Created
January 30, 2026 09:53
VEX document for dhi.io/golang:1.23. Retrieved with `docker scout vex get registry://dhi.io/golang:1.23@sha256:31398e476325627a94bf3c45dd5134f2d891b1456b36bf77b69179a0a0c7c04c --output golang-vex.json`
| { | |
| "@context": "https://openvex.dev/ns/v0.2.0", | |
| "@id": "https://scout.docker.com/public/vex-2dbb10b9033b03376bf51603d76371006be87fbbaf30c8be721aa2c778e36dff", | |
| "author": "Docker Hardened Images \[email protected]\u003e", | |
| "role": "Document Creator", | |
| "version": 1, | |
| "tooling": "Docker Scout", | |
| "statements": [ | |
| { | |
| "@id": "88bffcd1-7214-4ab5-829b-79e5fd46b1d1", | |
| "vulnerability": { | |
| "name": "CVE-2005-2541" | |
| }, | |
| "products": [ | |
| { | |
| "@id": "pkg:deb/debian/[email protected]%2Bdfsg-1.2%2Bdeb12u1?os_name=debian\u0026os_version=12" | |
| }, | |
| { | |
| "@id": "pkg:deb/debian/[email protected]%2Bdfsg-1.2%2Bdeb12u1?os_name=debian\u0026os_version=12" | |
| }, | |
| { | |
| "@id": "pkg:deb/debian/tar" | |
| }, | |
| { | |
| "@id": "dhi.io/golang:1.23", | |
| "subcomponents": [ | |
| { | |
| "@id": "pkg:deb/debian/tar" | |
| } | |
| ] | |
| } | |
| ], | |
| "status": "not_affected", | |
| "status_notes": "This is intended behaviour; after all, tar is an archiving tool and you need to give -p as a command line flag", | |
| "justification": "vulnerable_code_cannot_be_controlled_by_adversary", | |
| "timestamp": "2025-08-05T20:37:02Z" | |
| }, | |
| { | |
| "@id": "fce22c3d-a935-45bb-8bda-04bdaa5fa0f7", | |
| "vulnerability": { | |
| "name": "CVE-2010-0928" | |
| }, | |
| "products": [ | |
| { | |
| "@id": "pkg:deb/debian/[email protected]~deb12u2?os_name=debian\u0026os_version=12" | |
| }, | |
| { | |
| "@id": "pkg:deb/debian/[email protected]~deb12u2?os_name=debian\u0026os_version=12" | |
| }, | |
| { | |
| "@id": "pkg:deb/debian/libssl3" | |
| }, | |
| { | |
| "@id": "pkg:deb/debian/openssl" | |
| }, | |
| { | |
| "@id": "dhi.io/golang:1.23", | |
| "subcomponents": [ | |
| { | |
| "@id": "pkg:deb/debian/libssl3" | |
| }, | |
| { | |
| "@id": "pkg:deb/debian/openssl" | |
| } | |
| ] | |
| } | |
| ], | |
| "status": "not_affected", | |
| "status_notes": "Fault injection based attacks are not within OpenSSL's threat model according to the security policy and this CVE is not treated as a security bug by upstream: https://www.openssl.org/policies/general/security-policy.html", | |
| "justification": "vulnerable_code_cannot_be_controlled_by_adversary", | |
| "timestamp": "2025-08-05T20:36:25Z" | |
| }, | |
| { | |
| "@id": "bcfc62d9-f5ea-416e-bf1b-54b9f34c3aad", | |
| "vulnerability": { | |
| "name": "CVE-2010-4756" | |
| }, | |
| "products": [ | |
| { | |
| "@id": "pkg:deb/debian/[email protected]%2Bdeb12u10?os_name=debian\u0026os_version=12" | |
| }, | |
| { | |
| "@id": "pkg:deb/debian/[email protected]%2Bdeb12u10?os_name=debian\u0026os_version=12" | |
| }, | |
| { | |
| "@id": "pkg:deb/debian/libc6" | |
| }, | |
| { | |
| "@id": "pkg:deb/debian/glibc" | |
| }, | |
| { | |
| "@id": "dhi.io/golang:1.23", | |
| "subcomponents": [ | |
| { | |
| "@id": "pkg:deb/debian/libc6" | |
| }, | |
| { | |
| "@id": "pkg:deb/debian/glibc" | |
| } | |
| ] | |
| } | |
| ], | |
| "status": "not_affected", | |
| "status_notes": "Standard POSIX behavior in glibc. Applications using glob need to impose limits themselves. Requires authenticated access and is considered unimportant by Debian.", | |
| "justification": "vulnerable_code_cannot_be_controlled_by_adversary", | |
| "timestamp": "2025-08-05T20:35:15Z" | |
| }, | |
| { | |
| "@id": "debian-nodsa-CVE-2016-2781", | |
| "vulnerability": { | |
| "name": "CVE-2016-2781" | |
| }, | |
| "products": [ | |
| { | |
| "@id": "pkg:deb/debian/[email protected]?os_name=debian\u0026os_version=12" | |
| }, | |
| { | |
| "@id": "pkg:deb/debian/[email protected]?os_name=debian\u0026os_version=12" | |
| }, | |
| { | |
| "@id": "pkg:deb/debian/coreutils" | |
| }, | |
| { | |
| "@id": "dhi.io/golang:1.23", | |
| "subcomponents": [ | |
| { | |
| "@id": "pkg:deb/debian/coreutils" | |
| } | |
| ] | |
| } | |
| ], | |
| "status": "not_affected", | |
| "status_notes": "Marked no-dsa by Debian Security Team; see https://security-tracker.debian.org/tracker/CVE-2016-2781", | |
| "justification": "vulnerable_code_cannot_be_controlled_by_adversary", | |
| "timestamp": "2026-01-21T21:46:31Z" | |
| }, | |
| { | |
| "@id": "36146254-dfa4-43cc-8024-b27bd7646b8b", | |
| "vulnerability": { | |
| "name": "CVE-2016-2781" | |
| }, | |
| "products": [ | |
| { | |
| "@id": "pkg:deb/debian/[email protected]?os_name=debian\u0026os_version=12" | |
| }, | |
| { | |
| "@id": "pkg:deb/debian/[email protected]?os_name=debian\u0026os_version=12" | |
| }, | |
| { | |
| "@id": "pkg:deb/debian/coreutils" | |
| }, | |
| { | |
| "@id": "dhi.io/golang:1.23", | |
| "subcomponents": [ | |
| { | |
| "@id": "pkg:deb/debian/coreutils" | |
| } | |
| ] | |
| } | |
| ], | |
| "status": "not_affected", | |
| "status_notes": "This CVE requires chroot with --userspec option, which is rarely used in container environments. The vulnerable code path cannot be reached in typical container usage patterns.", | |
| "justification": "vulnerable_code_cannot_be_controlled_by_adversary", | |
| "timestamp": "2026-01-27T16:09:50Z" | |
| }, | |
| { | |
| "@id": "01d51ca9-3558-492b-9738-38987e7941f6", | |
| "vulnerability": { | |
| "name": "CVE-2016-2781" | |
| }, | |
| "products": [ | |
| { | |
| "@id": "pkg:deb/debian/[email protected]?os_name=debian\u0026os_version=12" | |
| }, | |
| { | |
| "@id": "pkg:deb/debian/[email protected]?os_name=debian\u0026os_version=12" | |
| }, | |
| { | |
| "@id": "pkg:deb/debian/coreutils" | |
| }, | |
| { | |
| "@id": "dhi.io/golang:1.23", | |
| "subcomponents": [ | |
| { | |
| "@id": "pkg:deb/debian/coreutils" | |
| } | |
| ] | |
| } | |
| ], | |
| "status": "not_affected", | |
| "status_notes": "This CVE requires chroot with --userspec option, which is rarely used in container environments. The vulnerable code path cannot be reached in typical container usage patterns.", | |
| "justification": "vulnerable_code_cannot_be_controlled_by_adversary", | |
| "timestamp": "2026-01-27T16:10:16Z" | |
| }, | |
| { | |
| "@id": "6f1bfb73-2c41-423a-81d6-67c401b7a1fb", | |
| "vulnerability": { | |
| "name": "CVE-2017-18018" | |
| }, | |
| "products": [ | |
| { | |
| "@id": "pkg:deb/debian/[email protected]?os_name=debian\u0026os_version=12" | |
| }, | |
| { | |
| "@id": "pkg:deb/debian/[email protected]?os_name=debian\u0026os_version=12" | |
| }, | |
| { | |
| "@id": "pkg:deb/debian/coreutils" | |
| }, | |
| { | |
| "@id": "dhi.io/golang:1.23", | |
| "subcomponents": [ | |
| { | |
| "@id": "pkg:deb/debian/coreutils" | |
| } | |
| ] | |
| } | |
| ], | |
| "status": "not_affected", | |
| "status_notes": "This CVE is not treated as security issue by upstream and reflects intended behavior of the chown program.", | |
| "justification": "vulnerable_code_cannot_be_controlled_by_adversary", | |
| "timestamp": "2025-08-05T20:27:44Z" | |
| }, | |
| { | |
| "@id": "84055870-5e7f-49e1-9c4e-7ee89500a35c", | |
| "vulnerability": { | |
| "name": "CVE-2018-20796" | |
| }, | |
| "products": [ | |
| { | |
| "@id": "pkg:deb/debian/[email protected]%2Bdeb12u10?os_name=debian\u0026os_version=12" | |
| }, | |
| { | |
| "@id": "pkg:deb/debian/[email protected]%2Bdeb12u10?os_name=debian\u0026os_version=12" | |
| }, | |
| { | |
| "@id": "pkg:deb/debian/libc6" | |
| }, | |
| { | |
| "@id": "pkg:deb/debian/glibc" | |
| }, | |
| { | |
| "@id": "dhi.io/golang:1.23", | |
| "subcomponents": [ | |
| { | |
| "@id": "pkg:deb/debian/libc6" | |
| }, | |
| { | |
| "@id": "pkg:deb/debian/glibc" | |
| } | |
| ] | |
| } | |
| ], | |
| "status": "not_affected", | |
| "status_notes": "Not treated as vulnerability by upstream glibc. Listed under glibc Security Exceptions.", | |
| "justification": "vulnerable_code_cannot_be_controlled_by_adversary", | |
| "timestamp": "2025-08-05T20:35:16Z" | |
| }, | |
| { | |
| "@id": "6e4c9d0e-07a7-4977-a116-f931a1127c04", | |
| "vulnerability": { | |
| "name": "CVE-2019-1010022" | |
| }, | |
| "products": [ | |
| { | |
| "@id": "pkg:deb/debian/[email protected]%2Bdeb12u10?os_name=debian\u0026os_version=12" | |
| }, | |
| { | |
| "@id": "pkg:deb/debian/[email protected]%2Bdeb12u10?os_name=debian\u0026os_version=12" | |
| }, | |
| { | |
| "@id": "pkg:deb/debian/libc6" | |
| }, | |
| { | |
| "@id": "pkg:deb/debian/glibc" | |
| }, | |
| { | |
| "@id": "dhi.io/golang:1.23", | |
| "subcomponents": [ | |
| { | |
| "@id": "pkg:deb/debian/libc6" | |
| }, | |
| { | |
| "@id": "pkg:deb/debian/glibc" | |
| } | |
| ] | |
| } | |
| ], | |
| "status": "not_affected", | |
| "status_notes": "Classified as non-security bug by upstream. Stack guard protection bypass is considered unimportant.", | |
| "justification": "vulnerable_code_cannot_be_controlled_by_adversary", | |
| "timestamp": "2025-08-05T20:35:18Z" | |
| }, | |
| { | |
| "@id": "e10e6784-64a0-4203-ba88-3db6603873f9", | |
| "vulnerability": { | |
| "name": "CVE-2019-1010023" | |
| }, | |
| "products": [ | |
| { | |
| "@id": "pkg:deb/debian/[email protected]%2Bdeb12u10?os_name=debian\u0026os_version=12" | |
| }, | |
| { | |
| "@id": "pkg:deb/debian/[email protected]%2Bdeb12u10?os_name=debian\u0026os_version=12" | |
| }, | |
| { | |
| "@id": "pkg:deb/debian/libc6" | |
| }, | |
| { | |
| "@id": "pkg:deb/debian/glibc" | |
| }, | |
| { | |
| "@id": "dhi.io/golang:1.23", | |
| "subcomponents": [ | |
| { | |
| "@id": "pkg:deb/debian/libc6" | |
| }, | |
| { | |
| "@id": "pkg:deb/debian/glibc" | |
| } | |
| ] | |
| } | |
| ], | |
| "status": "not_affected", | |
| "status_notes": "Requires user to explicitly run ldd on malicious ELF files. Classified as non-security bug by upstream.", | |
| "justification": "vulnerable_code_cannot_be_controlled_by_adversary", | |
| "timestamp": "2025-08-05T20:35:19Z" | |
| }, | |
| { | |
| "@id": "8f76fd2d-7c0b-47e9-b59b-a6b9b0b1b184", | |
| "vulnerability": { | |
| "name": "CVE-2019-1010024" | |
| }, | |
| "products": [ | |
| { | |
| "@id": "pkg:deb/debian/[email protected]%2Bdeb12u10?os_name=debian\u0026os_version=12" | |
| }, | |
| { | |
| "@id": "pkg:deb/debian/[email protected]%2Bdeb12u10?os_name=debian\u0026os_version=12" | |
| }, | |
| { | |
| "@id": "pkg:deb/debian/libc6" | |
| }, | |
| { | |
| "@id": "pkg:deb/debian/glibc" | |
| }, | |
| { | |
| "@id": "dhi.io/golang:1.23", | |
| "subcomponents": [ | |
| { | |
| "@id": "pkg:deb/debian/libc6" | |
| }, | |
| { | |
| "@id": "pkg:deb/debian/glibc" | |
| } | |
| ] | |
| } | |
| ], | |
| "status": "not_affected", | |
| "status_notes": "ASLR bypass using thread stack and heap cache. Not treated as security bug by upstream.", | |
| "justification": "vulnerable_code_cannot_be_controlled_by_adversary", | |
| "timestamp": "2025-08-05T20:35:21Z" | |
| }, | |
| { | |
| "@id": "2a64490a-d9f6-4f42-926a-044e6b5ea9b2", | |
| "vulnerability": { | |
| "name": "CVE-2019-1010025" | |
| }, | |
| "products": [ | |
| { | |
| "@id": "pkg:deb/debian/[email protected]%2Bdeb12u10?os_name=debian\u0026os_version=12" | |
| }, | |
| { | |
| "@id": "pkg:deb/debian/[email protected]%2Bdeb12u10?os_name=debian\u0026os_version=12" | |
| }, | |
| { | |
| "@id": "pkg:deb/debian/libc6" | |
| }, | |
| { | |
| "@id": "pkg:deb/debian/glibc" | |
| }, | |
| { | |
| "@id": "dhi.io/golang:1.23", | |
| "subcomponents": [ | |
| { | |
| "@id": "pkg:deb/debian/libc6" | |
| }, | |
| { | |
| "@id": "pkg:deb/debian/glibc" | |
| } | |
| ] | |
| } | |
| ], | |
| "status": "not_affected", | |
| "status_notes": "ASLR bypass for pthread_created thread heap addresses. Vendor states ASLR bypass itself is not a vulnerability.", | |
| "justification": "vulnerable_code_cannot_be_controlled_by_adversary", | |
| "timestamp": "2025-08-05T20:35:22Z" | |
| }, | |
| { | |
| "@id": "338fd8ef-9565-4616-8bfd-d3b184e68ef3", | |
| "vulnerability": { | |
| "name": "CVE-2019-9192" | |
| }, | |
| "products": [ | |
| { | |
| "@id": "pkg:deb/debian/[email protected]%2Bdeb12u10?os_name=debian\u0026os_version=12" | |
| }, | |
| { | |
| "@id": "pkg:deb/debian/[email protected]%2Bdeb12u10?os_name=debian\u0026os_version=12" | |
| }, | |
| { | |
| "@id": "pkg:deb/debian/libc6" | |
| }, | |
| { | |
| "@id": "pkg:deb/debian/glibc" | |
| }, | |
| { | |
| "@id": "dhi.io/golang:1.23", | |
| "subcomponents": [ | |
| { | |
| "@id": "pkg:deb/debian/libc6" | |
| }, | |
| { | |
| "@id": "pkg:deb/debian/glibc" | |
| } | |
| ] | |
| } | |
| ], | |
| "status": "not_affected", | |
| "status_notes": "Uncontrolled recursion in regex processing. Maintainer disputes this as a vulnerability as it only occurs with crafted patterns.", | |
| "justification": "vulnerable_code_cannot_be_controlled_by_adversary", | |
| "timestamp": "2025-08-05T20:35:25Z" | |
| }, | |
| { | |
| "@id": "be80d6b1-ac48-4a80-b3c3-1bc69996398f", | |
| "vulnerability": { | |
| "name": "CVE-2022-27943" | |
| }, | |
| "products": [ | |
| { | |
| "@id": "pkg:deb/debian/[email protected]%2Bdeb12u1?os_name=debian\u0026os_version=12" | |
| }, | |
| { | |
| "@id": "pkg:deb/debian/[email protected]%2Bdeb12u1?os_name=debian\u0026os_version=12" | |
| }, | |
| { | |
| "@id": "pkg:deb/debian/gcc-12-base" | |
| }, | |
| { | |
| "@id": "pkg:deb/debian/libgcc-s1" | |
| }, | |
| { | |
| "@id": "pkg:deb/debian/gcc-12" | |
| }, | |
| { | |
| "@id": "dhi.io/golang:1.23", | |
| "subcomponents": [ | |
| { | |
| "@id": "pkg:deb/debian/gcc-12-base" | |
| }, | |
| { | |
| "@id": "pkg:deb/debian/libgcc-s1" | |
| }, | |
| { | |
| "@id": "pkg:deb/debian/gcc-12" | |
| } | |
| ] | |
| } | |
| ], | |
| "status": "not_affected", | |
| "status_notes": "This CVE affects the RUST demangler, which is not in this context. Additionally the issue has negligible security impact.", | |
| "justification": "vulnerable_code_not_in_execute_path", | |
| "timestamp": "2025-08-05T20:34:55Z" | |
| }, | |
| { | |
| "@id": "debian-nodsa-CVE-2023-45853", | |
| "vulnerability": { | |
| "name": "CVE-2023-45853" | |
| }, | |
| "products": [ | |
| { | |
| "@id": "pkg:deb/debian/zlib@1%3A1.2.13.dfsg-1?os_name=debian\u0026os_version=12" | |
| }, | |
| { | |
| "@id": "pkg:deb/debian/zlib@1%3A1.2.13.dfsg-1?os_name=debian\u0026os_version=12" | |
| }, | |
| { | |
| "@id": "pkg:deb/debian/zlib1g" | |
| }, | |
| { | |
| "@id": "pkg:deb/debian/zlib" | |
| }, | |
| { | |
| "@id": "dhi.io/golang:1.23", | |
| "subcomponents": [ | |
| { | |
| "@id": "pkg:deb/debian/zlib1g" | |
| }, | |
| { | |
| "@id": "pkg:deb/debian/zlib" | |
| } | |
| ] | |
| } | |
| ], | |
| "status": "not_affected", | |
| "status_notes": "Marked no-dsa by Debian Security Team; see https://security-tracker.debian.org/tracker/CVE-2023-45853", | |
| "justification": "vulnerable_code_cannot_be_controlled_by_adversary", | |
| "timestamp": "2026-01-21T21:48:03Z" | |
| }, | |
| { | |
| "@id": "debian-nodsa-CVE-2023-45918", | |
| "vulnerability": { | |
| "name": "CVE-2023-45918" | |
| }, | |
| "products": [ | |
| { | |
| "@id": "pkg:deb/debian/[email protected]?os_name=debian\u0026os_version=12" | |
| }, | |
| { | |
| "@id": "pkg:deb/debian/[email protected]?os_name=debian\u0026os_version=12" | |
| }, | |
| { | |
| "@id": "pkg:deb/debian/libtinfo6" | |
| }, | |
| { | |
| "@id": "pkg:deb/debian/ncurses" | |
| }, | |
| { | |
| "@id": "dhi.io/golang:1.23", | |
| "subcomponents": [ | |
| { | |
| "@id": "pkg:deb/debian/libtinfo6" | |
| }, | |
| { | |
| "@id": "pkg:deb/debian/ncurses" | |
| } | |
| ] | |
| } | |
| ], | |
| "status": "not_affected", | |
| "status_notes": "Marked no-dsa by Debian Security Team; see https://security-tracker.debian.org/tracker/CVE-2023-45918", | |
| "justification": "vulnerable_code_cannot_be_controlled_by_adversary", | |
| "timestamp": "2025-03-12T14:55:43Z" | |
| }, | |
| { | |
| "@id": "5276139e-2d86-4e65-915f-150658829cb1", | |
| "vulnerability": { | |
| "name": "CVE-2023-45927" | |
| }, | |
| "products": [ | |
| { | |
| "@id": "pkg:deb/debian/[email protected]?os_name=debian\u0026os_version=12" | |
| }, | |
| { | |
| "@id": "pkg:deb/debian/[email protected]?os_name=debian\u0026os_version=12" | |
| }, | |
| { | |
| "@id": "pkg:deb/debian/libslang2" | |
| }, | |
| { | |
| "@id": "pkg:deb/debian/slang2" | |
| }, | |
| { | |
| "@id": "dhi.io/golang:1.23", | |
| "subcomponents": [ | |
| { | |
| "@id": "pkg:deb/debian/libslang2" | |
| }, | |
| { | |
| "@id": "pkg:deb/debian/slang2" | |
| } | |
| ] | |
| } | |
| ], | |
| "status": "not_affected", | |
| "status_notes": "The upstream package maintainers have confirmed that this is not a vulnerability but rather an unimportant bug with negligible security impact.", | |
| "justification": "vulnerable_code_cannot_be_controlled_by_adversary", | |
| "timestamp": "2025-08-05T20:36:50Z" | |
| }, | |
| { | |
| "@id": "b3e9f92e-e974-48cf-abaa-64a62656d39a", | |
| "vulnerability": { | |
| "name": "CVE-2023-45929" | |
| }, | |
| "products": [ | |
| { | |
| "@id": "pkg:deb/debian/[email protected]?os_name=debian\u0026os_version=12" | |
| }, | |
| { | |
| "@id": "pkg:deb/debian/[email protected]?os_name=debian\u0026os_version=12" | |
| }, | |
| { | |
| "@id": "pkg:deb/debian/libslang2" | |
| }, | |
| { | |
| "@id": "pkg:deb/debian/slang2" | |
| }, | |
| { | |
| "@id": "dhi.io/golang:1.23", | |
| "subcomponents": [ | |
| { | |
| "@id": "pkg:deb/debian/libslang2" | |
| }, | |
| { | |
| "@id": "pkg:deb/debian/slang2" | |
| } | |
| ] | |
| } | |
| ], | |
| "status": "not_affected", | |
| "status_notes": "The upstream package maintainers have confirmed that this is not a vulnerability but rather an unimportant bug with negligible security impact.", | |
| "justification": "vulnerable_code_cannot_be_controlled_by_adversary", | |
| "timestamp": "2025-08-05T20:36:48Z" | |
| }, | |
| { | |
| "@id": "debian-nodsa-CVE-2023-50495", | |
| "vulnerability": { | |
| "name": "CVE-2023-50495" | |
| }, | |
| "products": [ | |
| { | |
| "@id": "pkg:deb/debian/[email protected]?os_name=debian\u0026os_version=12" | |
| }, | |
| { | |
| "@id": "pkg:deb/debian/[email protected]?os_name=debian\u0026os_version=12" | |
| }, | |
| { | |
| "@id": "pkg:deb/debian/libtinfo6" | |
| }, | |
| { | |
| "@id": "pkg:deb/debian/ncurses" | |
| }, | |
| { | |
| "@id": "dhi.io/golang:1.23", | |
| "subcomponents": [ | |
| { | |
| "@id": "pkg:deb/debian/libtinfo6" | |
| }, | |
| { | |
| "@id": "pkg:deb/debian/ncurses" | |
| } | |
| ] | |
| } | |
| ], | |
| "status": "not_affected", | |
| "status_notes": "Marked no-dsa by Debian Security Team; see https://security-tracker.debian.org/tracker/CVE-2023-50495", | |
| "justification": "vulnerable_code_cannot_be_controlled_by_adversary", | |
| "timestamp": "2026-01-21T21:48:08Z" | |
| }, | |
| { | |
| "@id": "debian-nodsa-CVE-2025-15281", | |
| "vulnerability": { | |
| "name": "CVE-2025-15281" | |
| }, | |
| "products": [ | |
| { | |
| "@id": "pkg:deb/debian/[email protected]%2Bdeb12u10?os_name=debian\u0026os_version=12" | |
| }, | |
| { | |
| "@id": "pkg:deb/debian/[email protected]%2Bdeb12u10?os_name=debian\u0026os_version=12" | |
| }, | |
| { | |
| "@id": "pkg:deb/debian/libc6" | |
| }, | |
| { | |
| "@id": "pkg:deb/debian/glibc" | |
| }, | |
| { | |
| "@id": "dhi.io/golang:1.23", | |
| "subcomponents": [ | |
| { | |
| "@id": "pkg:deb/debian/libc6" | |
| }, | |
| { | |
| "@id": "pkg:deb/debian/glibc" | |
| } | |
| ] | |
| } | |
| ], | |
| "status": "not_affected", | |
| "status_notes": "Marked no-dsa by Debian Security Team; see https://security-tracker.debian.org/tracker/CVE-2025-15281", | |
| "justification": "vulnerable_code_cannot_be_controlled_by_adversary", | |
| "timestamp": "2026-01-29T17:10:11Z" | |
| }, | |
| { | |
| "@id": "701b6f97-40e8-4650-ad9a-d93a17e9b387", | |
| "vulnerability": { | |
| "name": "CVE-2025-27587" | |
| }, | |
| "products": [ | |
| { | |
| "@id": "pkg:deb/debian/[email protected]~deb12u2?os_name=debian\u0026os_version=12" | |
| }, | |
| { | |
| "@id": "pkg:deb/debian/[email protected]~deb12u2?os_name=debian\u0026os_version=12" | |
| }, | |
| { | |
| "@id": "pkg:deb/debian/libssl3" | |
| }, | |
| { | |
| "@id": "pkg:deb/debian/openssl" | |
| }, | |
| { | |
| "@id": "dhi.io/golang:1.23", | |
| "subcomponents": [ | |
| { | |
| "@id": "pkg:deb/debian/libssl3" | |
| }, | |
| { | |
| "@id": "pkg:deb/debian/openssl" | |
| } | |
| ] | |
| } | |
| ], | |
| "status": "not_affected", | |
| "status_notes": "This CVE only affects installations on the PowerPC architecture, and even then it is disputed because the OpenSSL security policy explicitly notes that any side channels which require the same physical system to be detected are outside of the threat model for the software. The timing signal is so small that it is infeasible to detect without having the attacking process running on the same physical system.", | |
| "justification": "vulnerable_code_cannot_be_controlled_by_adversary", | |
| "timestamp": "2025-08-05T20:36:27Z" | |
| }, | |
| { | |
| "@id": "7f2b54b6-4614-4a3e-a70e-9ef4cec4fa8f", | |
| "vulnerability": { | |
| "name": "CVE-2025-45582" | |
| }, | |
| "products": [ | |
| { | |
| "@id": "pkg:deb/debian/[email protected]%2Bdfsg-1.2%2Bdeb12u1?os_name=debian\u0026os_version=12" | |
| }, | |
| { | |
| "@id": "pkg:deb/debian/[email protected]%2Bdfsg-1.2%2Bdeb12u1?os_name=debian\u0026os_version=12" | |
| }, | |
| { | |
| "@id": "pkg:deb/debian/tar" | |
| }, | |
| { | |
| "@id": "dhi.io/golang:1.23", | |
| "subcomponents": [ | |
| { | |
| "@id": "pkg:deb/debian/tar" | |
| } | |
| ] | |
| } | |
| ], | |
| "status": "not_affected", | |
| "status_notes": "Disputed by upstream as it is documented behaviour; see https://lists.gnu.org/archive/html/bug-tar/2025-08/msg00012.html", | |
| "justification": "vulnerable_code_cannot_be_controlled_by_adversary", | |
| "timestamp": "2025-08-05T20:37:04Z" | |
| }, | |
| { | |
| "@id": "b12e79fa-b869-4407-8f0d-84d444c26943", | |
| "vulnerability": { | |
| "name": "CVE-2025-4802" | |
| }, | |
| "products": [ | |
| { | |
| "@id": "pkg:deb/debian/[email protected]%2Bdeb12u10?os_name=debian\u0026os_version=12" | |
| }, | |
| { | |
| "@id": "pkg:deb/debian/[email protected]%2Bdeb12u10?os_name=debian\u0026os_version=12" | |
| }, | |
| { | |
| "@id": "pkg:deb/debian/libc6" | |
| }, | |
| { | |
| "@id": "pkg:deb/debian/glibc" | |
| }, | |
| { | |
| "@id": "dhi.io/golang:1.23", | |
| "subcomponents": [ | |
| { | |
| "@id": "pkg:deb/debian/libc6" | |
| }, | |
| { | |
| "@id": "pkg:deb/debian/glibc" | |
| } | |
| ] | |
| } | |
| ], | |
| "status": "not_affected", | |
| "status_notes": "The only viable vector for exploitation of this bug is local: if a static setuid program exists and that program calls dlopen, then it may search LD_LIBRARY_PATH to locate the SONAME to load. No such program is present in the container image.", | |
| "justification": "vulnerable_code_cannot_be_controlled_by_adversary", | |
| "timestamp": "2025-08-05T20:35:26Z" | |
| }, | |
| { | |
| "@id": "9f601e56-75cb-4b0e-8637-63cfd0e81610", | |
| "vulnerability": { | |
| "name": "CVE-2025-5278" | |
| }, | |
| "products": [ | |
| { | |
| "@id": "pkg:deb/debian/[email protected]?os_name=debian\u0026os_version=12" | |
| }, | |
| { | |
| "@id": "pkg:deb/debian/[email protected]?os_name=debian\u0026os_version=12" | |
| }, | |
| { | |
| "@id": "pkg:deb/debian/coreutils" | |
| }, | |
| { | |
| "@id": "dhi.io/golang:1.23", | |
| "subcomponents": [ | |
| { | |
| "@id": "pkg:deb/debian/coreutils" | |
| } | |
| ] | |
| } | |
| ], | |
| "status": "not_affected", | |
| "status_notes": "This CVE is not treated as security issue by upstream; just a crash in a CLI tool.", | |
| "justification": "vulnerable_code_cannot_be_controlled_by_adversary", | |
| "timestamp": "2025-08-05T20:27:59Z" | |
| }, | |
| { | |
| "@id": "b8f5f402-2d39-4e01-b7f7-31f19a85b2ee", | |
| "vulnerability": { | |
| "name": "CVE-2025-6141" | |
| }, | |
| "products": [ | |
| { | |
| "@id": "pkg:deb/debian/[email protected]?os_name=debian\u0026os_version=12" | |
| }, | |
| { | |
| "@id": "pkg:deb/debian/[email protected]?os_name=debian\u0026os_version=12" | |
| }, | |
| { | |
| "@id": "pkg:deb/debian/libtinfo6" | |
| }, | |
| { | |
| "@id": "pkg:deb/debian/ncurses" | |
| }, | |
| { | |
| "@id": "dhi.io/golang:1.23", | |
| "subcomponents": [ | |
| { | |
| "@id": "pkg:deb/debian/libtinfo6" | |
| }, | |
| { | |
| "@id": "pkg:deb/debian/ncurses" | |
| } | |
| ] | |
| } | |
| ], | |
| "status": "under_investigation", | |
| "impact_statement": "Waiting for upstream fix release", | |
| "timestamp": "2025-08-05T20:36:14Z" | |
| }, | |
| { | |
| "@id": "debian-nodsa-CVE-2025-6141", | |
| "vulnerability": { | |
| "name": "CVE-2025-6141" | |
| }, | |
| "products": [ | |
| { | |
| "@id": "pkg:deb/debian/[email protected]?os_name=debian\u0026os_version=12" | |
| }, | |
| { | |
| "@id": "pkg:deb/debian/[email protected]?os_name=debian\u0026os_version=12" | |
| }, | |
| { | |
| "@id": "pkg:deb/debian/libtinfo6" | |
| }, | |
| { | |
| "@id": "pkg:deb/debian/ncurses" | |
| }, | |
| { | |
| "@id": "dhi.io/golang:1.23", | |
| "subcomponents": [ | |
| { | |
| "@id": "pkg:deb/debian/libtinfo6" | |
| }, | |
| { | |
| "@id": "pkg:deb/debian/ncurses" | |
| } | |
| ] | |
| } | |
| ], | |
| "status": "not_affected", | |
| "status_notes": "Marked no-dsa by Debian Security Team; see https://security-tracker.debian.org/tracker/CVE-2025-6141", | |
| "justification": "vulnerable_code_cannot_be_controlled_by_adversary", | |
| "timestamp": "2026-01-21T21:50:12Z" | |
| }, | |
| { | |
| "@id": "debian-nodsa-CVE-2025-6297", | |
| "vulnerability": { | |
| "name": "CVE-2025-6297" | |
| }, | |
| "products": [ | |
| { | |
| "@id": "pkg:deb/debian/[email protected]?os_name=debian\u0026os_version=12" | |
| }, | |
| { | |
| "@id": "pkg:deb/debian/[email protected]?os_name=debian\u0026os_version=12" | |
| }, | |
| { | |
| "@id": "pkg:deb/debian/dpkg" | |
| }, | |
| { | |
| "@id": "dhi.io/golang:1.23", | |
| "subcomponents": [ | |
| { | |
| "@id": "pkg:deb/debian/dpkg" | |
| } | |
| ] | |
| } | |
| ], | |
| "status": "not_affected", | |
| "status_notes": "Marked no-dsa by Debian Security Team; see https://security-tracker.debian.org/tracker/CVE-2025-6297", | |
| "justification": "vulnerable_code_cannot_be_controlled_by_adversary", | |
| "timestamp": "2026-01-21T21:50:13Z" | |
| }, | |
| { | |
| "@id": "debian-nodsa-CVE-2026-0861", | |
| "vulnerability": { | |
| "name": "CVE-2026-0861" | |
| }, | |
| "products": [ | |
| { | |
| "@id": "pkg:deb/debian/[email protected]%2Bdeb12u10?os_name=debian\u0026os_version=12" | |
| }, | |
| { | |
| "@id": "pkg:deb/debian/[email protected]%2Bdeb12u10?os_name=debian\u0026os_version=12" | |
| }, | |
| { | |
| "@id": "pkg:deb/debian/libc6" | |
| }, | |
| { | |
| "@id": "pkg:deb/debian/glibc" | |
| }, | |
| { | |
| "@id": "dhi.io/golang:1.23", | |
| "subcomponents": [ | |
| { | |
| "@id": "pkg:deb/debian/libc6" | |
| }, | |
| { | |
| "@id": "pkg:deb/debian/glibc" | |
| } | |
| ] | |
| } | |
| ], | |
| "status": "not_affected", | |
| "status_notes": "Marked no-dsa by Debian Security Team; see https://security-tracker.debian.org/tracker/CVE-2026-0861", | |
| "justification": "vulnerable_code_cannot_be_controlled_by_adversary", | |
| "timestamp": "2026-01-29T17:10:12Z" | |
| }, | |
| { | |
| "@id": "debian-nodsa-CVE-2026-0915", | |
| "vulnerability": { | |
| "name": "CVE-2026-0915" | |
| }, | |
| "products": [ | |
| { | |
| "@id": "pkg:deb/debian/[email protected]%2Bdeb12u10?os_name=debian\u0026os_version=12" | |
| }, | |
| { | |
| "@id": "pkg:deb/debian/[email protected]%2Bdeb12u10?os_name=debian\u0026os_version=12" | |
| }, | |
| { | |
| "@id": "pkg:deb/debian/libc6" | |
| }, | |
| { | |
| "@id": "pkg:deb/debian/glibc" | |
| }, | |
| { | |
| "@id": "dhi.io/golang:1.23", | |
| "subcomponents": [ | |
| { | |
| "@id": "pkg:deb/debian/libc6" | |
| }, | |
| { | |
| "@id": "pkg:deb/debian/glibc" | |
| } | |
| ] | |
| } | |
| ], | |
| "status": "not_affected", | |
| "status_notes": "Marked no-dsa by Debian Security Team; see https://security-tracker.debian.org/tracker/CVE-2026-0915", | |
| "justification": "vulnerable_code_cannot_be_controlled_by_adversary", | |
| "timestamp": "2026-01-29T17:10:12Z" | |
| } | |
| ], | |
| "timestamp": "2025-03-12T14:55:43Z", | |
| "last_updated": "2026-01-29T17:10:12Z" | |
| } |