---
hide:
- toc
---
# Security Overview
## Helm-Chart
##### Scan Results
#### Chart Object: stash/templates/common.yaml
| Type | Misconfiguration ID | Check | Severity | Explaination | Links |
|:----------------|:------------------:|:-----------:|:------------------:|-----------------------------------------|-----------------------------------------|
| Kubernetes Security Check | KSV001 | Process can elevate its own privileges | MEDIUM | Expand...
A program inside the container can elevate its own privileges and run as root, which might give the program control over the container and node.
Container 'hostpatch' of Deployment 'RELEASE-NAME-stash' should set 'securityContext.allowPrivilegeEscalation' to false Expand...
https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted
https://avd.aquasec.com/appshield/ksv001
Expand...
The container should drop all default capabilities and add only those that are needed for its execution.
Container 'RELEASE-NAME-stash' of Deployment 'RELEASE-NAME-stash' should add 'ALL' to 'securityContext.capabilities.drop' Expand...
https://kubesec.io/basics/containers-securitycontext-capabilities-drop-index-all/
https://avd.aquasec.com/appshield/ksv003
Expand...
The container should drop all default capabilities and add only those that are needed for its execution.
Container 'hostpatch' of Deployment 'RELEASE-NAME-stash' should add 'ALL' to 'securityContext.capabilities.drop' Expand...
https://kubesec.io/basics/containers-securitycontext-capabilities-drop-index-all/
https://avd.aquasec.com/appshield/ksv003
Expand...
Enforcing CPU limits prevents DoS via resource exhaustion.
Container 'hostpatch' of Deployment 'RELEASE-NAME-stash' should set 'resources.limits.cpu' Expand...
https://cloud.google.com/blog/products/containers-kubernetes/kubernetes-best-practices-resource-requests-and-limits
https://avd.aquasec.com/appshield/ksv011
Expand...
'runAsNonRoot' forces the running image to run as a non-root user to ensure least privileges.
Container 'RELEASE-NAME-stash' of Deployment 'RELEASE-NAME-stash' should set 'securityContext.runAsNonRoot' to true Expand...
https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted
https://avd.aquasec.com/appshield/ksv012
Expand...
'runAsNonRoot' forces the running image to run as a non-root user to ensure least privileges.
Container 'autopermissions' of Deployment 'RELEASE-NAME-stash' should set 'securityContext.runAsNonRoot' to true Expand...
https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted
https://avd.aquasec.com/appshield/ksv012
Expand...
'runAsNonRoot' forces the running image to run as a non-root user to ensure least privileges.
Container 'hostpatch' of Deployment 'RELEASE-NAME-stash' should set 'securityContext.runAsNonRoot' to true Expand...
https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted
https://avd.aquasec.com/appshield/ksv012
Expand...
An immutable root file system prevents applications from writing to their local disk. This can limit intrusions, as attackers will not be able to tamper with the file system or write foreign executables to disk.
Container 'autopermissions' of Deployment 'RELEASE-NAME-stash' should set 'securityContext.readOnlyRootFilesystem' to true Expand...
https://kubesec.io/basics/containers-securitycontext-readonlyrootfilesystem-true/
https://avd.aquasec.com/appshield/ksv014
Expand...
An immutable root file system prevents applications from writing to their local disk. This can limit intrusions, as attackers will not be able to tamper with the file system or write foreign executables to disk.
Container 'hostpatch' of Deployment 'RELEASE-NAME-stash' should set 'securityContext.readOnlyRootFilesystem' to true Expand...
https://kubesec.io/basics/containers-securitycontext-readonlyrootfilesystem-true/
https://avd.aquasec.com/appshield/ksv014
Expand...
When containers have resource requests specified, the scheduler can make better decisions about which nodes to place pods on, and how to deal with resource contention.
Container 'hostpatch' of Deployment 'RELEASE-NAME-stash' should set 'resources.requests.cpu' Expand...
https://cloud.google.com/blog/products/containers-kubernetes/kubernetes-best-practices-resource-requests-and-limits
https://avd.aquasec.com/appshield/ksv015
Expand...
When containers have memory requests specified, the scheduler can make better decisions about which nodes to place pods on, and how to deal with resource contention.
Container 'hostpatch' of Deployment 'RELEASE-NAME-stash' should set 'resources.requests.memory' Expand...
https://kubesec.io/basics/containers-resources-limits-memory/
https://avd.aquasec.com/appshield/ksv016
Expand...
Privileged containers share namespaces with the host system and do not offer any security. They should be used exclusively for system containers that require high privileges.
Container 'hostpatch' of Deployment 'RELEASE-NAME-stash' should set 'securityContext.privileged' to false Expand...
https://kubernetes.io/docs/concepts/security/pod-security-standards/#baseline
https://avd.aquasec.com/appshield/ksv017
Expand...
Enforcing memory limits prevents DoS via resource exhaustion.
Container 'hostpatch' of Deployment 'RELEASE-NAME-stash' should set 'resources.limits.memory' Expand...
https://kubesec.io/basics/containers-resources-limits-memory/
https://avd.aquasec.com/appshield/ksv018
Expand...
Force the container to run with user ID > 10000 to avoid conflicts with the host’s user table.
Container 'RELEASE-NAME-stash' of Deployment 'RELEASE-NAME-stash' should set 'securityContext.runAsUser' > 10000 Expand...
https://kubesec.io/basics/containers-securitycontext-runasuser/
https://avd.aquasec.com/appshield/ksv020
Expand...
Force the container to run with user ID > 10000 to avoid conflicts with the host’s user table.
Container 'autopermissions' of Deployment 'RELEASE-NAME-stash' should set 'securityContext.runAsUser' > 10000 Expand...
https://kubesec.io/basics/containers-securitycontext-runasuser/
https://avd.aquasec.com/appshield/ksv020
Expand...
Force the container to run with user ID > 10000 to avoid conflicts with the host’s user table.
Container 'hostpatch' of Deployment 'RELEASE-NAME-stash' should set 'securityContext.runAsUser' > 10000 Expand...
https://kubesec.io/basics/containers-securitycontext-runasuser/
https://avd.aquasec.com/appshield/ksv020
Expand...
Force the container to run with group ID > 10000 to avoid conflicts with the host’s user table.
Container 'RELEASE-NAME-stash' of Deployment 'RELEASE-NAME-stash' should set 'securityContext.runAsGroup' > 10000 Expand...
https://kubesec.io/basics/containers-securitycontext-runasuser/
https://avd.aquasec.com/appshield/ksv021
Expand...
Force the container to run with group ID > 10000 to avoid conflicts with the host’s user table.
Container 'autopermissions' of Deployment 'RELEASE-NAME-stash' should set 'securityContext.runAsGroup' > 10000 Expand...
https://kubesec.io/basics/containers-securitycontext-runasuser/
https://avd.aquasec.com/appshield/ksv021
Expand...
Force the container to run with group ID > 10000 to avoid conflicts with the host’s user table.
Container 'hostpatch' of Deployment 'RELEASE-NAME-stash' should set 'securityContext.runAsGroup' > 10000 Expand...
https://kubesec.io/basics/containers-securitycontext-runasuser/
https://avd.aquasec.com/appshield/ksv021
Expand...
HostPath volumes must be forbidden.
Deployment 'RELEASE-NAME-stash' should not set 'spec.template.volumes.hostPath' Expand...
https://kubernetes.io/docs/concepts/security/pod-security-standards/#baseline
https://avd.aquasec.com/appshield/ksv023
Expand...
Containers should be forbidden from running with a root primary or supplementary GID.
Deployment 'RELEASE-NAME-stash' should set 'spec.securityContext.runAsGroup', 'spec.securityContext.supplementalGroups[*]' and 'spec.securityContext.fsGroup' to integer greater than 0 Expand...
https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted
https://avd.aquasec.com/appshield/ksv029
Expand...
https://git.alpinelinux.org/aports/plain/main/busybox/0001-libbb-sockaddr2str-ensure-only-printable-characters-.patch
https://git.alpinelinux.org/aports/plain/main/busybox/0002-nslookup-sanitize-all-printed-strings-with-printable.patch
https://gitlab.alpinelinux.org/alpine/aports/-/issues/13661
https://nvd.nist.gov/vuln/detail/CVE-2022-28391
Expand...
https://git.alpinelinux.org/aports/plain/main/busybox/0001-libbb-sockaddr2str-ensure-only-printable-characters-.patch
https://git.alpinelinux.org/aports/plain/main/busybox/0002-nslookup-sanitize-all-printed-strings-with-printable.patch
https://gitlab.alpinelinux.org/alpine/aports/-/issues/13661
https://nvd.nist.gov/vuln/detail/CVE-2022-28391
Expand...
http://www.openwall.com/lists/oss-security/2022/03/25/2
http://www.openwall.com/lists/oss-security/2022/03/26/1
https://access.redhat.com/security/cve/CVE-2018-25032
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-25032
https://github.com/madler/zlib/commit/5c44459c3b28a9bd3283aaceab7c615f8020c531
https://github.com/madler/zlib/compare/v1.2.11...v1.2.12
https://github.com/madler/zlib/issues/605
https://github.com/sparklemotion/nokogiri/releases/tag/v1.13.4
https://github.com/sparklemotion/nokogiri/security/advisories/GHSA-v6gp-9mmm-c6p5
https://groups.google.com/g/ruby-security-ann/c/vX7qSjsvWis/m/TJWN4oOKBwAJ
https://lists.debian.org/debian-lts-announce/2022/04/msg00000.html
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/NS2D2GFPFGOJUL4WQ3DUAY7HF4VWQ77F/
https://nvd.nist.gov/vuln/detail/CVE-2018-25032
https://ubuntu.com/security/notices/USN-5355-1
https://ubuntu.com/security/notices/USN-5355-2
https://ubuntu.com/security/notices/USN-5359-1
https://www.debian.org/security/2022/dsa-5111
https://www.openwall.com/lists/oss-security/2022/03/24/1
https://www.openwall.com/lists/oss-security/2022/03/28/1
https://www.openwall.com/lists/oss-security/2022/03/28/3
Expand...
https://git.alpinelinux.org/aports/plain/main/busybox/0001-libbb-sockaddr2str-ensure-only-printable-characters-.patch
https://git.alpinelinux.org/aports/plain/main/busybox/0002-nslookup-sanitize-all-printed-strings-with-printable.patch
https://gitlab.alpinelinux.org/alpine/aports/-/issues/13661
https://nvd.nist.gov/vuln/detail/CVE-2022-28391
Expand...
https://git.alpinelinux.org/aports/plain/main/busybox/0001-libbb-sockaddr2str-ensure-only-printable-characters-.patch
https://git.alpinelinux.org/aports/plain/main/busybox/0002-nslookup-sanitize-all-printed-strings-with-printable.patch
https://gitlab.alpinelinux.org/alpine/aports/-/issues/13661
https://nvd.nist.gov/vuln/detail/CVE-2022-28391
Expand...
http://www.openwall.com/lists/oss-security/2022/03/25/2
http://www.openwall.com/lists/oss-security/2022/03/26/1
https://access.redhat.com/security/cve/CVE-2018-25032
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-25032
https://github.com/madler/zlib/commit/5c44459c3b28a9bd3283aaceab7c615f8020c531
https://github.com/madler/zlib/compare/v1.2.11...v1.2.12
https://github.com/madler/zlib/issues/605
https://github.com/sparklemotion/nokogiri/releases/tag/v1.13.4
https://github.com/sparklemotion/nokogiri/security/advisories/GHSA-v6gp-9mmm-c6p5
https://groups.google.com/g/ruby-security-ann/c/vX7qSjsvWis/m/TJWN4oOKBwAJ
https://lists.debian.org/debian-lts-announce/2022/04/msg00000.html
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/NS2D2GFPFGOJUL4WQ3DUAY7HF4VWQ77F/
https://nvd.nist.gov/vuln/detail/CVE-2018-25032
https://ubuntu.com/security/notices/USN-5355-1
https://ubuntu.com/security/notices/USN-5355-2
https://ubuntu.com/security/notices/USN-5359-1
https://www.debian.org/security/2022/dsa-5111
https://www.openwall.com/lists/oss-security/2022/03/24/1
https://www.openwall.com/lists/oss-security/2022/03/28/1
https://www.openwall.com/lists/oss-security/2022/03/28/3
Expand...
https://access.redhat.com/security/cve/CVE-2021-44648
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44648
https://gitlab.gnome.org/GNOME/gdk-pixbuf/-/issues/136
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/JEVTOGIJITK2N5AOOLKKMDIICZDQE6CH/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PEKBMOO52RXONWKB6ZKKHTVPLF6WC3KF/
https://sahildhar.github.io/blogpost/GdkPixbuf-Heap-Buffer-Overflow-in-lzw_decoder_new/
Expand...
https://access.redhat.com/security/cve/CVE-2022-0891
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-0891
https://gitlab.com/freedesktop-sdk/mirrors/gitlab/libtiff/libtiff/-/commit/232282fd8f9c21eefe8d2d2b96cdbbb172fe7b7c
https://gitlab.com/gitlab-org/cves/-/blob/master/2022/CVE-2022-0891.json
https://gitlab.com/libtiff/libtiff/-/commit/232282fd8f9c21eefe8d2d2b96cdbbb172fe7b7c
https://gitlab.com/libtiff/libtiff/-/issues/380
https://gitlab.com/libtiff/libtiff/-/issues/382
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/RNT2GFNRLOMKJ5KXM6JIHKBNBFDVZPD3/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZQ4E654ZYUUUQNBKYQFXNK2CV3CPWTM2/
https://nvd.nist.gov/vuln/detail/CVE-2022-0891
https://www.debian.org/security/2022/dsa-5108
Expand...
https://access.redhat.com/security/cve/CVE-2022-0561
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-0561
https://gitlab.com/freedesktop-sdk/mirrors/gitlab/libtiff/libtiff/-/commit/eecb0712f4c3a5b449f70c57988260a667ddbdef
https://gitlab.com/gitlab-org/cves/-/blob/master/2022/CVE-2022-0561.json
https://gitlab.com/libtiff/libtiff/-/issues/362
https://lists.debian.org/debian-lts-announce/2022/03/msg00001.html
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/DZEHZ35XVO2VBZ4HHCMM6J6TQIDSBQOM/
https://nvd.nist.gov/vuln/detail/CVE-2022-0561
https://security.netapp.com/advisory/ntap-20220318-0001/
https://www.debian.org/security/2022/dsa-5108
Expand...
https://access.redhat.com/security/cve/CVE-2022-0562
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-0562
https://gitlab.com/gitlab-org/build/omnibus-mirror/libtiff/-/commit/561599c99f987dc32ae110370cfdd7df7975586b
https://gitlab.com/gitlab-org/cves/-/blob/master/2022/CVE-2022-0562.json
https://gitlab.com/libtiff/libtiff/-/issues/362
https://lists.debian.org/debian-lts-announce/2022/03/msg00001.html
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/DZEHZ35XVO2VBZ4HHCMM6J6TQIDSBQOM/
https://nvd.nist.gov/vuln/detail/CVE-2022-0562
https://security.netapp.com/advisory/ntap-20220318-0001/
https://www.debian.org/security/2022/dsa-5108
Expand...
https://access.redhat.com/security/cve/CVE-2022-0865
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-0865
https://gitlab.com/gitlab-org/cves/-/blob/master/2022/CVE-2022-0865.json
https://gitlab.com/libtiff/libtiff/-/commit/a1c933dabd0e1c54a412f3f84ae0aa58115c6067
https://gitlab.com/libtiff/libtiff/-/issues/385
https://gitlab.com/libtiff/libtiff/-/merge_requests/306
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/RNT2GFNRLOMKJ5KXM6JIHKBNBFDVZPD3/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZQ4E654ZYUUUQNBKYQFXNK2CV3CPWTM2/
https://nvd.nist.gov/vuln/detail/CVE-2022-0865
https://www.debian.org/security/2022/dsa-5108
Expand...
https://access.redhat.com/security/cve/CVE-2022-0907
https://gitlab.com/gitlab-org/cves/-/blob/master/2022/CVE-2022-0907.json
https://gitlab.com/libtiff/libtiff/-/issues/392
https://gitlab.com/libtiff/libtiff/-/merge_requests/314
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/RNT2GFNRLOMKJ5KXM6JIHKBNBFDVZPD3/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZQ4E654ZYUUUQNBKYQFXNK2CV3CPWTM2/
https://nvd.nist.gov/vuln/detail/CVE-2022-0907
https://www.debian.org/security/2022/dsa-5108
Expand...
https://access.redhat.com/security/cve/CVE-2022-0908
https://gitlab.com/gitlab-org/cves/-/blob/master/2022/CVE-2022-0908.json
https://gitlab.com/libtiff/libtiff/-/commit/a95b799f65064e4ba2e2dfc206808f86faf93e85
https://gitlab.com/libtiff/libtiff/-/issues/383
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/RNT2GFNRLOMKJ5KXM6JIHKBNBFDVZPD3/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZQ4E654ZYUUUQNBKYQFXNK2CV3CPWTM2/
https://nvd.nist.gov/vuln/detail/CVE-2022-0908
https://www.debian.org/security/2022/dsa-5108
Expand...
https://access.redhat.com/security/cve/CVE-2022-0909
https://gitlab.com/gitlab-org/cves/-/blob/master/2022/CVE-2022-0909.json
https://gitlab.com/libtiff/libtiff/-/issues/393
https://gitlab.com/libtiff/libtiff/-/merge_requests/310
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/RNT2GFNRLOMKJ5KXM6JIHKBNBFDVZPD3/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZQ4E654ZYUUUQNBKYQFXNK2CV3CPWTM2/
https://nvd.nist.gov/vuln/detail/CVE-2022-0909
https://www.debian.org/security/2022/dsa-5108
Expand...
https://access.redhat.com/security/cve/CVE-2022-0924
https://gitlab.com/gitlab-org/cves/-/blob/master/2022/CVE-2022-0924.json
https://gitlab.com/libtiff/libtiff/-/issues/278
https://gitlab.com/libtiff/libtiff/-/merge_requests/311
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/RNT2GFNRLOMKJ5KXM6JIHKBNBFDVZPD3/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZQ4E654ZYUUUQNBKYQFXNK2CV3CPWTM2/
https://nvd.nist.gov/vuln/detail/CVE-2022-0924
https://www.debian.org/security/2022/dsa-5108
Expand...
https://access.redhat.com/security/cve/CVE-2022-22844
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-22844
https://gitlab.com/libtiff/libtiff/-/issues/355
https://gitlab.com/libtiff/libtiff/-/merge_requests/287
https://lists.debian.org/debian-lts-announce/2022/03/msg00001.html
https://nvd.nist.gov/vuln/detail/CVE-2022-22844
https://security.netapp.com/advisory/ntap-20220311-0002/
https://www.debian.org/security/2022/dsa-5108