GHSA-qf87-q4gg-cg43 bottlerocket/update-operator

Package

Manager: cargo
Name: bottlerocket/update-operator
Vulnerable Version: >=0 <1.1.0

Severity

Level: High

CVSS v3.1: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N/E:P/RL:O/RC:C

CVSS v4.0: CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N

EPSS: N/A (percentile: N/A)

Details

The bottlerocket dependency openssl is vulnerable to a null pointer dereference. A null pointer in OpenSSL can be dereferenced when signatures are being verified in malformed PKCS7 data, so agents or clients compiled with OpenSSL may experience unexpected crashes. OpenSSL has been removed in bottlerocket/update-operator version 1.1.0 in favor of Rust-based TLS using rustls.

Metadata

Created: 2023-02-09T19:33:13Z
Modified: 2023-02-09T19:33:13Z
Source: https://osv-vulnerabilities
CWE IDs: N/A
Alternative ID: N/A
Finding: F163
Auto approve: 1