Skip to main content
New to Testkube? Unleash the power of cloud native testing in Kubernetes with Testkube. Get Started >

minio-2025.2.7-debian-12-r1_linux_arm64

digestsha256:0c9e9db583f3e966f98962a2a9df0afe2790d969c7bff6c79e252dc5de8f4564
vulnerabilitiescritical: 0 high: 5 medium: 5 low: 21
platformlinux/arm64
size97 MB
packages475
critical: 0 high: 1 medium: 0 low: 0 github.com/golang-jwt/jwt/v5 5.2.1 (golang)

pkg:golang/github.com/golang-jwt/jwt@5.2.1#v5
high 8.7: CVE--2025--30204 Asymmetric Resource Consumption (Amplification)

Affected range
>=5.0.0-rc.1
<5.2.2
Fixed version5.2.2
CVSS Score8.7
CVSS VectorCVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
EPSS Score0.055%
EPSS Percentile14th percentile
Description

Summary

Function parse.ParseUnverified currently splits (via a call to strings.Split) its argument (which is untrusted data) on periods.

As a result, in the face of a malicious request whose Authorization header consists of Bearer followed by many period characters, a call to that function incurs allocations to the tune of O(n) bytes (where n stands for the length of the function's argument), with a constant factor of about 16. Relevant weakness: CWE-405: Asymmetric Resource Consumption (Amplification)

Details

See parse.ParseUnverified

Impact

Excessive memory allocation

critical: 0 high: 1 medium: 0 low: 0 golang.org/x/crypto 0.32.0 (golang)

pkg:golang/golang.org/x/crypto@0.32.0
high : CVE--2025--22869

Affected range<0.35.0
Fixed version0.35.0
EPSS Score0.090%
EPSS Percentile23rd percentile
Description

SSH servers which implement file transfer protocols are vulnerable to a denial of service attack from clients which complete the key exchange slowly, or not at all, causing pending content to be read into memory, but never transmitted.

critical: 0 high: 1 medium: 0 low: 0 glibc 2.36-9+deb12u9 (deb)

pkg:deb/debian/glibc@2.36-9%2Bdeb12u9?os_distro=bookworm&os_name=debian&os_version=12
high : CVE--2025--0395

Affected range<2.36-9+deb12u10
Fixed version2.36-9+deb12u10
EPSS Score0.211%
EPSS Percentile41st percentile
Description

When the assert() function in the GNU C Library versions 2.13 to 2.40 fails, it does not allocate enough space for the assertion failure message string and size information, which may lead to a buffer overflow if the message string size aligns to page size.


critical: 0 high: 1 medium: 0 low: 0 golang.org/x/oauth2 0.24.0 (golang)

pkg:golang/golang.org/x/oauth2@0.24.0
high : CVE--2025--22868

Affected range<0.27.0
Fixed version0.27.0
EPSS Score0.121%
EPSS Percentile28th percentile
Description

An attacker can pass a malicious malformed token which causes unexpected memory to be consumed during parsing.

critical: 0 high: 1 medium: 0 low: 0 github.com/golang-jwt/jwt/v4 4.5.1 (golang)

pkg:golang/github.com/golang-jwt/jwt@4.5.1#v4
high 8.7: CVE--2025--30204 Asymmetric Resource Consumption (Amplification)

Affected range<4.5.2
Fixed version4.5.2
CVSS Score8.7
CVSS VectorCVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
EPSS Score0.055%
EPSS Percentile14th percentile
Description

Summary

Function parse.ParseUnverified currently splits (via a call to strings.Split) its argument (which is untrusted data) on periods.

As a result, in the face of a malicious request whose Authorization header consists of Bearer followed by many period characters, a call to that function incurs allocations to the tune of O(n) bytes (where n stands for the length of the function's argument), with a constant factor of about 16. Relevant weakness: CWE-405: Asymmetric Resource Consumption (Amplification)

Details

See parse.ParseUnverified

Impact

Excessive memory allocation

critical: 0 high: 0 medium: 1 low: 2 curl 7.88.1-10+deb12u8 (deb)

pkg:deb/debian/curl@7.88.1-10%2Bdeb12u8?os_distro=bookworm&os_name=debian&os_version=12
medium : CVE--2024--9681

Affected range<7.88.1-10+deb12u9
Fixed version7.88.1-10+deb12u9
EPSS Score0.441%
EPSS Percentile60th percentile
Description

When curl is asked to use HSTS, the expiry time for a subdomain might overwrite a parent domain's cache entry, making it end sooner or later than otherwise intended. This affects curl using applications that enable HSTS and use URLs with the insecure HTTP:// scheme and perform transfers with hosts like x.example.com as well as example.com where the first host is a subdomain of the second host. (The HSTS cache either needs to have been populated manually or there needs to have been previous HTTPS accesses done as the cache needs to have entries for the domains involved to trigger this problem.) When x.example.com responds with Strict-Transport-Security: headers, this bug can make the subdomain's expiry timeout bleed over and get set for the parent domain example.com in curl's HSTS cache. The result of a triggered bug is that HTTP accesses to example.com get converted to HTTPS for a different period of time than what was asked for by the origin server. If example.com for example stops supporting HTTPS at its expiry time, curl might then fail to access http://example.com until the (wrongly set) timeout expires. This bug can also expire the parent's entry earlier, thus making curl inadvertently switch back to insecure HTTP earlier than otherwise intended.


low : CVE--2024--11053

Affected range<7.88.1-10+deb12u10
Fixed version7.88.1-10+deb12u10
EPSS Score0.089%
EPSS Percentile23rd percentile
Description

When asked to both use a .netrc file for credentials and to follow HTTP redirects, curl could leak the password used for the first host to the followed-to host under certain circumstances. This flaw only manifests itself if the netrc file has an entry that matches the redirect target hostname but the entry either omits just the password or omits both login and password.


low : CVE--2025--0167

Affected range<7.88.1-10+deb12u11
Fixed version7.88.1-10+deb12u11
EPSS Score0.046%
EPSS Percentile11th percentile
Description

When asked to use a .netrc file for credentials and to follow HTTP redirects, curl could leak the password used for the first host to the followed-to host under certain circumstances. This flaw only manifests itself if the netrc file has a default entry that omits both login and password. A rare circumstance.


critical: 0 high: 0 medium: 1 low: 0 minio 2025.2.7-0 (bitnami)

pkg:bitnami/minio@2025.2.7-0
medium : CVE--2025--27414

Affected range
>=2024.6.6
<2025.2.28
Fixed version2025.2.28
EPSS Score0.203%
EPSS Percentile40th percentile
Description

MinIO is a high performance object storage. Starting in version 2024.6.6 and prior to 2025.2.28, a bug in evaluating the trust of the SSH key used in an SFTP connection to MinIO allows authentication bypass and unauthorized data access. On a MinIO server with SFTP access configured and using LDAP as an external identity provider, MinIO supports SSH key based authentication for SFTP connections when the user has the sshPublicKey attribute set in their LDAP server. The server trusts the client's key only when the public key is the same as the sshPublicKey attribute. Due to the bug, when the user has no sshPublicKey property in LDAP, the server ends up trusting the key allowing the client to perform any FTP operations allowed by the MinIO access policies associated with the LDAP user (or any of their groups). Three requirements must be met in order to exploit the vulnerability. First, the MinIO server must be configured to allow SFTP access and use LDAP as an external identity provider. Second, the attacker must have knowledge of an LDAP username that does not have the sshPublicKey property set. Third, such an LDAP username or one of their groups must also have some MinIO access policy configured. When this bug is successfully exploited, the attacker can perform any FTP operations (i.e. reading, writing, deleting and listing objects) allowed by the access policy associated with the LDAP user account (and their groups).

critical: 0 high: 0 medium: 1 low: 0 github.com/go-jose/go-jose/v4 4.0.4 (golang)

pkg:golang/github.com/go-jose/go-jose@4.0.4#v4
medium 6.9: CVE--2025--27144 Uncontrolled Resource Consumption

Affected range<4.0.5
Fixed version4.0.5
CVSS Score6.9
CVSS VectorCVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N
EPSS Score0.026%
EPSS Percentile4th percentile
Description

Impact

When parsing compact JWS or JWE input, go-jose could use excessive memory. The code used strings.Split(token, ".") to split JWT tokens, which is vulnerable to excessive memory consumption when processing maliciously crafted tokens with a large number of '.' characters. An attacker could exploit this by sending numerous malformed tokens, leading to memory exhaustion and a Denial of Service.

Patches

Version 4.0.5 fixes this issue

Workarounds

Applications could pre-validate payloads passed to go-jose do not contain an excessive number of '.' characters.

References

This is the same sort of issue as in the golang.org/x/oauth2/jws package as CVE-2025-22868 and Go issue https://go.dev/issue/71490.

critical: 0 high: 0 medium: 1 low: 0 gnutls28 3.7.9-2+deb12u3 (deb)

pkg:deb/debian/gnutls28@3.7.9-2%2Bdeb12u3?os_distro=bookworm&os_name=debian&os_version=12
medium : CVE--2024--12243

Affected range<3.7.9-2+deb12u4
Fixed version3.7.9-2+deb12u4
EPSS Score0.158%
EPSS Percentile33rd percentile
Description

A flaw was found in GnuTLS, which relies on libtasn1 for ASN.1 data processing. Due to an inefficient algorithm in libtasn1, decoding certain DER-encoded certificate data can take excessive time, leading to increased resource consumption. This flaw allows a remote attacker to send a specially crafted certificate, causing GnuTLS to become unresponsive or slow, resulting in a denial-of-service condition.


[experimental] - gnutls28 3.8.9-1

critical: 0 high: 0 medium: 1 low: 0 golang.org/x/net 0.34.0 (golang)

pkg:golang/golang.org/x/net@0.34.0
medium 4.4: CVE--2025--22870 Misinterpretation of Input

Affected range<0.36.0
Fixed version0.36.0
CVSS Score4.4
CVSS VectorCVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:L
EPSS Score0.018%
EPSS Percentile3rd percentile
Description

Matching of hosts against proxy patterns can improperly treat an IPv6 zone ID as a hostname component. For example, when the NO_PROXY environment variable is set to "*.example.com", a request to "[::1%25.example.com]:80` will incorrectly match and not be proxied.

critical: 0 high: 0 medium: 0 low: 4 openldap 2.5.13+dfsg-5 (deb)

pkg:deb/debian/openldap@2.5.13%2Bdfsg-5?os_distro=bookworm&os_name=debian&os_version=12
low : CVE--2020--15719

Affected range>=2.5.13+dfsg-5
Fixed versionNot Fixed
EPSS Score0.414%
EPSS Percentile59th percentile
Description

libldap in certain third-party OpenLDAP packages has a certificate-validation flaw when the third-party package is asserting RFC6125 support. It considers CN even when there is a non-matching subjectAltName (SAN). This is fixed in, for example, openldap-2.4.46-10.el8 in Red Hat Enterprise Linux.


low : CVE--2017--17740

Affected range>=2.5.13+dfsg-5
Fixed versionNot Fixed
EPSS Score5.765%
EPSS Percentile90th percentile
Description

contrib/slapd-modules/nops/nops.c in OpenLDAP through 2.4.45, when both the nops module and the memberof overlay are enabled, attempts to free a buffer that was allocated on the stack, which allows remote attackers to cause a denial of service (slapd crash) via a member MODDN operation.


low : CVE--2017--14159

Affected range>=2.5.13+dfsg-5
Fixed versionNot Fixed
EPSS Score0.084%
EPSS Percentile22nd percentile
Description

slapd in OpenLDAP 2.4.45 and earlier creates a PID file after dropping privileges to a non-root account, which might allow local users to kill arbitrary processes by leveraging access to this non-root account for PID file modification before a root script executes a "kill cat /pathname" command, as demonstrated by openldap-initscript.


low : CVE--2015--3276

Affected range>=2.5.13+dfsg-5
Fixed versionNot Fixed
EPSS Score1.592%
EPSS Percentile80th percentile
Description

The nss_parse_ciphers function in libraries/libldap/tls_m.c in OpenLDAP does not properly parse OpenSSL-style multi-keyword mode cipher strings, which might cause a weaker than intended cipher to be used and allow remote attackers to have unspecified impact via unknown vectors.


  • openldap (unimportant) Debian builds with GNUTLS, not NSS
critical: 0 high: 0 medium: 0 low: 3 krb5 1.20.1-2+deb12u2 (deb)

pkg:deb/debian/krb5@1.20.1-2%2Bdeb12u2?os_distro=bookworm&os_name=debian&os_version=12
low : CVE--2024--26461

Affected range>=1.20.1-2+deb12u2
Fixed versionNot Fixed
EPSS Score0.182%
EPSS Percentile37th percentile
Description

Kerberos 5 (aka krb5) 1.21.2 contains a memory leak vulnerability in /krb5/src/lib/gssapi/krb5/k5sealv3.c.


low : CVE--2024--26458

Affected range>=1.20.1-2+deb12u2
Fixed versionNot Fixed
EPSS Score0.060%
EPSS Percentile16th percentile
Description

low : CVE--2018--5709

Affected range>=1.20.1-2+deb12u2
Fixed versionNot Fixed
EPSS Score0.865%
EPSS Percentile73rd percentile
Description

An issue was discovered in MIT Kerberos 5 (aka krb5) through 1.16. There is a variable "dbentry->n_key_data" in kadmin/dbutil/dump.c that can store 16-bit data but unknowingly the developer has assigned a "u4" variable to it, which is for 32-bit data. An attacker can use this vulnerability to affect other artifacts of the database as we know that a Kerberos database dump file contains trusted data.


critical: 0 high: 0 medium: 0 low: 2 perl 5.36.0-7+deb12u1 (deb)

pkg:deb/debian/perl@5.36.0-7%2Bdeb12u1?os_distro=bookworm&os_name=debian&os_version=12
low : CVE--2023--31486

Affected range>=5.36.0-7+deb12u1
Fixed versionNot Fixed
EPSS Score3.866%
EPSS Percentile87th percentile
Description

HTTP::Tiny before 0.083, a Perl core module since 5.13.9 and available standalone on CPAN, has an insecure default TLS configuration where users must opt in to verify certificates.


low : CVE--2011--4116

Affected range>=5.36.0-7+deb12u1
Fixed versionNot Fixed
EPSS Score0.815%
EPSS Percentile72nd percentile
Description
critical: 0 high: 0 medium: 0 low: 2 gcc-12 12.2.0-14 (deb)

pkg:deb/debian/gcc-12@12.2.0-14?os_distro=bookworm&os_name=debian&os_version=12
low : CVE--2023--4039

Affected range>=12.2.0-14
Fixed versionNot Fixed
EPSS Score0.206%
EPSS Percentile40th percentile
Description

DISPUTEDA failure in the -fstack-protector feature in GCC-based toolchains that target AArch64 allows an attacker to exploit an existing buffer overflow in dynamically-sized local variables in your application without this being detected. This stack-protector failure only applies to C99-style dynamically-sized local variables or those created using alloca(). The stack-protector operates as intended for statically-sized local variables. The default behavior when the stack-protector detects an overflow is to terminate your application, resulting in controlled loss of availability. An attacker who can exploit a buffer overflow without triggering the stack-protector might be able to change program flow control to cause an uncontrolled loss of availability or to go further and affect confidentiality or integrity. NOTE: The GCC project argues that this is a missed hardening bug and not a vulnerability by itself.


low : CVE--2022--27943

Affected range>=12.2.0-14
Fixed versionNot Fixed
EPSS Score0.038%
EPSS Percentile8th percentile
Description

libiberty/rust-demangle.c in GNU GCC 11.2 allows stack consumption in demangle_const, as demonstrated by nm-new.


critical: 0 high: 0 medium: 0 low: 1 apt 2.6.1 (deb)

pkg:deb/debian/apt@2.6.1?os_distro=bookworm&os_name=debian&os_version=12
low : CVE--2011--3374

Affected range>=2.6.1
Fixed versionNot Fixed
EPSS Score1.082%
EPSS Percentile76th percentile
Description

It was found that apt-key in apt, all versions, do not correctly validate gpg keys with the master keyring, leading to a potential man-in-the-middle attack.


critical: 0 high: 0 medium: 0 low: 1 gnupg2 2.2.40-1.1 (deb)

pkg:deb/debian/gnupg2@2.2.40-1.1?os_distro=bookworm&os_name=debian&os_version=12
low : CVE--2022--3219

Affected range>=2.2.40-1.1
Fixed versionNot Fixed
EPSS Score0.012%
EPSS Percentile1st percentile
Description

GnuPG can be made to spin on a relatively small input by (for example) crafting a public key with thousands of signatures attached, compressed down to just a few KB.


critical: 0 high: 0 medium: 0 low: 1 openssl 3.0.15-1~deb12u1 (deb)

pkg:deb/debian/openssl@3.0.15-1~deb12u1?os_distro=bookworm&os_name=debian&os_version=12
low : CVE--2010--0928

Affected range>=3.0.11-1~deb12u2
Fixed versionNot Fixed
EPSS Score0.094%
EPSS Percentile24th percentile
Description

OpenSSL 0.9.8i on the Gaisler Research LEON3 SoC on the Xilinx Virtex-II Pro FPGA uses a Fixed Width Exponentiation (FWE) algorithm for certain signature calculations, and does not verify the signature before providing it to a caller, which makes it easier for physically proximate attackers to determine the private key via a modified supply voltage for the microprocessor, related to a "fault-based attack."


http://www.eecs.umich.edu/~valeria/research/publications/DATE10RSA.pdf https://github.com/openssl/openssl/discussions/24540 Fault injection based attacks are not within OpenSSLs threat model according to the security policy: https://www.openssl.org/policies/general/security-policy.html

critical: 0 high: 0 medium: 0 low: 1 libgcrypt20 1.10.1-3 (deb)

pkg:deb/debian/libgcrypt20@1.10.1-3?os_distro=bookworm&os_name=debian&os_version=12
low : CVE--2018--6829

Affected range>=1.10.1-3
Fixed versionNot Fixed
EPSS Score0.841%
EPSS Percentile73rd percentile
Description

cipher/elgamal.c in Libgcrypt through 1.8.2, when used to encrypt messages directly, improperly encodes plaintexts, which allows attackers to obtain sensitive information by reading ciphertext data (i.e., it does not have semantic security in face of a ciphertext-only attack). The Decisional Diffie-Hellman (DDH) assumption does not hold for Libgcrypt's ElGamal implementation.


critical: 0 high: 0 medium: 0 low: 1 tar 1.34+dfsg-1.2+deb12u1 (deb)

pkg:deb/debian/tar@1.34%2Bdfsg-1.2%2Bdeb12u1?os_distro=bookworm&os_name=debian&os_version=12
low : CVE--2005--2541

Affected range>=1.34+dfsg-1.2+deb12u1
Fixed versionNot Fixed
EPSS Score2.537%
EPSS Percentile84th percentile
Description

Tar 1.15.1 does not properly warn the user when extracting setuid or setgid files, which may allow local users or remote attackers to gain privileges.


This is intended behaviour, after all tar is an archiving tool and you need to give -p as a command line flag

critical: 0 high: 0 medium: 0 low: 1 shadow 1:4.13+dfsg1-1 (deb)

pkg:deb/debian/shadow@1%3A4.13%2Bdfsg1-1?os_distro=bookworm&os_name=debian&os_version=12
low : CVE--2007--5686

Affected range>=1:4.13+dfsg1-1
Fixed versionNot Fixed
EPSS Score0.241%
EPSS Percentile44th percentile
Description

initscripts in rPath Linux 1 sets insecure permissions for the /var/log/btmp file, which allows local users to obtain sensitive information regarding authentication attempts. NOTE: because sshd detects the insecure permissions and does not log certain events, this also prevents sshd from logging failed authentication attempts by remote attackers.


  • shadow (unimportant) See #290803, on Debian LOG_UNKFAIL_ENAB in login.defs is set to no so unknown usernames are not recorded on login failures
critical: 0 high: 0 medium: 0 low: 1 util-linux 2.38.1-5+deb12u3 (deb)

pkg:deb/debian/util-linux@2.38.1-5%2Bdeb12u3?os_distro=bookworm&os_name=debian&os_version=12
low : CVE--2022--0563

Affected range>=2.38.1-5+deb12u3
Fixed versionNot Fixed
EPSS Score0.022%
EPSS Percentile3rd percentile
Description

A flaw was found in the util-linux chfn and chsh utilities when compiled with Readline support. The Readline library uses an "INPUTRC" environment variable to get a path to the library config file. When the library cannot parse the specified file, it prints an error message containing data from the file. This flaw allows an unprivileged user to read root-owned files, potentially leading to privilege escalation. This flaw affects util-linux versions prior to 2.37.4.


critical: 0 high: 0 medium: 0 low: 1 coreutils 9.1-1 (deb)

pkg:deb/debian/coreutils@9.1-1?os_distro=bookworm&os_name=debian&os_version=12
low : CVE--2017--18018

Affected range>=9.1-1
Fixed versionNot Fixed
EPSS Score0.045%
EPSS Percentile11th percentile
Description

In GNU Coreutils through 8.29, chown-core.c in chown and chgrp does not prevent replacement of a plain file with a symlink during use of the POSIX "-R -L" options, which allows local users to modify the ownership of arbitrary files by leveraging a race condition.