Repository: myob / appsec (public)

trufflehog 7dc481950b27e7e7466b710c1cb…

One-liner (summary)

A certifiably-awesome package curated by ops-arch bot, hosted by Cloudsmith.

Description

A certifiably-awesome package curated by ops-arch bot, hosted by Cloudsmith.

License

Unknown

Size

42.3 MB

Downloads

35166

Tags

image amd64 linux latest

Status  Completed
Checksum (MD5) 97f324aaf8be68ae667ef3858d9ad145
Checksum (SHA-1) 188835d3568f61d8dadd76067bb13adfa7f51e46
Checksum (SHA-256) 7dc481950b27e7e7466b710c1cb504cfc0d88d453acca6b46b221303263e438b
Checksum (SHA-512) a95b01dbeeaea1a88f0e5e8bd6a0097bda11c08c382c08a4378d5f65d5c4a0f7fb…
GPG Signature
GPG Fingerprint b37cb02108d5d7b2c7269a09acf5c48b429db520
Storage Region  Dublin, Ireland
Type  Binary (contains binaries and binary artifacts)
Uploaded At 8 months, 4 weeks ago
Uploaded By ops-arch-bot
Slug Id trufflehog-gjnl
Unique Id z2HHQcfZmjxs
Version (Raw) 7dc481950b27e7e7466b710c1cb504cfc0d88d453acca6b46b221303263e438b
Version (Parsed) Type: Unknown

Docker-specific metadata
Image Digest sha256:7dc481950b27e7e7466b710c1cb504cfc0d88d453acca6b46b221303263e438b
Config Digest sha256:9046dc01405190d295b78bc22e8084e36ffd20ea4bba7df24e9f0ea87a8d9cef
V1 OCI Index Digest sha256:1e1eb071a29190dbac46aa0b87576b1405be3ab7a50a69de040fa57c45badeaa
V1 Distribution (Signed) Digest sha256:b6287d686bd31ee1689ac58e1a7b8cec1e4007f7abda4f06d0a549863ebeae8b
V1 OCI Digest sha256:848afe6557204e8c70279c98ed5e188dc1bfdb2cbad4befd652436cf764f932d
V2 Distribution List Digest sha256:b256b9227be472c4ce312d87f9c70bf5a6de6f15ebad3336ac87850d37e01692
V1 Distribution Digest sha256:f72236d027e9be12b38aaa202f6d26d29e9eb8a302b0c1e3aa9d044a2498c3bb
V2 Distribution Digest sha256:7dc481950b27e7e7466b710c1cb504cfc0d88d453acca6b46b221303263e438b
Extended metadata
Manifest Type V2 Distribution
Architecture amd64
Config
Created 2024-08-08 04:37:22 UTC
Os linux

This package was uploaded with the following V2 Distribution manifest:

{
   "schemaVersion": 2,
   "mediaType": "application/vnd.docker.distribution.manifest.v2+json",
   "config": {
      "mediaType": "application/vnd.docker.container.image.v1+json",
      "size": 9339,
      "digest": "sha256:9505b9d4193e8a1622be24645caee6377c5528663a1097912dc9d269622ca992"
   },
   "layers": [
      {
         "mediaType": "application/vnd.docker.image.rootfs.diff.tar.gzip",
         "size": 3622892,
         "digest": "sha256:c6a83fedfae6ed8a4f5f7cbb6a7b6f1c1ec3d86fea8cb9e5ba2e5e6673fde9f6"
      },
      {
         "mediaType": "application/vnd.docker.image.rootfs.diff.tar.gzip",
         "size": 461810,
         "digest": "sha256:b9dc4119f2ec8172c585e3a6b9dd1dead61612cab2ebab820703fd122a07129b"
      },
      {
         "mediaType": "application/vnd.docker.image.rootfs.diff.tar.gzip",
         "size": 12672294,
         "digest": "sha256:545d94f91829cfc9031a9578cf5a2238f285cc0f2e04203dd32613f2a55cfeb6"
      },
      {
         "mediaType": "application/vnd.docker.image.rootfs.diff.tar.gzip",
         "size": 230,
         "digest": "sha256:4271f5ef1d3946e791b3cf6b9748767d9c8a5a299fc0ddc3d0dffcc2bec5b52c"
      },
      {
         "mediaType": "application/vnd.docker.image.rootfs.diff.tar.gzip",
         "size": 3129972,
         "digest": "sha256:780f71a8607261eb6b1fea0f26d806767a3730696c0ff0a99ca4fad403c01839"
      },
      {
         "mediaType": "application/vnd.docker.image.rootfs.diff.tar.gzip",
         "size": 5928282,
         "digest": "sha256:4c3bda3dbbb239ff2c137725b75016f2088a294556b2f655f6a7613259addab8"
      },
      {
         "mediaType": "application/vnd.docker.image.rootfs.diff.tar.gzip",
         "size": 8930431,
         "digest": "sha256:b597a65fa726cd86c73b2edbf4f0e1037bb7babc0d885d23888eab55e41cc724"
      },
      {
         "mediaType": "application/vnd.docker.image.rootfs.diff.tar.gzip",
         "size": 454,
         "digest": "sha256:0afd092c5619e943c534ebf9ac2725c839bc11f43532d0509793d8dcadaf362e"
      },
      {
         "mediaType": "application/vnd.docker.image.rootfs.diff.tar.gzip",
         "size": 995,
         "digest": "sha256:920fba03bcd7cf2607d6c28565706bf3eb858ecc76b3fe4229c637dba4da3759"
      },
      {
         "mediaType": "application/vnd.docker.image.rootfs.diff.tar.gzip",
         "size": 934,
         "digest": "sha256:5021a8d28837022e85473a9019be6aa171959a894a917afe4e059ac823320f64"
      },
      {
         "mediaType": "application/vnd.docker.image.rootfs.diff.tar.gzip",
         "size": 1478,
         "digest": "sha256:93181afcbb40efd4b97f70c4998c50e55ebc5e663cfbd25385ec86ded3fe6a4e"
      },
      {
         "mediaType": "application/vnd.docker.image.rootfs.diff.tar.gzip",
         "size": 4784864,
         "digest": "sha256:a6616e5847dd2dcb9f64b276830e1c6088dae3636326c8bd9e30d67bea8ddafc"
      },
      {
         "mediaType": "application/vnd.docker.image.rootfs.diff.tar.gzip",
         "size": 964,
         "digest": "sha256:1c4f025ed5501e12002be9b6b3f765bdab12eb7e8b88db5dad1bb1fc16c6204c"
      },
      {
         "mediaType": "application/vnd.docker.image.rootfs.diff.tar.gzip",
         "size": 4784930,
         "digest": "sha256:6dc9b39a5f893ed480e569f32bc6c504ec9a0ec7a7022b60a26c832930a19d0a"
      },
      {
         "mediaType": "application/vnd.docker.image.rootfs.diff.tar.gzip",
         "size": 964,
         "digest": "sha256:91f1377606c74d5118330ed973e58e2f6510111bc951c504e2b6814a3ff7ef49"
      },
      {
         "mediaType": "application/vnd.docker.image.rootfs.diff.tar.gzip",
         "size": 162,
         "digest": "sha256:0b7b5ec052c10885d1635cb6521add546b8212f9a14a3eae990594b4576fd7c4"
      },
      {
         "mediaType": "application/vnd.docker.image.rootfs.diff.tar.gzip",
         "size": 141,
         "digest": "sha256:919ae50e56eaaa3d82e0c5b6ba93238b65e5dddde0ab3f2aaed2e7cc78119d54"
      }
   ]
}
Digest: sha256:c6a83fedfae6ed8a4f5f7cbb6a7b6f1c1ec3d86fea8cb9e5ba2e5e6673fde9f6
Command: /bin/sh -c #(nop) ADD file:99093095d62d0421541d882f9ceeddb2981fe701ec0aa9d2c08480712d5fed21 in /
3.5 MB
Digest: sha256:a3ed95caeb02ffe68cdd9fd84406680ae93d633cb16422d00e8a7c22955b46d4
Command: /bin/sh -c #(nop) CMD ["/bin/sh"]
32 bytes
Digest: sha256:a3ed95caeb02ffe68cdd9fd84406680ae93d633cb16422d00e8a7c22955b46d4
Command: ENV PATH=/usr/local/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
32 bytes
Digest: sha256:a3ed95caeb02ffe68cdd9fd84406680ae93d633cb16422d00e8a7c22955b46d4
Command: ENV LANG=C.UTF-8
32 bytes
Digest: sha256:b9dc4119f2ec8172c585e3a6b9dd1dead61612cab2ebab820703fd122a07129b
Command: RUN /bin/sh -c set -eux; apk add --no-cache ca-certificates tzdata ; # buildkit
451.0 KB
Digest: sha256:a3ed95caeb02ffe68cdd9fd84406680ae93d633cb16422d00e8a7c22955b46d4
Command: ENV GPG_KEY=A035C8C19219BA821ECEA86B64E628F8D684696D
32 bytes
Digest: sha256:a3ed95caeb02ffe68cdd9fd84406680ae93d633cb16422d00e8a7c22955b46d4
Command: ENV PYTHON_VERSION=3.11.9
32 bytes
Digest: sha256:545d94f91829cfc9031a9578cf5a2238f285cc0f2e04203dd32613f2a55cfeb6
Command: RUN /bin/sh -c set -eux; apk add --no-cache --virtual .build-deps gnupg tar xz bluez-dev bzip2-dev dpkg-dev dpkg expat-dev findutils gcc gdbm-dev libc-dev libffi-dev libnsl-dev libtirpc-dev linux-headers make ncurses-dev openssl-dev pax-utils readline-dev sqlite-dev tcl-dev tk tk-dev util-linux-dev xz-dev zlib-dev ; wget -O python.tar.xz "https://www.python.org/ftp/python/${PYTHON_VERSION%%[a-z]*}/Python-$PYTHON_VERSION.tar.xz"; wget -O python.tar.xz.asc "https://www.python.org/ftp/python/${PYTHON_VERSION%%[a-z]*}/Python-$PYTHON_VERSION.tar.xz.asc"; GNUPGHOME="$(mktemp -d)"; export GNUPGHOME; gpg --batch --keyserver hkps://keys.openpgp.org --recv-keys "$GPG_KEY"; gpg --batch --verify python.tar.xz.asc python.tar.xz; gpgconf --kill all; rm -rf "$GNUPGHOME" python.tar.xz.asc; mkdir -p /usr/src/python; tar --extract --directory /usr/src/python --strip-components=1 --file python.tar.xz; rm python.tar.xz; cd /usr/src/python; gnuArch="$(dpkg-architecture --query DEB_BUILD_GNU_TYPE)"; ./configure --build="$gnuArch" --enable-loadable-sqlite-extensions $(test "$gnuArch" != 'riscv64-linux-musl' && echo '--enable-optimizations') --enable-option-checking=fatal --enable-shared --with-lto --with-system-expat --without-ensurepip ; nproc="$(nproc)"; EXTRA_CFLAGS="-DTHREAD_STACK_SIZE=0x100000"; LDFLAGS="${LDFLAGS:--Wl},--strip-all"; make -j "$nproc" "EXTRA_CFLAGS=${EXTRA_CFLAGS:-}" "LDFLAGS=${LDFLAGS:-}" "PROFILE_TASK=${PROFILE_TASK:-}" ; rm python; make -j "$nproc" "EXTRA_CFLAGS=${EXTRA_CFLAGS:-}" "LDFLAGS=${LDFLAGS:--Wl},-rpath='\$\$ORIGIN/../lib'" "PROFILE_TASK=${PROFILE_TASK:-}" python ; make install; cd /; rm -rf /usr/src/python; find /usr/local -depth \( \( -type d -a \( -name test -o -name tests -o -name idle_test \) \) -o \( -type f -a \( -name '*.pyc' -o -name '*.pyo' -o -name 'libpython*.a' \) \) \) -exec rm -rf '{}' + ; find /usr/local -type f -executable -not \( -name '*tkinter*' \) -exec scanelf --needed --nobanner --format '%n#p' '{}' ';' | tr ',' '\n' | sort -u | awk 'system("[ -e /usr/local/lib/" $1 " ]") == 0 { next } { print "so:" $1 }' | xargs -rt apk add --no-network --virtual .python-rundeps ; apk del --no-network .build-deps; python3 --version # buildkit
12.1 MB
Digest: sha256:4271f5ef1d3946e791b3cf6b9748767d9c8a5a299fc0ddc3d0dffcc2bec5b52c
Command: RUN /bin/sh -c set -eux; for src in idle3 pydoc3 python3 python3-config; do dst="$(echo "$src" | tr -d 3)"; [ -s "/usr/local/bin/$src" ]; [ ! -e "/usr/local/bin/$dst" ]; ln -svT "$src" "/usr/local/bin/$dst"; done # buildkit
230 bytes
Digest: sha256:a3ed95caeb02ffe68cdd9fd84406680ae93d633cb16422d00e8a7c22955b46d4
Command: ENV PYTHON_PIP_VERSION=24.0
32 bytes
Digest: sha256:a3ed95caeb02ffe68cdd9fd84406680ae93d633cb16422d00e8a7c22955b46d4
Command: ENV PYTHON_SETUPTOOLS_VERSION=65.5.1
32 bytes
Digest: sha256:a3ed95caeb02ffe68cdd9fd84406680ae93d633cb16422d00e8a7c22955b46d4
Command: ENV PYTHON_GET_PIP_URL=https://github.com/pypa/get-pip/raw/66d8a0f637083e2c3ddffc0cb1e65ce126afb856/public/get-pip.py
32 bytes
Digest: sha256:a3ed95caeb02ffe68cdd9fd84406680ae93d633cb16422d00e8a7c22955b46d4
Command: ENV PYTHON_GET_PIP_SHA256=6fb7b781206356f45ad79efbb19322caa6c2a5ad39092d0d44d0fec94117e118
32 bytes
Digest: sha256:780f71a8607261eb6b1fea0f26d806767a3730696c0ff0a99ca4fad403c01839
Command: RUN /bin/sh -c set -eux; wget -O get-pip.py "$PYTHON_GET_PIP_URL"; echo "$PYTHON_GET_PIP_SHA256 *get-pip.py" | sha256sum -c -; export PYTHONDONTWRITEBYTECODE=1; python get-pip.py --disable-pip-version-check --no-cache-dir --no-compile "pip==$PYTHON_PIP_VERSION" "setuptools==$PYTHON_SETUPTOOLS_VERSION" ; rm -f get-pip.py; pip --version # buildkit
3.0 MB
Digest: sha256:a3ed95caeb02ffe68cdd9fd84406680ae93d633cb16422d00e8a7c22955b46d4
Command: CMD ["python3"]
32 bytes
Digest: sha256:4c3bda3dbbb239ff2c137725b75016f2088a294556b2f655f6a7613259addab8
Command: RUN /bin/sh -c apk add --no-cache git less # buildkit
5.7 MB
Digest: sha256:b597a65fa726cd86c73b2edbf4f0e1037bb7babc0d885d23888eab55e41cc724
Command: RUN /bin/sh -c pip install gitdb2==3.0.0 truffleHog==2.2.1 setuptools[core]==70.0.0 # buildkit
8.5 MB
Digest: sha256:0afd092c5619e943c534ebf9ac2725c839bc11f43532d0509793d8dcadaf362e
Command: RUN /bin/sh -c addgroup -S nonroot # buildkit
454 bytes
Digest: sha256:920fba03bcd7cf2607d6c28565706bf3eb858ecc76b3fe4229c637dba4da3759
Command: RUN /bin/sh -c adduser -D -G nonroot nonroot # buildkit
995 bytes
Digest: sha256:5021a8d28837022e85473a9019be6aa171959a894a917afe4e059ac823320f64
Command: COPY entrypoint.sh /entrypoint.sh # buildkit
934 bytes
Digest: sha256:93181afcbb40efd4b97f70c4998c50e55ebc5e663cfbd25385ec86ded3fe6a4e
Command: COPY regex.json /regex.json # buildkit
1.4 KB
Digest: sha256:a6616e5847dd2dcb9f64b276830e1c6088dae3636326c8bd9e30d67bea8ddafc
Command: COPY /bin/git-credential-myob /bin/git-credential-myob # buildkit
4.6 MB
Digest: sha256:1c4f025ed5501e12002be9b6b3f765bdab12eb7e8b88db5dad1bb1fc16c6204c
Command: RUN /bin/sh -c chmod +x /entrypoint.sh # buildkit
964 bytes
Digest: sha256:6dc9b39a5f893ed480e569f32bc6c504ec9a0ec7a7022b60a26c832930a19d0a
Command: RUN /bin/sh -c chmod g+x /bin/git-credential-myob # buildkit
4.6 MB
Digest: sha256:91f1377606c74d5118330ed973e58e2f6510111bc951c504e2b6814a3ff7ef49
Command: RUN /bin/sh -c chmod g+x /entrypoint.sh # buildkit
964 bytes
Digest: sha256:0b7b5ec052c10885d1635cb6521add546b8212f9a14a3eae990594b4576fd7c4
Command: RUN /bin/sh -c mkdir /tmp/truffle # buildkit
162 bytes
Digest: sha256:919ae50e56eaaa3d82e0c5b6ba93238b65e5dddde0ab3f2aaed2e7cc78119d54
Command: RUN /bin/sh -c chown -R nonroot:nonroot /tmp/truffle # buildkit
141 bytes
Digest: sha256:a3ed95caeb02ffe68cdd9fd84406680ae93d633cb16422d00e8a7c22955b46d4
Command: USER nonroot
32 bytes
Digest: sha256:a3ed95caeb02ffe68cdd9fd84406680ae93d633cb16422d00e8a7c22955b46d4
Command: ENTRYPOINT ["/entrypoint.sh"]
32 bytes

Last scanned

8 months, 4 weeks ago

Scan result

Vulnerable

Vulnerability count

6

Max. severity

Critical
Target: Python
CRITICAL

CVE-2023-40267: GitPython: Insecure non-multi options in clone and clone_from is not blocked

GitPython before 3.1.32 does not block insecure non-multi options in clone and clone_from. NOTE: this issue exists because of an incomplete fix for CVE-2022-24439.

Package Name: GitPython
Installed Version: 3.0.6
Fixed Version: 3.1.32

HIGH

CVE-2022-24439: GitPython: improper user input validation leads to RCE

All versions of package gitpython are vulnerable to Remote Code Execution (RCE) due to improper user input validation, which makes it possible to inject a maliciously crafted remote URL into the clone command. Exploiting this vulnerability is possible because the library makes external calls to git without sufficient sanitization of input arguments.

Package Name: GitPython
Installed Version: 3.0.6
Fixed Version: 3.1.30

HIGH

CVE-2023-40590: gitpython: improper executable lookup on windows

GitPython is a Python library used to interact with Git repositories. When resolving a program, Python on Windows looks in the current working directory first, and only after that in the PATH environment. GitPython defaults to using the `git` command, so if a user runs GitPython from a repo that contains a `git.exe` or `git` executable, that program will be run instead of the one in the user's `PATH`. This is more a problem of how Python interacts with Windows systems; Linux and any other OS aren't affected by this. But people using GitPython probably usually run it from the CWD of a repo. An attacker can trick a user into downloading a repository with a malicious `git` executable; if the user runs/imports GitPython from that directory, it allows the attacker to run arbitrary commands. There is no fix currently available for Windows users, however there are a few mitigations. 1: Default to an absolute path for the git program on Windows, like `C:\\Program Files\\Git\\cmd\\git.EXE` (default git path installation). 2: Require users to set the `GIT_PYTHON_GIT_EXECUTABLE` environment variable on Windows systems. 3: Make this problem prominent in the documentation and advise users to never run GitPython from an untrusted repo, or set the `GIT_PYTHON_GIT_EXECUTABLE` env var to an absolute path. 4: Resolve the executable manually by only looking into the `PATH` environment variable.

Package Name: GitPython
Installed Version: 3.0.6
Fixed Version: 3.1.33

HIGH

CVE-2024-22190: Untrusted search path under some conditions on Windows allows arbitrary code execution

GitPython is a python library used to interact with Git repositories. There is an incomplete fix for CVE-2023-40590. On Windows, GitPython uses an untrusted search path if it uses a shell to run `git`, as well as when it runs `bash.exe` to interpret hooks. If either of those features are used on Windows, a malicious `git.exe` or `bash.exe` may be run from an untrusted repository. This issue has been patched in version 3.1.41.

Package Name: GitPython
Installed Version: 3.0.6
Fixed Version: 3.1.41

MEDIUM

CVE-2023-41040: GitPython: Blind local file inclusion

GitPython is a Python library used to interact with Git repositories. In order to resolve some git references, GitPython reads files from the `.git` directory; in some places the name of the file being read is provided by the user, and GitPython doesn't check whether this file is located outside the `.git` directory. This allows an attacker to make GitPython read any file from the system. This vulnerability is present in https://github.com/gitpython-developers/GitPython/blob/1c8310d7cae144f74a671cbe17e51f63a830adbf/git/refs/symbolic.py#L174-L175. That code joins the base directory with a user-given string without checking whether the final path is located outside the base directory. This vulnerability cannot be used to read the contents of files, but could in theory be used to trigger a denial of service for the program. This issue has not yet been addressed.

Package Name: GitPython
Installed Version: 3.0.6
Fixed Version: 3.1.37

Target: bin/git-credential-myob
MEDIUM

CVE-2023-45288: golang: net/http, x/net/http2: unlimited number of CONTINUATION frames causes DoS

An attacker may cause an HTTP/2 endpoint to read arbitrary amounts of header data by sending an excessive number of CONTINUATION frames. Maintaining HPACK state requires parsing and processing all HEADERS and CONTINUATION frames on a connection. When a request's headers exceed MaxHeaderBytes, no memory is allocated to store the excess headers, but they are still parsed. This permits an attacker to cause an HTTP/2 endpoint to read arbitrary amounts of header data, all associated with a request which is going to be rejected. These headers can include Huffman-encoded data which is significantly more expensive for the receiver to decode than for an attacker to send. The fix sets a limit on the amount of excess header frames we will process before closing a connection.

Package Name: golang.org/x/net
Installed Version: v0.17.0
Fixed Version: 0.23.0


These instructions assume you have set up the repository first (or read how to).

To pull trufflehog @ reference/tag latest:

docker pull docker.myob.com/appsec/trufflehog:latest

To refer to this image after pulling in a Dockerfile, specify the following:

FROM docker.myob.com/appsec/trufflehog:latest