Repository: myob / appsec (public appsec packages)

trufflehog 0ef3c29311c8a9cdabc3ae4bc2c…

One-liner (summary): A certifiably-awesome package curated by ops-arch bot, hosted by Cloudsmith.

Description: A certifiably-awesome package curated by ops-arch bot, hosted by Cloudsmith.

License: Unknown
Size: 35.6 MB
Downloads: 36
Status: Completed
GPG Signature:
Storage Region: Dublin, Ireland
Type: Binary (contains binaries and binary artifacts)
Uploaded At: 1 year, 6 months ago
Uploaded By: ops-arch-bot
Slug Id: trufflehog-Mbw
Unique Id: tOCx1WxJ5KtP
Version (Raw): 0ef3c29311c8a9cdabc3ae4bc2ce3aff3552841a4cb19cddeda591b6e2aea112
Version (Parsed):
  • Type: Unknown

docker-specific metadata

Image Digest: sha256:0ef3c29311c8a9cdabc3ae4bc2ce3aff3552841a4cb19cddeda591b6e2aea112
Config Digest: sha256:b162bdddb5c9c6818c4ed22741dfa09f347e902341037363527e79af27f0df6c
V1 OCI Index Digest: sha256:90fca49182896bab5eaeb5796c550fd1508ba6ee0e39a7fce9d5c7cc13ba7298
V1 Distribution (Signed) Digest: sha256:e84bcbc0e1f106bde49f948694b8368eb88bb86eee725de02d6f75d224d08c4e
V1 OCI Digest: sha256:0c2e9a7545cc7ec3baa989c2ed8d28b845f59b349b77bb99ab112264f56d4456
V2 Distribution List Digest: sha256:6e7061b186b4a28c60cfd6c29dbfb97d62025a9d177a541da9757af94ce74c89
V1 Distribution Digest: sha256:ff55ee7832769b9b1a5cf27e1edf1866647717372e90cdfed44795a6a5f6eb55
V2 Distribution Digest: sha256:0ef3c29311c8a9cdabc3ae4bc2ce3aff3552841a4cb19cddeda591b6e2aea112

extended metadata

Manifest Type: V2 Distribution
Architecture: amd64
Config:
Container: e847106723988861fe17f3cff809838c3914c8d3fff98f140e028fad95dfa9a5
Container Config:
Created: 2023-11-14 21:37:13 UTC
Docker Version: 20.10.25
Os: linux

This package was uploaded with the following V2 Distribution manifest:

{
   "schemaVersion": 2,
   "mediaType": "application/vnd.docker.distribution.manifest.v2+json",
   "config": {
      "mediaType": "application/vnd.docker.container.image.v1+json",
      "size": 9103,
      "digest": "sha256:736c6577f9b8189bbe4ce7799da28a762d80f6f3ebefe99db92476c5be0999e5"
   },
   "layers": [
      {
         "mediaType": "application/vnd.docker.image.rootfs.diff.tar.gzip",
         "size": 3401967,
         "digest": "sha256:96526aa774ef0126ad0fe9e9a95764c5fc37f409ab9e97021e7b4775d82bf6fa"
      },
      {
         "mediaType": "application/vnd.docker.image.rootfs.diff.tar.gzip",
         "size": 622324,
         "digest": "sha256:430548f4d4bf7cdf8dc1e14a535a6ae863ecace3300d9f2b84ced5df27d88721"
      },
      {
         "mediaType": "application/vnd.docker.image.rootfs.diff.tar.gzip",
         "size": 12858227,
         "digest": "sha256:9ae8a48eae0348021298d595580e3bc544c4d77b1f60f0e6a1774c93bfa64515"
      },
      {
         "mediaType": "application/vnd.docker.image.rootfs.diff.tar.gzip",
         "size": 240,
         "digest": "sha256:2d30bba99930234541d0f4a894c86eeabafd1aa045421eef4fcc18509305fec8"
      },
      {
         "mediaType": "application/vnd.docker.image.rootfs.diff.tar.gzip",
         "size": 3109410,
         "digest": "sha256:3d288dfecc47052f2f766d9f21ead2cb7370bae50fed29ad2e4dbf46d0d572b7"
      },
      {
         "mediaType": "application/vnd.docker.image.rootfs.diff.tar.gzip",
         "size": 4989277,
         "digest": "sha256:0baca218625892a3dbb7b079c5e05644a8825104f7def39b94417eb9e5b7a0d1"
      },
      {
         "mediaType": "application/vnd.docker.image.rootfs.diff.tar.gzip",
         "size": 5721671,
         "digest": "sha256:280382a926400435fae55474d2e8bda714fc3279613250729b25cd79650a6fbc"
      },
      {
         "mediaType": "application/vnd.docker.image.rootfs.diff.tar.gzip",
         "size": 1925610,
         "digest": "sha256:c3bf30de4663b60dff3867111704dbad8a7304765019ac5d5b1bec250df62015"
      },
      {
         "mediaType": "application/vnd.docker.image.rootfs.diff.tar.gzip",
         "size": 909,
         "digest": "sha256:24a81ab009300f02105cfe670684f95f7b48f1ade8c8c705b6d07f1767d79687"
      },
      {
         "mediaType": "application/vnd.docker.image.rootfs.diff.tar.gzip",
         "size": 1488,
         "digest": "sha256:a95ff826fe0350d6864dbf9767774c78481aa3d05c0393ba53730c1277ab8692"
      },
      {
         "mediaType": "application/vnd.docker.image.rootfs.diff.tar.gzip",
         "size": 4646842,
         "digest": "sha256:7fca8dac58bd58eab9d1d238fdc4b3caef4ab00bd33f013722871e675bfcaa06"
      },
      {
         "mediaType": "application/vnd.docker.image.rootfs.diff.tar.gzip",
         "size": 909,
         "digest": "sha256:6dd9a4f6921c956557eee5345108e9253d3f8dbc3d973472c88d0afdfdba3294"
      }
   ]
}
Digest: sha256:96526aa774ef0126ad0fe9e9a95764c5fc37f409ab9e97021e7b4775d82bf6fa
Command: /bin/sh -c #(nop) ADD file:756183bba9c7f4593c2b216e98e4208b9163c4c962ea0837ef88bd917609d001 in /
3.2 MB
Digest: sha256:a3ed95caeb02ffe68cdd9fd84406680ae93d633cb16422d00e8a7c22955b46d4
Command: /bin/sh -c #(nop) CMD ["/bin/sh"]
32 bytes
Digest: sha256:a3ed95caeb02ffe68cdd9fd84406680ae93d633cb16422d00e8a7c22955b46d4
Command: ENV PATH=/usr/local/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
32 bytes
Digest: sha256:a3ed95caeb02ffe68cdd9fd84406680ae93d633cb16422d00e8a7c22955b46d4
Command: ENV LANG=C.UTF-8
32 bytes
Digest: sha256:430548f4d4bf7cdf8dc1e14a535a6ae863ecace3300d9f2b84ced5df27d88721
Command: RUN /bin/sh -c set -eux; apk add --no-cache ca-certificates tzdata ; # buildkit
607.7 KB
Digest: sha256:a3ed95caeb02ffe68cdd9fd84406680ae93d633cb16422d00e8a7c22955b46d4
Command: ENV GPG_KEY=A035C8C19219BA821ECEA86B64E628F8D684696D
32 bytes
Digest: sha256:a3ed95caeb02ffe68cdd9fd84406680ae93d633cb16422d00e8a7c22955b46d4
Command: ENV PYTHON_VERSION=3.11.6
32 bytes
Digest: sha256:9ae8a48eae0348021298d595580e3bc544c4d77b1f60f0e6a1774c93bfa64515
Command: RUN /bin/sh -c set -eux; apk add --no-cache --virtual .build-deps gnupg tar xz bluez-dev bzip2-dev dpkg-dev dpkg expat-dev findutils gcc gdbm-dev libc-dev libffi-dev libnsl-dev libtirpc-dev linux-headers make ncurses-dev openssl-dev pax-utils readline-dev sqlite-dev tcl-dev tk tk-dev util-linux-dev xz-dev zlib-dev ; wget -O python.tar.xz "https://www.python.org/ftp/python/${PYTHON_VERSION%%[a-z]*}/Python-$PYTHON_VERSION.tar.xz"; wget -O python.tar.xz.asc "https://www.python.org/ftp/python/${PYTHON_VERSION%%[a-z]*}/Python-$PYTHON_VERSION.tar.xz.asc"; GNUPGHOME="$(mktemp -d)"; export GNUPGHOME; gpg --batch --keyserver hkps://keys.openpgp.org --recv-keys "$GPG_KEY"; gpg --batch --verify python.tar.xz.asc python.tar.xz; gpgconf --kill all; rm -rf "$GNUPGHOME" python.tar.xz.asc; mkdir -p /usr/src/python; tar --extract --directory /usr/src/python --strip-components=1 --file python.tar.xz; rm python.tar.xz; cd /usr/src/python; gnuArch="$(dpkg-architecture --query DEB_BUILD_GNU_TYPE)"; ./configure --build="$gnuArch" --enable-loadable-sqlite-extensions --enable-optimizations --enable-option-checking=fatal --enable-shared --with-lto --with-system-expat --without-ensurepip ; nproc="$(nproc)"; EXTRA_CFLAGS="-DTHREAD_STACK_SIZE=0x100000"; LDFLAGS="${LDFLAGS:--Wl},--strip-all"; make -j "$nproc" "EXTRA_CFLAGS=${EXTRA_CFLAGS:-}" "LDFLAGS=${LDFLAGS:-}" "PROFILE_TASK=${PROFILE_TASK:-}" ; rm python; make -j "$nproc" "EXTRA_CFLAGS=${EXTRA_CFLAGS:-}" "LDFLAGS=${LDFLAGS:--Wl},-rpath='\$\$ORIGIN/../lib'" "PROFILE_TASK=${PROFILE_TASK:-}" python ; make install; cd /; rm -rf /usr/src/python; find /usr/local -depth \( \( -type d -a \( -name test -o -name tests -o -name idle_test \) \) -o \( -type f -a \( -name '*.pyc' -o -name '*.pyo' -o -name 'libpython*.a' \) \) \) -exec rm -rf '{}' + ; find /usr/local -type f -executable -not \( -name '*tkinter*' \) -exec scanelf --needed --nobanner --format '%n#p' '{}' ';' | tr ',' '\n' | sort -u | awk 'system("[ -e /usr/local/lib/" $1 " ]") == 0 { next } { print "so:" $1 }' | xargs -rt apk add --no-network --virtual .python-rundeps ; apk del --no-network .build-deps; python3 --version # buildkit
12.3 MB
Digest: sha256:2d30bba99930234541d0f4a894c86eeabafd1aa045421eef4fcc18509305fec8
Command: RUN /bin/sh -c set -eux; for src in idle3 pydoc3 python3 python3-config; do dst="$(echo "$src" | tr -d 3)"; [ -s "/usr/local/bin/$src" ]; [ ! -e "/usr/local/bin/$dst" ]; ln -svT "$src" "/usr/local/bin/$dst"; done # buildkit
240 bytes
Digest: sha256:a3ed95caeb02ffe68cdd9fd84406680ae93d633cb16422d00e8a7c22955b46d4
Command: ENV PYTHON_PIP_VERSION=23.2.1
32 bytes
Digest: sha256:a3ed95caeb02ffe68cdd9fd84406680ae93d633cb16422d00e8a7c22955b46d4
Command: ENV PYTHON_SETUPTOOLS_VERSION=65.5.1
32 bytes
Digest: sha256:a3ed95caeb02ffe68cdd9fd84406680ae93d633cb16422d00e8a7c22955b46d4
Command: ENV PYTHON_GET_PIP_URL=https://github.com/pypa/get-pip/raw/c6add47b0abf67511cdfb4734771cbab403af062/public/get-pip.py
32 bytes
Digest: sha256:a3ed95caeb02ffe68cdd9fd84406680ae93d633cb16422d00e8a7c22955b46d4
Command: ENV PYTHON_GET_PIP_SHA256=22b849a10f86f5ddf7ce148ca2a31214504ee6c83ef626840fde6e5dcd809d11
32 bytes
Digest: sha256:3d288dfecc47052f2f766d9f21ead2cb7370bae50fed29ad2e4dbf46d0d572b7
Command: RUN /bin/sh -c set -eux; wget -O get-pip.py "$PYTHON_GET_PIP_URL"; echo "$PYTHON_GET_PIP_SHA256 *get-pip.py" | sha256sum -c -; export PYTHONDONTWRITEBYTECODE=1; python get-pip.py --disable-pip-version-check --no-cache-dir --no-compile "pip==$PYTHON_PIP_VERSION" "setuptools==$PYTHON_SETUPTOOLS_VERSION" ; rm -f get-pip.py; pip --version # buildkit
3.0 MB
Digest: sha256:a3ed95caeb02ffe68cdd9fd84406680ae93d633cb16422d00e8a7c22955b46d4
Command: CMD ["python3"]
32 bytes
Digest: sha256:0baca218625892a3dbb7b079c5e05644a8825104f7def39b94417eb9e5b7a0d1
Command: /bin/sh -c apk add --no-cache git less
4.8 MB
Digest: sha256:280382a926400435fae55474d2e8bda714fc3279613250729b25cd79650a6fbc
Command: /bin/sh -c pip install gitdb2==3.0.0 truffleHog==2.2.1
5.5 MB
Digest: sha256:c3bf30de4663b60dff3867111704dbad8a7304765019ac5d5b1bec250df62015
Command: /bin/sh -c apk upgrade expat
1.8 MB
Digest: sha256:24a81ab009300f02105cfe670684f95f7b48f1ade8c8c705b6d07f1767d79687
Command: /bin/sh -c #(nop) COPY file:912eb83db77aaf6caccb13f8a2591f99a4c6ab0b2d05df68cef94a84b353376b in /entrypoint.sh
909 bytes
Digest: sha256:a95ff826fe0350d6864dbf9767774c78481aa3d05c0393ba53730c1277ab8692
Command: /bin/sh -c #(nop) COPY file:8cd58e7bb66a3a940323b5c6ecdabad9548ee71afb7efec631f3c22d869e8b6a in /regex.json
1.5 KB
Digest: sha256:7fca8dac58bd58eab9d1d238fdc4b3caef4ab00bd33f013722871e675bfcaa06
Command: /bin/sh -c #(nop) COPY file:89eab4c1897dd3e64e5c0467069fd2dadc697eefd898d0eaf518d0428be16b2c in /bin/git-credential-myob
4.4 MB
Digest: sha256:6dd9a4f6921c956557eee5345108e9253d3f8dbc3d973472c88d0afdfdba3294
Command: /bin/sh -c chmod +x /entrypoint.sh
909 bytes
Digest: sha256:a3ed95caeb02ffe68cdd9fd84406680ae93d633cb16422d00e8a7c22955b46d4
Command: /bin/sh -c #(nop) ENTRYPOINT ["/entrypoint.sh"]
32 bytes

Last scanned: 1 year, 6 months ago
Scan result: Vulnerable
Vulnerability count: 9
Max. severity: Critical

Target: . (alpine 3.18.4)

HIGH

CVE-2023-5363: openssl: Incorrect cipher key and IV length processing

Issue summary: A bug has been identified in the processing of key and initialisation vector (IV) lengths. This can lead to potential truncation or overruns during the initialisation of some symmetric ciphers. Impact summary: A truncation in the IV can result in non-uniqueness, which could result in loss of confidentiality for some cipher modes. When calling EVP_EncryptInit_ex2(), EVP_DecryptInit_ex2() or EVP_CipherInit_ex2() the provided OSSL_PARAM array is processed after the key and IV have been established. Any alterations to the key length, via the "keylen" parameter or the IV length, via the "ivlen" parameter, within the OSSL_PARAM array will not take effect as intended, potentially causing truncation or overreading of these values. The following ciphers and cipher modes are impacted: RC2, RC4, RC5, CCM, GCM and OCB. For the CCM, GCM and OCB cipher modes, truncation of the IV can result in loss of confidentiality. For example, when following NIST's SP 800-38D section 8.2.1 guidance for constructing a deterministic IV for AES in GCM mode, truncation of the counter portion could lead to IV reuse. Both truncations and overruns of the key and overruns of the IV will produce incorrect results and could, in some cases, trigger a memory exception. However, these issues are not currently assessed as security critical. Changing the key and/or IV lengths is not considered to be a common operation and the vulnerable API was recently introduced. Furthermore it is likely that application developers will have spotted this problem during testing since decryption would fail unless both peers in the communication were similarly vulnerable. For these reasons we expect the probability of an application being vulnerable to this to be quite low. However if an application is vulnerable then this issue is considered very serious. For these reasons we have assessed this issue as Moderate severity overall. The OpenSSL SSL/TLS implementation is not affected by this issue. The OpenSSL 3.0 and 3.1 FIPS providers are not affected by this because the issue lies outside of the FIPS provider boundary. OpenSSL 3.1 and 3.0 are vulnerable to this issue.

Package Name: libcrypto3
Installed Version: 3.1.3-r0
Fixed Version: 3.1.4-r0

References: www.openwall.com, access.redhat.com, cve.mitre.org, git.openssl.org, nvd.nist.gov, security.netapp.com, ubuntu.com, www.cve.org, www.debian.org, www.openssl.org

HIGH

CVE-2023-5363: openssl: Incorrect cipher key and IV length processing (same issue as the libcrypto3 entry above)

Package Name: libssl3
Installed Version: 3.1.3-r0
Fixed Version: 3.1.4-r0

References: www.openwall.com, access.redhat.com, cve.mitre.org, git.openssl.org, nvd.nist.gov, security.netapp.com, ubuntu.com, www.cve.org, www.debian.org, www.openssl.org

MEDIUM

CVE-2023-5678: openssl: Generating excessively long X9.42 DH keys or checking excessively long X9.42 DH keys or parameters may be very slow

Issue summary: Generating excessively long X9.42 DH keys or checking excessively long X9.42 DH keys or parameters may be very slow. Impact summary: Applications that use the functions DH_generate_key() to generate an X9.42 DH key may experience long delays. Likewise, applications that use DH_check_pub_key(), DH_check_pub_key_ex() or EVP_PKEY_public_check() to check an X9.42 DH key or X9.42 DH parameters may experience long delays. Where the key or parameters that are being checked have been obtained from an untrusted source this may lead to a Denial of Service. While DH_check() performs all the necessary checks (as of CVE-2023-3817), DH_check_pub_key() doesn't make any of these checks, and is therefore vulnerable for excessively large P and Q parameters. Likewise, while DH_generate_key() performs a check for an excessively large P, it doesn't check for an excessively large Q. An application that calls DH_generate_key() or DH_check_pub_key() and supplies a key or parameters obtained from an untrusted source could be vulnerable to a Denial of Service attack. DH_generate_key() and DH_check_pub_key() are also called by a number of other OpenSSL functions. An application calling any of those other functions may similarly be affected. The other functions affected by this are DH_check_pub_key_ex(), EVP_PKEY_public_check(), and EVP_PKEY_generate(). Also vulnerable are the OpenSSL pkey command line application when using the "-pubcheck" option, as well as the OpenSSL genpkey command line application. The OpenSSL SSL/TLS implementation is not affected by this issue. The OpenSSL 3.0 and 3.1 FIPS providers are not affected by this issue.

Package Name: libcrypto3
Installed Version: 3.1.3-r0
Fixed Version: 3.1.4-r1

References: access.redhat.com, cve.mitre.org, git.openssl.org, nvd.nist.gov, www.cve.org, www.openssl.org

MEDIUM

CVE-2023-5678: openssl: Generating excessively long X9.42 DH keys or checking excessively long X9.42 DH keys or parameters may be very slow (same issue as the libcrypto3 entry above)

Package Name: libssl3
Installed Version: 3.1.3-r0
Fixed Version: 3.1.4-r1

References: access.redhat.com, cve.mitre.org, git.openssl.org, nvd.nist.gov, www.cve.org, www.openssl.org

Target: Python

CRITICAL

CVE-2023-40267: Insecure non-multi options in clone and clone_from is not blocked

GitPython before 3.1.32 does not block insecure non-multi options in clone and clone_from. NOTE: this issue exists because of an incomplete fix for CVE-2022-24439.

Package Name: GitPython
Installed Version: 3.0.6
Fixed Version: 3.1.32

References: access.redhat.com, cve.mitre.org, github.com, lists.fedoraproject.org, nvd.nist.gov, ubuntu.com, www.cve.org

HIGH

CVE-2022-24439: improper user input validation leads into a RCE

All versions of package gitpython are vulnerable to Remote Code Execution (RCE) due to improper user input validation, which makes it possible to inject a maliciously crafted remote URL into the clone command. Exploiting this vulnerability is possible because the library makes external calls to git without sufficient sanitization of input arguments.

Package Name: GitPython
Installed Version: 3.0.6
Fixed Version: 3.1.30

References: access.redhat.com, cve.mitre.org, github.com, lists.debian.org, lists.fedoraproject.org, nvd.nist.gov, security.gentoo.org, security.snyk.io, ubuntu.com, www.cve.org

HIGH

CVE-2023-40590: improper executable lookup on windows

GitPython is a Python library used to interact with Git repositories. When resolving a program, Python on Windows looks in the current working directory first and only after that in the PATH environment variable. GitPython defaults to using the `git` command, so if a user runs GitPython from a repo that has a `git.exe` or `git` executable, that program will be run instead of the one in the user's `PATH`. This is more a problem of how Python interacts with Windows systems; Linux and any other OS aren't affected by this. But people using GitPython probably usually run it from the CWD of a repo. An attacker can trick a user into downloading a repository with a malicious `git` executable; if the user runs/imports GitPython from that directory, it allows the attacker to run any arbitrary commands. There is no fix currently available for Windows users, however there are a few mitigations. 1: Default to an absolute path for the git program on Windows, like `C:\Program Files\Git\cmd\git.EXE` (default git installation path). 2: Require users to set the `GIT_PYTHON_GIT_EXECUTABLE` environment variable on Windows systems. 3: Make this problem prominent in the documentation and advise users to never run GitPython from an untrusted repo, or to set the `GIT_PYTHON_GIT_EXECUTABLE` env var to an absolute path. 4: Resolve the executable manually by only looking into the `PATH` environment variable.

Package Name: GitPython
Installed Version: 3.0.6
Fixed Version: 3.1.33

References: access.redhat.com, docs.python.org, github.com, nvd.nist.gov, www.cve.org

MEDIUM

CVE-2023-41040: GitPython: Blind local file inclusion

GitPython is a Python library used to interact with Git repositories. In order to resolve some git references, GitPython reads files from the `.git` directory; in some places the name of the file being read is provided by the user, and GitPython doesn't check if this file is located outside the `.git` directory. This allows an attacker to make GitPython read any file from the system. This vulnerability is present in https://github.com/gitpython-developers/GitPython/blob/1c8310d7cae144f74a671cbe17e51f63a830adbf/git/refs/symbolic.py#L174-L175. That code joins the base directory with a user-given string without checking if the final path is located outside the base directory. This vulnerability cannot be used to read the contents of files but could in theory be used to trigger a denial of service for the program. This issue has not yet been addressed.

Package Name: GitPython
Installed Version: 3.0.6
Fixed Version: 3.1.37

References: access.redhat.com, github.com, lists.debian.org, nvd.nist.gov, www.cve.org

MEDIUM

CVE-2023-5752: When installing a package from a Mercurial VCS URL (ie "pip install ...

When installing a package from a Mercurial VCS URL (i.e. "pip install hg+...") with pip prior to v23.3, the specified Mercurial revision could be used to inject arbitrary configuration options into the "hg clone" call (i.e. "--config"). Controlling the Mercurial configuration can modify how and which repository is installed. This vulnerability does not affect users who aren't installing from Mercurial.

Package Name: pip
Installed Version: 23.2.1
Fixed Version: 23.3

References: github.com, mail.python.org, nvd.nist.gov

These instructions assume you have set up the repository first (or read it).

To pull trufflehog @ reference/tag 5db7cd6f4e56c0f142f83a07d2e62cfd2a327107:

docker pull docker.myob.com/appsec/trufflehog:5db7cd6f4e56c0f142f83a07d2e62cfd2a327107

You can also pull the latest version of this image (if it exists):

docker pull docker.myob.com/appsec/trufflehog:latest

To refer to this image after pulling in a Dockerfile, specify the following:

FROM docker.myob.com/appsec/trufflehog:5db7cd6f4e56c0f142f83a07d2e62cfd2a327107