AWS ECR Image Scan Findings Report - comet-ml/backend-optimizer
Report Date and Time: 2024-12-12 15:57:29
Repository Name: comet-ml/backend-optimizer
Image Tag/Version: 2.1.4
Image Digest: sha256:c842b62c95c5f6f6f1a36f84c459a2d17ca9a4a22ee20ba52c63c77240f70f19
Scan Status: ACTIVE
CVE-2024-6232 - python3-libs, python3
Severity: HIGH
Status: ACTIVE
Description: There is a MEDIUM severity vulnerability affecting CPython. Regular expressions that allowed excessive backtracking during tarfile.TarFile header parsing are vulnerable to ReDoS via specifically-crafted tar archives.
Score: 7.5
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
First Observed At: 2024-12-12T05:44:04.998000+00:00
Last Observed At: 2024-12-12T05:44:04.998000+00:00
Vulnerable Packages
- python3-libs Version: 3.9.16
- python3 Version: 3.9.16
AWS ECR Image Scan Findings Report - comet-ml/backend-react
Report Date and Time: 2024-12-12 15:57:31
Repository Name: comet-ml/backend-react
Image Tag/Version: 3.48.243
Image Digest: sha256:4c42f870589d45a2b09b928f5474e8212064001a8b813126d383c6c100aa6f1d
Scan Status: ACTIVE
CVE-2024-47535 - io.netty:netty-common
Severity: UNTRIAGED
Status: ACTIVE
Description: Netty is an asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers & clients. An unsafe reading of an environment file could potentially cause a denial of service in Netty. When loaded on a Windows application, Netty attempts to load a file that does not exist. If an attacker creates such a large file, the Netty application crashes. This vulnerability is fixed in 4.1.115.
Score: 0.0
First Observed At: 2024-12-11T19:23:04.167000+00:00
Last Observed At: 2024-12-11T19:23:04.167000+00:00
Vulnerable Packages
- io.netty:netty-common Version: 4.1.101.Final
CVE-2024-29025 - io.netty:netty-codec-http
Severity: UNTRIAGED
Status: ACTIVE
Description: Netty is an asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers & clients. The HttpPostRequestDecoder can be tricked to accumulate data. While the decoder can store items on the disk if configured so, there are no limits to the number of fields the form can have; an attacker can send a chunked post consisting of many small fields that will be accumulated in the bodyListHttpData list. The decoder accumulates bytes in the undecodedChunk buffer until it can decode a field, and this field can accumulate data without limits. This vulnerability is fixed in 4.1.108.Final.
Score: 0.0
First Observed At: 2024-12-11T19:23:04.167000+00:00
Last Observed At: 2024-12-11T19:23:04.167000+00:00
Vulnerable Packages
- io.netty:netty-codec-http Version: 4.1.100.Final
CVE-2024-9823 - org.eclipse.jetty:jetty-servlets
Severity: UNTRIAGED
Status: ACTIVE
Description: There exists a security vulnerability in Jetty's DosFilter which can be exploited by unauthorized users to cause a remote denial-of-service (DoS) attack on a server using DosFilter. By repeatedly sending crafted requests, attackers can trigger OutOfMemory errors and eventually exhaust the server's memory.
Score: 0.0
First Observed At: 2024-12-11T19:23:04.167000+00:00
Last Observed At: 2024-12-11T19:23:04.167000+00:00
Vulnerable Packages
- org.eclipse.jetty:jetty-servlets Version: 9.4.53.v20231009
AWS ECR Image Scan Findings Report - comet-ml/backend-postprocess
Report Date and Time: 2024-12-12 15:57:29
Repository Name: comet-ml/backend-postprocess
Image Tag/Version: 3.48.243
Image Digest: sha256:e87161b4b0d41f1a3b981b6333c5236d71521689abdd86ee697041af08142ee0
Scan Status: ACTIVE
CVE-2024-7254 - com.google.protobuf:protobuf-java
Severity: UNTRIAGED
Status: ACTIVE
Description: Any project that parses untrusted Protocol Buffers data containing an arbitrary number of nested groups / series of SGROUP tags can be corrupted by exceeding the stack limit, i.e., StackOverflow. Parsing nested groups as unknown fields with DiscardUnknownFieldsParser or the Java Protobuf Lite parser, or against Protobuf map fields, creates unbounded recursion that can be abused by an attacker.
Score: 0.0
First Observed At: 2024-12-11T19:22:42.830000+00:00
Last Observed At: 2024-12-11T19:22:42.830000+00:00
Vulnerable Packages
- com.google.protobuf:protobuf-java Version: 3.21.9
CVE-2024-9823 - org.eclipse.jetty:jetty-servlets
Severity: UNTRIAGED
Status: ACTIVE
Description: There exists a security vulnerability in Jetty's DosFilter which can be exploited by unauthorized users to cause a remote denial-of-service (DoS) attack on a server using DosFilter. By repeatedly sending crafted requests, attackers can trigger OutOfMemory errors and eventually exhaust the server's memory.
Score: 0.0
First Observed At: 2024-12-11T19:22:42.830000+00:00
Last Observed At: 2024-12-11T19:22:42.830000+00:00
Vulnerable Packages
- org.eclipse.jetty:jetty-servlets Version: 9.4.53.v20231009
CVE-2024-47535 - io.netty:netty-common
Severity: UNTRIAGED
Status: ACTIVE
Description: Netty is an asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers & clients. An unsafe reading of an environment file could potentially cause a denial of service in Netty. When loaded on a Windows application, Netty attempts to load a file that does not exist. If an attacker creates such a large file, the Netty application crashes. This vulnerability is fixed in 4.1.115.
Score: 0.0
First Observed At: 2024-12-11T19:22:42.830000+00:00
Last Observed At: 2024-12-11T19:22:42.830000+00:00
Vulnerable Packages
- io.netty:netty-common Version: 4.1.111.Final
AWS ECR Image Scan Findings Report - comet-ml/frontend-nginx
Report Date and Time: 2024-12-12 15:57:30
Repository Name: comet-ml/frontend-nginx
Image Tag/Version: 5.90.12
Image Digest: sha256:0ac2ddc54fdce8257bf119dc73e48cf0de5754864dfa8075a77bd24e53567983
Scan Status: ACTIVE
No findings.
AWS ECR Image Scan Findings Report - comet-ml/backend-python
Report Date and Time: 2024-12-12 15:57:29
Repository Name: comet-ml/backend-python
Image Tag/Version: 3.48.243
Image Digest: sha256:10ef9d7409ded5956453db8080f88acb3c8dce603b46a993aa2aa624762b515f
Scan Status: ACTIVE
CVE-2024-7254 - com.google.protobuf:protobuf-java
Severity: UNTRIAGED
Status: ACTIVE
Description: Any project that parses untrusted Protocol Buffers data containing an arbitrary number of nested groups / series of SGROUP tags can be corrupted by exceeding the stack limit, i.e., StackOverflow. Parsing nested groups as unknown fields with DiscardUnknownFieldsParser or the Java Protobuf Lite parser, or against Protobuf map fields, creates unbounded recursion that can be abused by an attacker.
Score: 0.0
First Observed At: 2024-12-11T19:22:51.185000+00:00
Last Observed At: 2024-12-11T19:22:51.185000+00:00
Vulnerable Packages
- com.google.protobuf:protobuf-java Version: 3.21.9
CVE-2024-47535 - io.netty:netty-common
Severity: UNTRIAGED
Status: ACTIVE
Description: Netty is an asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers & clients. An unsafe reading of an environment file could potentially cause a denial of service in Netty. When loaded on a Windows application, Netty attempts to load a file that does not exist. If an attacker creates such a large file, the Netty application crashes. This vulnerability is fixed in 4.1.115.
Score: 0.0
First Observed At: 2024-12-11T19:22:51.185000+00:00
Last Observed At: 2024-12-11T19:22:51.185000+00:00
Vulnerable Packages
- io.netty:netty-common Version: 4.1.101.Final
CVE-2024-9823 - org.eclipse.jetty:jetty-servlets
Severity: UNTRIAGED
Status: ACTIVE
Description: There exists a security vulnerability in Jetty's DosFilter which can be exploited by unauthorized users to cause a remote denial-of-service (DoS) attack on a server using DosFilter. By repeatedly sending crafted requests, attackers can trigger OutOfMemory errors and eventually exhaust the server's memory.
Score: 0.0
First Observed At: 2024-12-11T19:22:51.185000+00:00
Last Observed At: 2024-12-11T19:22:51.185000+00:00
Vulnerable Packages
- org.eclipse.jetty:jetty-servlets Version: 9.4.53.v20231009