TrueChartsClone/charts/stable/overseerr/security.md

32 KiB
Raw Blame History

hide
toc

Security Overview

Helm-Chart

Scan Results

Chart Object: overseerr/templates/common.yaml

Type Misconfiguration ID Check Severity Explaination Links
Kubernetes Security Check KSV001 Process can elevate its own privileges MEDIUM
Expand... A program inside the container can elevate its own privileges and run as root, which might give the program control over the container and node.


Container 'autopermissions' of Deployment 'RELEASE-NAME-overseerr' should set 'securityContext.allowPrivilegeEscalation' to false
Expand...https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted
https://avd.aquasec.com/appshield/ksv001
Kubernetes Security Check KSV003 Default capabilities not dropped LOW
Expand... The container should drop all default capabilities and add only those that are needed for its execution.


Container 'RELEASE-NAME-overseerr' of Deployment 'RELEASE-NAME-overseerr' should add 'ALL' to 'securityContext.capabilities.drop'
Expand...https://kubesec.io/basics/containers-securitycontext-capabilities-drop-index-all/
https://avd.aquasec.com/appshield/ksv003
Kubernetes Security Check KSV003 Default capabilities not dropped LOW
Expand... The container should drop all default capabilities and add only those that are needed for its execution.


Container 'autopermissions' of Deployment 'RELEASE-NAME-overseerr' should add 'ALL' to 'securityContext.capabilities.drop'
Expand...https://kubesec.io/basics/containers-securitycontext-capabilities-drop-index-all/
https://avd.aquasec.com/appshield/ksv003
Kubernetes Security Check KSV012 Runs as root user MEDIUM
Expand... 'runAsNonRoot' forces the running image to run as a non-root user to ensure least privileges.


Container 'autopermissions' of Deployment 'RELEASE-NAME-overseerr' should set 'securityContext.runAsNonRoot' to true
Expand...https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted
https://avd.aquasec.com/appshield/ksv012
Kubernetes Security Check KSV014 Root file system is not read-only LOW
Expand... An immutable root file system prevents applications from writing to their local disk. This can limit intrusions, as attackers will not be able to tamper with the file system or write foreign executables to disk.


Container 'RELEASE-NAME-overseerr' of Deployment 'RELEASE-NAME-overseerr' should set 'securityContext.readOnlyRootFilesystem' to true
Expand...https://kubesec.io/basics/containers-securitycontext-readonlyrootfilesystem-true/
https://avd.aquasec.com/appshield/ksv014
Kubernetes Security Check KSV014 Root file system is not read-only LOW
Expand... An immutable root file system prevents applications from writing to their local disk. This can limit intrusions, as attackers will not be able to tamper with the file system or write foreign executables to disk.


Container 'autopermissions' of Deployment 'RELEASE-NAME-overseerr' should set 'securityContext.readOnlyRootFilesystem' to true
Expand...https://kubesec.io/basics/containers-securitycontext-readonlyrootfilesystem-true/
https://avd.aquasec.com/appshield/ksv014
Kubernetes Security Check KSV017 Privileged container HIGH
Expand... Privileged containers share namespaces with the host system and do not offer any security. They should be used exclusively for system containers that require high privileges.


Container 'autopermissions' of Deployment 'RELEASE-NAME-overseerr' should set 'securityContext.privileged' to false
Expand...https://kubernetes.io/docs/concepts/security/pod-security-standards/#baseline
https://avd.aquasec.com/appshield/ksv017
Kubernetes Security Check KSV020 Runs with low user ID MEDIUM
Expand... Force the container to run with user ID > 10000 to avoid conflicts with the hosts user table.


Container 'RELEASE-NAME-overseerr' of Deployment 'RELEASE-NAME-overseerr' should set 'securityContext.runAsUser' > 10000
Expand...https://kubesec.io/basics/containers-securitycontext-runasuser/
https://avd.aquasec.com/appshield/ksv020
Kubernetes Security Check KSV020 Runs with low user ID MEDIUM
Expand... Force the container to run with user ID > 10000 to avoid conflicts with the hosts user table.


Container 'autopermissions' of Deployment 'RELEASE-NAME-overseerr' should set 'securityContext.runAsUser' > 10000
Expand...https://kubesec.io/basics/containers-securitycontext-runasuser/
https://avd.aquasec.com/appshield/ksv020
Kubernetes Security Check KSV021 Runs with low group ID MEDIUM
Expand... Force the container to run with group ID > 10000 to avoid conflicts with the hosts user table.


Container 'RELEASE-NAME-overseerr' of Deployment 'RELEASE-NAME-overseerr' should set 'securityContext.runAsGroup' > 10000
Expand...https://kubesec.io/basics/containers-securitycontext-runasuser/
https://avd.aquasec.com/appshield/ksv021
Kubernetes Security Check KSV021 Runs with low group ID MEDIUM
Expand... Force the container to run with group ID > 10000 to avoid conflicts with the hosts user table.


Container 'autopermissions' of Deployment 'RELEASE-NAME-overseerr' should set 'securityContext.runAsGroup' > 10000
Expand...https://kubesec.io/basics/containers-securitycontext-runasuser/
https://avd.aquasec.com/appshield/ksv021
Kubernetes Security Check KSV029 A root primary or supplementary GID set LOW
Expand... Containers should be forbidden from running with a root primary or supplementary GID.


Deployment 'RELEASE-NAME-overseerr' should set 'spec.securityContext.runAsGroup', 'spec.securityContext.supplementalGroups[*]' and 'spec.securityContext.fsGroup' to integer greater than 0
Expand...https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted
https://avd.aquasec.com/appshield/ksv029

Containers

Detected Containers
      tccr.io/truecharts/alpine:v3.15.2@sha256:29ed3480a0ee43f7af681fed5d4fc215516abf1c41eade6938b26d8c9c2c7583
      tccr.io/truecharts/overseerr:v1.29.1@sha256:8b2e31f80dcdaed42ef89be859068a741379b25cf9f02ae9ba9cc26ceea16d30
Scan Results

Container: tccr.io/truecharts/alpine:v3.15.2@sha256:29ed3480a0ee43f7af681fed5d4fc215516abf1c41eade6938b26d8c9c2c7583 (alpine 3.15.2)

alpine

Package Vulnerability Severity Installed Version Fixed Version Links
busybox CVE-2022-28391 CRITICAL 1.34.1-r4 1.34.1-r5
Expand...https://access.redhat.com/security/cve/CVE-2022-28391
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-28391
https://git.alpinelinux.org/aports/plain/main/busybox/0001-libbb-sockaddr2str-ensure-only-printable-characters-.patch
https://git.alpinelinux.org/aports/plain/main/busybox/0002-nslookup-sanitize-all-printed-strings-with-printable.patch
https://gitlab.alpinelinux.org/alpine/aports/-/issues/13661
https://nvd.nist.gov/vuln/detail/CVE-2022-28391
curl CVE-2022-22576 MEDIUM 7.80.0-r0 7.80.0-r1
Expand...https://access.redhat.com/security/cve/CVE-2022-22576
https://curl.se/docs/CVE-2022-22576.html
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-22576
https://hackerone.com/reports/1526328
https://ubuntu.com/security/notices/USN-5397-1
curl CVE-2022-27774 MEDIUM 7.80.0-r0 7.80.0-r1
Expand...https://access.redhat.com/security/cve/CVE-2022-27774
https://curl.se/docs/CVE-2022-27774.html
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-27774
https://hackerone.com/reports/1543773
https://ubuntu.com/security/notices/USN-5397-1
curl CVE-2022-27776 MEDIUM 7.80.0-r0 7.80.0-r1
Expand...https://access.redhat.com/security/cve/CVE-2022-27776
https://curl.se/docs/CVE-2022-27776.html
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-27776
https://hackerone.com/reports/1547048
https://ubuntu.com/security/notices/USN-5397-1
curl CVE-2022-27775 LOW 7.80.0-r0 7.80.0-r1
Expand...https://access.redhat.com/security/cve/CVE-2022-27775
https://curl.se/docs/CVE-2022-27775.html
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-27775
https://hackerone.com/reports/1546268
https://ubuntu.com/security/notices/USN-5397-1
libcurl CVE-2022-22576 MEDIUM 7.80.0-r0 7.80.0-r1
Expand...https://access.redhat.com/security/cve/CVE-2022-22576
https://curl.se/docs/CVE-2022-22576.html
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-22576
https://hackerone.com/reports/1526328
https://ubuntu.com/security/notices/USN-5397-1
libcurl CVE-2022-27774 MEDIUM 7.80.0-r0 7.80.0-r1
Expand...https://access.redhat.com/security/cve/CVE-2022-27774
https://curl.se/docs/CVE-2022-27774.html
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-27774
https://hackerone.com/reports/1543773
https://ubuntu.com/security/notices/USN-5397-1
libcurl CVE-2022-27776 MEDIUM 7.80.0-r0 7.80.0-r1
Expand...https://access.redhat.com/security/cve/CVE-2022-27776
https://curl.se/docs/CVE-2022-27776.html
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-27776
https://hackerone.com/reports/1547048
https://ubuntu.com/security/notices/USN-5397-1
libcurl CVE-2022-27775 LOW 7.80.0-r0 7.80.0-r1
Expand...https://access.redhat.com/security/cve/CVE-2022-27775
https://curl.se/docs/CVE-2022-27775.html
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-27775
https://hackerone.com/reports/1546268
https://ubuntu.com/security/notices/USN-5397-1
ssl_client CVE-2022-28391 CRITICAL 1.34.1-r4 1.34.1-r5
Expand...https://access.redhat.com/security/cve/CVE-2022-28391
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-28391
https://git.alpinelinux.org/aports/plain/main/busybox/0001-libbb-sockaddr2str-ensure-only-printable-characters-.patch
https://git.alpinelinux.org/aports/plain/main/busybox/0002-nslookup-sanitize-all-printed-strings-with-printable.patch
https://gitlab.alpinelinux.org/alpine/aports/-/issues/13661
https://nvd.nist.gov/vuln/detail/CVE-2022-28391
zlib CVE-2018-25032 HIGH 1.2.11-r3 1.2.12-r0
Expand...http://seclists.org/fulldisclosure/2022/May/33
http://seclists.org/fulldisclosure/2022/May/35
http://seclists.org/fulldisclosure/2022/May/38
http://www.openwall.com/lists/oss-security/2022/03/25/2
http://www.openwall.com/lists/oss-security/2022/03/26/1
https://access.redhat.com/security/cve/CVE-2018-25032
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-25032
https://errata.almalinux.org/8/ALSA-2022-2201.html
https://github.com/madler/zlib/commit/5c44459c3b28a9bd3283aaceab7c615f8020c531
https://github.com/madler/zlib/compare/v1.2.11...v1.2.12
https://github.com/madler/zlib/issues/605
https://github.com/sparklemotion/nokogiri/releases/tag/v1.13.4
https://github.com/sparklemotion/nokogiri/security/advisories/GHSA-v6gp-9mmm-c6p5
https://groups.google.com/g/ruby-security-ann/c/vX7qSjsvWis/m/TJWN4oOKBwAJ
https://linux.oracle.com/cve/CVE-2018-25032.html
https://linux.oracle.com/errata/ELSA-2022-2213.html
https://lists.debian.org/debian-lts-announce/2022/04/msg00000.html
https://lists.debian.org/debian-lts-announce/2022/05/msg00008.html
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/NS2D2GFPFGOJUL4WQ3DUAY7HF4VWQ77F/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/VOKNP2L734AEL47NRYGVZIKEFOUBQY5Y/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XOKFMSNQ5D5WGMALBNBXU3GE442V74WU/
https://nvd.nist.gov/vuln/detail/CVE-2018-25032
https://security.netapp.com/advisory/ntap-20220526-0009/
https://support.apple.com/kb/HT213255
https://support.apple.com/kb/HT213256
https://support.apple.com/kb/HT213257
https://ubuntu.com/security/notices/USN-5355-1
https://ubuntu.com/security/notices/USN-5355-2
https://ubuntu.com/security/notices/USN-5359-1
https://www.debian.org/security/2022/dsa-5111
https://www.openwall.com/lists/oss-security/2022/03/24/1
https://www.openwall.com/lists/oss-security/2022/03/28/1
https://www.openwall.com/lists/oss-security/2022/03/28/3

Container: tccr.io/truecharts/overseerr:v1.29.1@sha256:8b2e31f80dcdaed42ef89be859068a741379b25cf9f02ae9ba9cc26ceea16d30 (alpine 3.15.4)

alpine

No Vulnerabilities found

node-pkg

Package Vulnerability Severity Installed Version Fixed Version Links
ansi-regex CVE-2021-3807 HIGH 3.0.0 3.0.1, 4.1.1, 5.0.1, 6.0.1
Expand...https://access.redhat.com/security/cve/CVE-2021-3807
https://app.snyk.io/vuln/SNYK-JS-ANSIREGEX-1583908
https://github.com/advisories/GHSA-93q8-gq69-wqmw
https://github.com/chalk/ansi-regex/commit/8d1d7cdb586269882c4bdc1b7325d0c58c8f76f9
https://github.com/chalk/ansi-regex/issues/38#issuecomment-924086311
https://github.com/chalk/ansi-regex/issues/38#issuecomment-925924774
https://github.com/chalk/ansi-regex/releases/tag/v6.0.1
https://huntr.dev/bounties/5b3cf33b-ede0-4398-9974-800876dfd994
https://linux.oracle.com/cve/CVE-2021-3807.html
https://linux.oracle.com/errata/ELSA-2022-0350.html
https://nvd.nist.gov/vuln/detail/CVE-2021-3807
https://www.oracle.com/security-alerts/cpuapr2022.html
ansi-regex CVE-2021-3807 HIGH 5.0.0 3.0.1, 4.1.1, 5.0.1, 6.0.1
Expand...https://access.redhat.com/security/cve/CVE-2021-3807
https://app.snyk.io/vuln/SNYK-JS-ANSIREGEX-1583908
https://github.com/advisories/GHSA-93q8-gq69-wqmw
https://github.com/chalk/ansi-regex/commit/8d1d7cdb586269882c4bdc1b7325d0c58c8f76f9
https://github.com/chalk/ansi-regex/issues/38#issuecomment-924086311
https://github.com/chalk/ansi-regex/issues/38#issuecomment-925924774
https://github.com/chalk/ansi-regex/releases/tag/v6.0.1
https://huntr.dev/bounties/5b3cf33b-ede0-4398-9974-800876dfd994
https://linux.oracle.com/cve/CVE-2021-3807.html
https://linux.oracle.com/errata/ELSA-2022-0350.html
https://nvd.nist.gov/vuln/detail/CVE-2021-3807
https://www.oracle.com/security-alerts/cpuapr2022.html
dicer CVE-2022-24434 HIGH 0.2.5
Expand...https://github.com/advisories/GHSA-wm7h-9275-46v2
https://github.com/mscdex/busboy/issues/250
https://github.com/mscdex/dicer/pull/22
https://github.com/mscdex/dicer/pull/22/commits/b7fca2e93e8e9d4439d8acc5c02f5e54a0112dac
https://nvd.nist.gov/vuln/detail/CVE-2022-24434
https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-2838865
https://snyk.io/vuln/SNYK-JS-DICER-2311764
minimist CVE-2021-44906 CRITICAL 1.2.5 1.2.6
Expand...https://access.redhat.com/security/cve/CVE-2021-44906
https://github.com/Marynk/JavaScript-vulnerability-detection/blob/main/minimist%20PoC.zip
https://github.com/advisories/GHSA-xvch-5gv4-984h
https://github.com/substack/minimist/blob/master/index.js#L69
https://github.com/substack/minimist/issues/164
https://nvd.nist.gov/vuln/detail/CVE-2021-44906
https://security.snyk.io/vuln/SNYK-JS-MINIMIST-559764
https://snyk.io/vuln/SNYK-JS-MINIMIST-559764
https://stackoverflow.com/questions/8588563/adding-custom-properties-to-a-function/20278068#20278068
moment CVE-2022-24785 HIGH 2.29.1 2.29.2
Expand...https://access.redhat.com/security/cve/CVE-2022-24785
https://github.com/advisories/GHSA-8hfj-j24r-96c4
https://github.com/moment/moment/commit/4211bfc8f15746be4019bba557e29a7ba83d54c5
https://github.com/moment/moment/security/advisories/GHSA-8hfj-j24r-96c4
https://nvd.nist.gov/vuln/detail/CVE-2022-24785
https://security.netapp.com/advisory/ntap-20220513-0006/
https://www.tenable.com/security/tns-2022-09
npm CVE-2022-29244 MEDIUM 8.5.0 8.11.0
Expand...https://github.com/advisories/GHSA-hj9c-8jmm-8c52
https://github.com/nodejs/node/releases/tag/v16.15.1
https://github.com/nodejs/node/releases/tag/v17.9.1
https://github.com/nodejs/node/releases/tag/v18.3.0
https://github.com/npm/cli/releases/tag/v8.11.0
https://github.com/npm/cli/security/advisories/GHSA-hj9c-8jmm-8c52
https://github.com/npm/cli/tree/latest/workspaces/libnpmpack
https://github.com/npm/cli/tree/latest/workspaces/libnpmpublish
https://github.com/npm/npm-packlist
sqlite3 CVE-2022-21227 HIGH 5.0.2 5.0.3
Expand...https://access.redhat.com/security/cve/CVE-2022-21227
https://github.com/TryGhost/node-sqlite3/commit/593c9d498be2510d286349134537e3bf89401c4a
https://github.com/TryGhost/node-sqlite3/issues/1440
https://github.com/TryGhost/node-sqlite3/issues/1449
https://github.com/TryGhost/node-sqlite3/security/advisories/GHSA-9qrh-qjmc-5w2p
https://github.com/advisories/GHSA-9qrh-qjmc-5w2p
https://nvd.nist.gov/vuln/detail/CVE-2022-21227
https://security.snyk.io/vuln/SNYK-JS-SQLITE3-2388645
https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-2805470
https://snyk.io/vuln/SNYK-JS-SQLITE3-2388645