Created
January 30, 2026 09:53
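VEX document for dhi.io/golang:1.23. Retrieved with `docker scout vex get registry://dhi.io/golang:1.23@sha256:31398e476325627a94bf3c45dd5134f2d891b1456b36bf77b69179a0a0c7c04c --output golang-vex.json`. Some CVEs appear in more than one statement (for example CVE-2025-6141 is `under_investigation` at 2025-08-05T20:36:14Z and `not_affected` at 2026-01-21T21:50:12Z); OpenVEX consumers treat the statement with the latest timestamp as the current one.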
| { | |
| "@context": "https://openvex.dev/ns/v0.2.0", | |
| "@id": "https://scout.docker.com/public/vex-2dbb10b9033b03376bf51603d76371006be87fbbaf30c8be721aa2c778e36dff", | |
| "author": "Docker Hardened Images \u003cdhi@docker.com\u003e", | |
| "role": "Document Creator", | |
| "version": 1, | |
| "tooling": "Docker Scout", | |
| "statements": [ | |
| { | |
| "@id": "88bffcd1-7214-4ab5-829b-79e5fd46b1d1", | |
| "vulnerability": { | |
| "name": "CVE-2005-2541" | |
| }, | |
| "products": [ | |
| { | |
| "@id": "pkg:deb/debian/tar@1.34%2Bdfsg-1.2%2Bdeb12u1?os_name=debian\u0026os_version=12" | |
| }, | |
| { | |
| "@id": "pkg:deb/debian/tar@1.34%2Bdfsg-1.2%2Bdeb12u1?os_name=debian\u0026os_version=12" | |
| }, | |
| { | |
| "@id": "pkg:deb/debian/tar" | |
| }, | |
| { | |
| "@id": "dhi.io/golang:1.23", | |
| "subcomponents": [ | |
| { | |
| "@id": "pkg:deb/debian/tar" | |
| } | |
| ] | |
| } | |
| ], | |
| "status": "not_affected", | |
| "status_notes": "This is intended behaviour, after all tar is an archiving tool and you need to give -p as a command line flag", | |
| "justification": "vulnerable_code_cannot_be_controlled_by_adversary", | |
| "timestamp": "2025-08-05T20:37:02Z" | |
| }, | |
| { | |
| "@id": "fce22c3d-a935-45bb-8bda-04bdaa5fa0f7", | |
| "vulnerability": { | |
| "name": "CVE-2010-0928" | |
| }, | |
| "products": [ | |
| { | |
| "@id": "pkg:deb/debian/openssl@3.0.17-1~deb12u2?os_name=debian\u0026os_version=12" | |
| }, | |
| { | |
| "@id": "pkg:deb/debian/openssl@3.0.17-1~deb12u2?os_name=debian\u0026os_version=12" | |
| }, | |
| { | |
| "@id": "pkg:deb/debian/libssl3" | |
| }, | |
| { | |
| "@id": "pkg:deb/debian/openssl" | |
| }, | |
| { | |
| "@id": "dhi.io/golang:1.23", | |
| "subcomponents": [ | |
| { | |
| "@id": "pkg:deb/debian/libssl3" | |
| }, | |
| { | |
| "@id": "pkg:deb/debian/openssl" | |
| } | |
| ] | |
| } | |
| ], | |
| "status": "not_affected", | |
| "status_notes": "Fault injection based attacks are not within OpenSSL's threat model according to the security policy and this CVE is not treated as a security bug by upstream: https://www.openssl.org/policies/general/security-policy.html", | |
| "justification": "vulnerable_code_cannot_be_controlled_by_adversary", | |
| "timestamp": "2025-08-05T20:36:25Z" | |
| }, | |
| { | |
| "@id": "bcfc62d9-f5ea-416e-bf1b-54b9f34c3aad", | |
| "vulnerability": { | |
| "name": "CVE-2010-4756" | |
| }, | |
| "products": [ | |
| { | |
| "@id": "pkg:deb/debian/glibc@2.36-9%2Bdeb12u10?os_name=debian\u0026os_version=12" | |
| }, | |
| { | |
| "@id": "pkg:deb/debian/glibc@2.36-9%2Bdeb12u10?os_name=debian\u0026os_version=12" | |
| }, | |
| { | |
| "@id": "pkg:deb/debian/libc6" | |
| }, | |
| { | |
| "@id": "pkg:deb/debian/glibc" | |
| }, | |
| { | |
| "@id": "dhi.io/golang:1.23", | |
| "subcomponents": [ | |
| { | |
| "@id": "pkg:deb/debian/libc6" | |
| }, | |
| { | |
| "@id": "pkg:deb/debian/glibc" | |
| } | |
| ] | |
| } | |
| ], | |
| "status": "not_affected", | |
| "status_notes": "Standard POSIX behavior in glibc. Applications using glob need to impose limits themselves. Requires authenticated access and is considered unimportant by Debian.", | |
| "justification": "vulnerable_code_cannot_be_controlled_by_adversary", | |
| "timestamp": "2025-08-05T20:35:15Z" | |
| }, | |
| { | |
| "@id": "debian-nodsa-CVE-2016-2781", | |
| "vulnerability": { | |
| "name": "CVE-2016-2781" | |
| }, | |
| "products": [ | |
| { | |
| "@id": "pkg:deb/debian/coreutils@9.1-1?os_name=debian\u0026os_version=12" | |
| }, | |
| { | |
| "@id": "pkg:deb/debian/coreutils@9.1-1?os_name=debian\u0026os_version=12" | |
| }, | |
| { | |
| "@id": "pkg:deb/debian/coreutils" | |
| }, | |
| { | |
| "@id": "dhi.io/golang:1.23", | |
| "subcomponents": [ | |
| { | |
| "@id": "pkg:deb/debian/coreutils" | |
| } | |
| ] | |
| } | |
| ], | |
| "status": "not_affected", | |
| "status_notes": "Marked no-dsa by Debian Security Team; see https://security-tracker.debian.org/tracker/CVE-2016-2781", | |
| "justification": "vulnerable_code_cannot_be_controlled_by_adversary", | |
| "timestamp": "2026-01-21T21:46:31Z" | |
| }, | |
| { | |
| "@id": "36146254-dfa4-43cc-8024-b27bd7646b8b", | |
| "vulnerability": { | |
| "name": "CVE-2016-2781" | |
| }, | |
| "products": [ | |
| { | |
| "@id": "pkg:deb/debian/coreutils@9.1-1?os_name=debian\u0026os_version=12" | |
| }, | |
| { | |
| "@id": "pkg:deb/debian/coreutils@9.1-1?os_name=debian\u0026os_version=12" | |
| }, | |
| { | |
| "@id": "pkg:deb/debian/coreutils" | |
| }, | |
| { | |
| "@id": "dhi.io/golang:1.23", | |
| "subcomponents": [ | |
| { | |
| "@id": "pkg:deb/debian/coreutils" | |
| } | |
| ] | |
| } | |
| ], | |
| "status": "not_affected", | |
| "status_notes": "This CVE requires chroot with --userspec option, which is rarely used in container environments. The vulnerable code path cannot be reached in typical container usage patterns.", | |
| "justification": "vulnerable_code_cannot_be_controlled_by_adversary", | |
| "timestamp": "2026-01-27T16:09:50Z" | |
| }, | |
| { | |
| "@id": "01d51ca9-3558-492b-9738-38987e7941f6", | |
| "vulnerability": { | |
| "name": "CVE-2016-2781" | |
| }, | |
| "products": [ | |
| { | |
| "@id": "pkg:deb/debian/coreutils@9.1-1?os_name=debian\u0026os_version=12" | |
| }, | |
| { | |
| "@id": "pkg:deb/debian/coreutils@9.1-1?os_name=debian\u0026os_version=12" | |
| }, | |
| { | |
| "@id": "pkg:deb/debian/coreutils" | |
| }, | |
| { | |
| "@id": "dhi.io/golang:1.23", | |
| "subcomponents": [ | |
| { | |
| "@id": "pkg:deb/debian/coreutils" | |
| } | |
| ] | |
| } | |
| ], | |
| "status": "not_affected", | |
| "status_notes": "This CVE requires chroot with --userspec option, which is rarely used in container environments. The vulnerable code path cannot be reached in typical container usage patterns.", | |
| "justification": "vulnerable_code_cannot_be_controlled_by_adversary", | |
| "timestamp": "2026-01-27T16:10:16Z" | |
| }, | |
| { | |
| "@id": "6f1bfb73-2c41-423a-81d6-67c401b7a1fb", | |
| "vulnerability": { | |
| "name": "CVE-2017-18018" | |
| }, | |
| "products": [ | |
| { | |
| "@id": "pkg:deb/debian/coreutils@9.1-1?os_name=debian\u0026os_version=12" | |
| }, | |
| { | |
| "@id": "pkg:deb/debian/coreutils@9.1-1?os_name=debian\u0026os_version=12" | |
| }, | |
| { | |
| "@id": "pkg:deb/debian/coreutils" | |
| }, | |
| { | |
| "@id": "dhi.io/golang:1.23", | |
| "subcomponents": [ | |
| { | |
| "@id": "pkg:deb/debian/coreutils" | |
| } | |
| ] | |
| } | |
| ], | |
| "status": "not_affected", | |
| "status_notes": "This CVE is not treated as security issue by upstream and reflects intended behavior of the chown program.", | |
| "justification": "vulnerable_code_cannot_be_controlled_by_adversary", | |
| "timestamp": "2025-08-05T20:27:44Z" | |
| }, | |
| { | |
| "@id": "84055870-5e7f-49e1-9c4e-7ee89500a35c", | |
| "vulnerability": { | |
| "name": "CVE-2018-20796" | |
| }, | |
| "products": [ | |
| { | |
| "@id": "pkg:deb/debian/glibc@2.36-9%2Bdeb12u10?os_name=debian\u0026os_version=12" | |
| }, | |
| { | |
| "@id": "pkg:deb/debian/glibc@2.36-9%2Bdeb12u10?os_name=debian\u0026os_version=12" | |
| }, | |
| { | |
| "@id": "pkg:deb/debian/libc6" | |
| }, | |
| { | |
| "@id": "pkg:deb/debian/glibc" | |
| }, | |
| { | |
| "@id": "dhi.io/golang:1.23", | |
| "subcomponents": [ | |
| { | |
| "@id": "pkg:deb/debian/libc6" | |
| }, | |
| { | |
| "@id": "pkg:deb/debian/glibc" | |
| } | |
| ] | |
| } | |
| ], | |
| "status": "not_affected", | |
| "status_notes": "Not treated as vulnerability by upstream glibc. Listed under glibc Security Exceptions.", | |
| "justification": "vulnerable_code_cannot_be_controlled_by_adversary", | |
| "timestamp": "2025-08-05T20:35:16Z" | |
| }, | |
| { | |
| "@id": "6e4c9d0e-07a7-4977-a116-f931a1127c04", | |
| "vulnerability": { | |
| "name": "CVE-2019-1010022" | |
| }, | |
| "products": [ | |
| { | |
| "@id": "pkg:deb/debian/glibc@2.36-9%2Bdeb12u10?os_name=debian\u0026os_version=12" | |
| }, | |
| { | |
| "@id": "pkg:deb/debian/glibc@2.36-9%2Bdeb12u10?os_name=debian\u0026os_version=12" | |
| }, | |
| { | |
| "@id": "pkg:deb/debian/libc6" | |
| }, | |
| { | |
| "@id": "pkg:deb/debian/glibc" | |
| }, | |
| { | |
| "@id": "dhi.io/golang:1.23", | |
| "subcomponents": [ | |
| { | |
| "@id": "pkg:deb/debian/libc6" | |
| }, | |
| { | |
| "@id": "pkg:deb/debian/glibc" | |
| } | |
| ] | |
| } | |
| ], | |
| "status": "not_affected", | |
| "status_notes": "Classified as non-security bug by upstream. Stack guard protection bypass is considered unimportant.", | |
| "justification": "vulnerable_code_cannot_be_controlled_by_adversary", | |
| "timestamp": "2025-08-05T20:35:18Z" | |
| }, | |
| { | |
| "@id": "e10e6784-64a0-4203-ba88-3db6603873f9", | |
| "vulnerability": { | |
| "name": "CVE-2019-1010023" | |
| }, | |
| "products": [ | |
| { | |
| "@id": "pkg:deb/debian/glibc@2.36-9%2Bdeb12u10?os_name=debian\u0026os_version=12" | |
| }, | |
| { | |
| "@id": "pkg:deb/debian/glibc@2.36-9%2Bdeb12u10?os_name=debian\u0026os_version=12" | |
| }, | |
| { | |
| "@id": "pkg:deb/debian/libc6" | |
| }, | |
| { | |
| "@id": "pkg:deb/debian/glibc" | |
| }, | |
| { | |
| "@id": "dhi.io/golang:1.23", | |
| "subcomponents": [ | |
| { | |
| "@id": "pkg:deb/debian/libc6" | |
| }, | |
| { | |
| "@id": "pkg:deb/debian/glibc" | |
| } | |
| ] | |
| } | |
| ], | |
| "status": "not_affected", | |
| "status_notes": "Requires user to explicitly run ldd on malicious ELF files. Classified as non-security bug by upstream.", | |
| "justification": "vulnerable_code_cannot_be_controlled_by_adversary", | |
| "timestamp": "2025-08-05T20:35:19Z" | |
| }, | |
| { | |
| "@id": "8f76fd2d-7c0b-47e9-b59b-a6b9b0b1b184", | |
| "vulnerability": { | |
| "name": "CVE-2019-1010024" | |
| }, | |
| "products": [ | |
| { | |
| "@id": "pkg:deb/debian/glibc@2.36-9%2Bdeb12u10?os_name=debian\u0026os_version=12" | |
| }, | |
| { | |
| "@id": "pkg:deb/debian/glibc@2.36-9%2Bdeb12u10?os_name=debian\u0026os_version=12" | |
| }, | |
| { | |
| "@id": "pkg:deb/debian/libc6" | |
| }, | |
| { | |
| "@id": "pkg:deb/debian/glibc" | |
| }, | |
| { | |
| "@id": "dhi.io/golang:1.23", | |
| "subcomponents": [ | |
| { | |
| "@id": "pkg:deb/debian/libc6" | |
| }, | |
| { | |
| "@id": "pkg:deb/debian/glibc" | |
| } | |
| ] | |
| } | |
| ], | |
| "status": "not_affected", | |
| "status_notes": "ASLR bypass using thread stack and heap cache. Not treated as security bug by upstream.", | |
| "justification": "vulnerable_code_cannot_be_controlled_by_adversary", | |
| "timestamp": "2025-08-05T20:35:21Z" | |
| }, | |
| { | |
| "@id": "2a64490a-d9f6-4f42-926a-044e6b5ea9b2", | |
| "vulnerability": { | |
| "name": "CVE-2019-1010025" | |
| }, | |
| "products": [ | |
| { | |
| "@id": "pkg:deb/debian/glibc@2.36-9%2Bdeb12u10?os_name=debian\u0026os_version=12" | |
| }, | |
| { | |
| "@id": "pkg:deb/debian/glibc@2.36-9%2Bdeb12u10?os_name=debian\u0026os_version=12" | |
| }, | |
| { | |
| "@id": "pkg:deb/debian/libc6" | |
| }, | |
| { | |
| "@id": "pkg:deb/debian/glibc" | |
| }, | |
| { | |
| "@id": "dhi.io/golang:1.23", | |
| "subcomponents": [ | |
| { | |
| "@id": "pkg:deb/debian/libc6" | |
| }, | |
| { | |
| "@id": "pkg:deb/debian/glibc" | |
| } | |
| ] | |
| } | |
| ], | |
| "status": "not_affected", | |
| "status_notes": "ASLR bypass for pthread_created thread heap addresses. Vendor states ASLR bypass itself is not a vulnerability.", | |
| "justification": "vulnerable_code_cannot_be_controlled_by_adversary", | |
| "timestamp": "2025-08-05T20:35:22Z" | |
| }, | |
| { | |
| "@id": "338fd8ef-9565-4616-8bfd-d3b184e68ef3", | |
| "vulnerability": { | |
| "name": "CVE-2019-9192" | |
| }, | |
| "products": [ | |
| { | |
| "@id": "pkg:deb/debian/glibc@2.36-9%2Bdeb12u10?os_name=debian\u0026os_version=12" | |
| }, | |
| { | |
| "@id": "pkg:deb/debian/glibc@2.36-9%2Bdeb12u10?os_name=debian\u0026os_version=12" | |
| }, | |
| { | |
| "@id": "pkg:deb/debian/libc6" | |
| }, | |
| { | |
| "@id": "pkg:deb/debian/glibc" | |
| }, | |
| { | |
| "@id": "dhi.io/golang:1.23", | |
| "subcomponents": [ | |
| { | |
| "@id": "pkg:deb/debian/libc6" | |
| }, | |
| { | |
| "@id": "pkg:deb/debian/glibc" | |
| } | |
| ] | |
| } | |
| ], | |
| "status": "not_affected", | |
| "status_notes": "Uncontrolled recursion in regex processing. Maintainer disputes this as a vulnerability as it only occurs with crafted patterns.", | |
| "justification": "vulnerable_code_cannot_be_controlled_by_adversary", | |
| "timestamp": "2025-08-05T20:35:25Z" | |
| }, | |
| { | |
| "@id": "be80d6b1-ac48-4a80-b3c3-1bc69996398f", | |
| "vulnerability": { | |
| "name": "CVE-2022-27943" | |
| }, | |
| "products": [ | |
| { | |
| "@id": "pkg:deb/debian/gcc-12@12.2.0-14%2Bdeb12u1?os_name=debian\u0026os_version=12" | |
| }, | |
| { | |
| "@id": "pkg:deb/debian/gcc-12@12.2.0-14%2Bdeb12u1?os_name=debian\u0026os_version=12" | |
| }, | |
| { | |
| "@id": "pkg:deb/debian/gcc-12-base" | |
| }, | |
| { | |
| "@id": "pkg:deb/debian/libgcc-s1" | |
| }, | |
| { | |
| "@id": "pkg:deb/debian/gcc-12" | |
| }, | |
| { | |
| "@id": "dhi.io/golang:1.23", | |
| "subcomponents": [ | |
| { | |
| "@id": "pkg:deb/debian/gcc-12-base" | |
| }, | |
| { | |
| "@id": "pkg:deb/debian/libgcc-s1" | |
| }, | |
| { | |
| "@id": "pkg:deb/debian/gcc-12" | |
| } | |
| ] | |
| } | |
| ], | |
| "status": "not_affected", | |
| "status_notes": "This CVE affects the RUST demangler, which is not in this context. Additionally the issue has negligible security impact.", | |
| "justification": "vulnerable_code_not_in_execute_path", | |
| "timestamp": "2025-08-05T20:34:55Z" | |
| }, | |
| { | |
| "@id": "debian-nodsa-CVE-2023-45853", | |
| "vulnerability": { | |
| "name": "CVE-2023-45853" | |
| }, | |
| "products": [ | |
| { | |
| "@id": "pkg:deb/debian/zlib@1%3A1.2.13.dfsg-1?os_name=debian\u0026os_version=12" | |
| }, | |
| { | |
| "@id": "pkg:deb/debian/zlib@1%3A1.2.13.dfsg-1?os_name=debian\u0026os_version=12" | |
| }, | |
| { | |
| "@id": "pkg:deb/debian/zlib1g" | |
| }, | |
| { | |
| "@id": "pkg:deb/debian/zlib" | |
| }, | |
| { | |
| "@id": "dhi.io/golang:1.23", | |
| "subcomponents": [ | |
| { | |
| "@id": "pkg:deb/debian/zlib1g" | |
| }, | |
| { | |
| "@id": "pkg:deb/debian/zlib" | |
| } | |
| ] | |
| } | |
| ], | |
| "status": "not_affected", | |
| "status_notes": "Marked no-dsa by Debian Security Team; see https://security-tracker.debian.org/tracker/CVE-2023-45853", | |
| "justification": "vulnerable_code_cannot_be_controlled_by_adversary", | |
| "timestamp": "2026-01-21T21:48:03Z" | |
| }, | |
| { | |
| "@id": "debian-nodsa-CVE-2023-45918", | |
| "vulnerability": { | |
| "name": "CVE-2023-45918" | |
| }, | |
| "products": [ | |
| { | |
| "@id": "pkg:deb/debian/ncurses@6.4-4?os_name=debian\u0026os_version=12" | |
| }, | |
| { | |
| "@id": "pkg:deb/debian/ncurses@6.4-4?os_name=debian\u0026os_version=12" | |
| }, | |
| { | |
| "@id": "pkg:deb/debian/libtinfo6" | |
| }, | |
| { | |
| "@id": "pkg:deb/debian/ncurses" | |
| }, | |
| { | |
| "@id": "dhi.io/golang:1.23", | |
| "subcomponents": [ | |
| { | |
| "@id": "pkg:deb/debian/libtinfo6" | |
| }, | |
| { | |
| "@id": "pkg:deb/debian/ncurses" | |
| } | |
| ] | |
| } | |
| ], | |
| "status": "not_affected", | |
| "status_notes": "Marked no-dsa by Debian Security Team; see https://security-tracker.debian.org/tracker/CVE-2023-45918", | |
| "justification": "vulnerable_code_cannot_be_controlled_by_adversary", | |
| "timestamp": "2025-03-12T14:55:43Z" | |
| }, | |
| { | |
| "@id": "5276139e-2d86-4e65-915f-150658829cb1", | |
| "vulnerability": { | |
| "name": "CVE-2023-45927" | |
| }, | |
| "products": [ | |
| { | |
| "@id": "pkg:deb/debian/slang2@2.3.3-3?os_name=debian\u0026os_version=12" | |
| }, | |
| { | |
| "@id": "pkg:deb/debian/slang2@2.3.3-3?os_name=debian\u0026os_version=12" | |
| }, | |
| { | |
| "@id": "pkg:deb/debian/libslang2" | |
| }, | |
| { | |
| "@id": "pkg:deb/debian/slang2" | |
| }, | |
| { | |
| "@id": "dhi.io/golang:1.23", | |
| "subcomponents": [ | |
| { | |
| "@id": "pkg:deb/debian/libslang2" | |
| }, | |
| { | |
| "@id": "pkg:deb/debian/slang2" | |
| } | |
| ] | |
| } | |
| ], | |
| "status": "not_affected", | |
| "status_notes": "The upstream package maintainers have confirmed that this is not a vulnerability but rather an unimportant bug with negligible security impact.", | |
| "justification": "vulnerable_code_cannot_be_controlled_by_adversary", | |
| "timestamp": "2025-08-05T20:36:50Z" | |
| }, | |
| { | |
| "@id": "b3e9f92e-e974-48cf-abaa-64a62656d39a", | |
| "vulnerability": { | |
| "name": "CVE-2023-45929" | |
| }, | |
| "products": [ | |
| { | |
| "@id": "pkg:deb/debian/slang2@2.3.3-3?os_name=debian\u0026os_version=12" | |
| }, | |
| { | |
| "@id": "pkg:deb/debian/slang2@2.3.3-3?os_name=debian\u0026os_version=12" | |
| }, | |
| { | |
| "@id": "pkg:deb/debian/libslang2" | |
| }, | |
| { | |
| "@id": "pkg:deb/debian/slang2" | |
| }, | |
| { | |
| "@id": "dhi.io/golang:1.23", | |
| "subcomponents": [ | |
| { | |
| "@id": "pkg:deb/debian/libslang2" | |
| }, | |
| { | |
| "@id": "pkg:deb/debian/slang2" | |
| } | |
| ] | |
| } | |
| ], | |
| "status": "not_affected", | |
| "status_notes": "The upstream package maintainers have confirmed that this is not a vulnerability but rather an unimportant bug with negligible security impact.", | |
| "justification": "vulnerable_code_cannot_be_controlled_by_adversary", | |
| "timestamp": "2025-08-05T20:36:48Z" | |
| }, | |
| { | |
| "@id": "debian-nodsa-CVE-2023-50495", | |
| "vulnerability": { | |
| "name": "CVE-2023-50495" | |
| }, | |
| "products": [ | |
| { | |
| "@id": "pkg:deb/debian/ncurses@6.4-4?os_name=debian\u0026os_version=12" | |
| }, | |
| { | |
| "@id": "pkg:deb/debian/ncurses@6.4-4?os_name=debian\u0026os_version=12" | |
| }, | |
| { | |
| "@id": "pkg:deb/debian/libtinfo6" | |
| }, | |
| { | |
| "@id": "pkg:deb/debian/ncurses" | |
| }, | |
| { | |
| "@id": "dhi.io/golang:1.23", | |
| "subcomponents": [ | |
| { | |
| "@id": "pkg:deb/debian/libtinfo6" | |
| }, | |
| { | |
| "@id": "pkg:deb/debian/ncurses" | |
| } | |
| ] | |
| } | |
| ], | |
| "status": "not_affected", | |
| "status_notes": "Marked no-dsa by Debian Security Team; see https://security-tracker.debian.org/tracker/CVE-2023-50495", | |
| "justification": "vulnerable_code_cannot_be_controlled_by_adversary", | |
| "timestamp": "2026-01-21T21:48:08Z" | |
| }, | |
| { | |
| "@id": "debian-nodsa-CVE-2025-15281", | |
| "vulnerability": { | |
| "name": "CVE-2025-15281" | |
| }, | |
| "products": [ | |
| { | |
| "@id": "pkg:deb/debian/glibc@2.36-9%2Bdeb12u10?os_name=debian\u0026os_version=12" | |
| }, | |
| { | |
| "@id": "pkg:deb/debian/glibc@2.36-9%2Bdeb12u10?os_name=debian\u0026os_version=12" | |
| }, | |
| { | |
| "@id": "pkg:deb/debian/libc6" | |
| }, | |
| { | |
| "@id": "pkg:deb/debian/glibc" | |
| }, | |
| { | |
| "@id": "dhi.io/golang:1.23", | |
| "subcomponents": [ | |
| { | |
| "@id": "pkg:deb/debian/libc6" | |
| }, | |
| { | |
| "@id": "pkg:deb/debian/glibc" | |
| } | |
| ] | |
| } | |
| ], | |
| "status": "not_affected", | |
| "status_notes": "Marked no-dsa by Debian Security Team; see https://security-tracker.debian.org/tracker/CVE-2025-15281", | |
| "justification": "vulnerable_code_cannot_be_controlled_by_adversary", | |
| "timestamp": "2026-01-29T17:10:11Z" | |
| }, | |
| { | |
| "@id": "701b6f97-40e8-4650-ad9a-d93a17e9b387", | |
| "vulnerability": { | |
| "name": "CVE-2025-27587" | |
| }, | |
| "products": [ | |
| { | |
| "@id": "pkg:deb/debian/openssl@3.0.17-1~deb12u2?os_name=debian\u0026os_version=12" | |
| }, | |
| { | |
| "@id": "pkg:deb/debian/openssl@3.0.17-1~deb12u2?os_name=debian\u0026os_version=12" | |
| }, | |
| { | |
| "@id": "pkg:deb/debian/libssl3" | |
| }, | |
| { | |
| "@id": "pkg:deb/debian/openssl" | |
| }, | |
| { | |
| "@id": "dhi.io/golang:1.23", | |
| "subcomponents": [ | |
| { | |
| "@id": "pkg:deb/debian/libssl3" | |
| }, | |
| { | |
| "@id": "pkg:deb/debian/openssl" | |
| } | |
| ] | |
| } | |
| ], | |
| "status": "not_affected", | |
| "status_notes": "This CVE only affects installations on the PowerPC architecture, and even then it is disputed because the OpenSSL security policy explicitly notes that any side channels which require the same physical system to be detected are outside of the threat model for the software. The timing signal is so small that it is infeasible to detect without having the attacking process running on the same physical system.", | |
| "justification": "vulnerable_code_cannot_be_controlled_by_adversary", | |
| "timestamp": "2025-08-05T20:36:27Z" | |
| }, | |
| { | |
| "@id": "7f2b54b6-4614-4a3e-a70e-9ef4cec4fa8f", | |
| "vulnerability": { | |
| "name": "CVE-2025-45582" | |
| }, | |
| "products": [ | |
| { | |
| "@id": "pkg:deb/debian/tar@1.34%2Bdfsg-1.2%2Bdeb12u1?os_name=debian\u0026os_version=12" | |
| }, | |
| { | |
| "@id": "pkg:deb/debian/tar@1.34%2Bdfsg-1.2%2Bdeb12u1?os_name=debian\u0026os_version=12" | |
| }, | |
| { | |
| "@id": "pkg:deb/debian/tar" | |
| }, | |
| { | |
| "@id": "dhi.io/golang:1.23", | |
| "subcomponents": [ | |
| { | |
| "@id": "pkg:deb/debian/tar" | |
| } | |
| ] | |
| } | |
| ], | |
| "status": "not_affected", | |
| "status_notes": "Disputed by upstream as it is documented behaviour; see https://lists.gnu.org/archive/html/bug-tar/2025-08/msg00012.html", | |
| "justification": "vulnerable_code_cannot_be_controlled_by_adversary", | |
| "timestamp": "2025-08-05T20:37:04Z" | |
| }, | |
| { | |
| "@id": "b12e79fa-b869-4407-8f0d-84d444c26943", | |
| "vulnerability": { | |
| "name": "CVE-2025-4802" | |
| }, | |
| "products": [ | |
| { | |
| "@id": "pkg:deb/debian/glibc@2.36-9%2Bdeb12u10?os_name=debian\u0026os_version=12" | |
| }, | |
| { | |
| "@id": "pkg:deb/debian/glibc@2.36-9%2Bdeb12u10?os_name=debian\u0026os_version=12" | |
| }, | |
| { | |
| "@id": "pkg:deb/debian/libc6" | |
| }, | |
| { | |
| "@id": "pkg:deb/debian/glibc" | |
| }, | |
| { | |
| "@id": "dhi.io/golang:1.23", | |
| "subcomponents": [ | |
| { | |
| "@id": "pkg:deb/debian/libc6" | |
| }, | |
| { | |
| "@id": "pkg:deb/debian/glibc" | |
| } | |
| ] | |
| } | |
| ], | |
| "status": "not_affected", | |
| "status_notes": "The only viable vector for exploitation of this bug is local: if a static setuid program exists, and that program calls dlopen, then it may search LD_LIBRARY_PATH to locate the SONAME to load. No such program is present in the container image.", | |
| "justification": "vulnerable_code_cannot_be_controlled_by_adversary", | |
| "timestamp": "2025-08-05T20:35:26Z" | |
| }, | |
| { | |
| "@id": "9f601e56-75cb-4b0e-8637-63cfd0e81610", | |
| "vulnerability": { | |
| "name": "CVE-2025-5278" | |
| }, | |
| "products": [ | |
| { | |
| "@id": "pkg:deb/debian/coreutils@9.1-1?os_name=debian\u0026os_version=12" | |
| }, | |
| { | |
| "@id": "pkg:deb/debian/coreutils@9.1-1?os_name=debian\u0026os_version=12" | |
| }, | |
| { | |
| "@id": "pkg:deb/debian/coreutils" | |
| }, | |
| { | |
| "@id": "dhi.io/golang:1.23", | |
| "subcomponents": [ | |
| { | |
| "@id": "pkg:deb/debian/coreutils" | |
| } | |
| ] | |
| } | |
| ], | |
| "status": "not_affected", | |
| "status_notes": "This CVE is not treated as security issue by upstream; just a crash in a CLI tool.", | |
| "justification": "vulnerable_code_cannot_be_controlled_by_adversary", | |
| "timestamp": "2025-08-05T20:27:59Z" | |
| }, | |
| { | |
| "@id": "b8f5f402-2d39-4e01-b7f7-31f19a85b2ee", | |
| "vulnerability": { | |
| "name": "CVE-2025-6141" | |
| }, | |
| "products": [ | |
| { | |
| "@id": "pkg:deb/debian/ncurses@6.4-4?os_name=debian\u0026os_version=12" | |
| }, | |
| { | |
| "@id": "pkg:deb/debian/ncurses@6.4-4?os_name=debian\u0026os_version=12" | |
| }, | |
| { | |
| "@id": "pkg:deb/debian/libtinfo6" | |
| }, | |
| { | |
| "@id": "pkg:deb/debian/ncurses" | |
| }, | |
| { | |
| "@id": "dhi.io/golang:1.23", | |
| "subcomponents": [ | |
| { | |
| "@id": "pkg:deb/debian/libtinfo6" | |
| }, | |
| { | |
| "@id": "pkg:deb/debian/ncurses" | |
| } | |
| ] | |
| } | |
| ], | |
| "status": "under_investigation", | |
| "impact_statement": "Waiting for upstream fix release", | |
| "timestamp": "2025-08-05T20:36:14Z" | |
| }, | |
| { | |
| "@id": "debian-nodsa-CVE-2025-6141", | |
| "vulnerability": { | |
| "name": "CVE-2025-6141" | |
| }, | |
| "products": [ | |
| { | |
| "@id": "pkg:deb/debian/ncurses@6.4-4?os_name=debian\u0026os_version=12" | |
| }, | |
| { | |
| "@id": "pkg:deb/debian/ncurses@6.4-4?os_name=debian\u0026os_version=12" | |
| }, | |
| { | |
| "@id": "pkg:deb/debian/libtinfo6" | |
| }, | |
| { | |
| "@id": "pkg:deb/debian/ncurses" | |
| }, | |
| { | |
| "@id": "dhi.io/golang:1.23", | |
| "subcomponents": [ | |
| { | |
| "@id": "pkg:deb/debian/libtinfo6" | |
| }, | |
| { | |
| "@id": "pkg:deb/debian/ncurses" | |
| } | |
| ] | |
| } | |
| ], | |
| "status": "not_affected", | |
| "status_notes": "Marked no-dsa by Debian Security Team; see https://security-tracker.debian.org/tracker/CVE-2025-6141", | |
| "justification": "vulnerable_code_cannot_be_controlled_by_adversary", | |
| "timestamp": "2026-01-21T21:50:12Z" | |
| }, | |
| { | |
| "@id": "debian-nodsa-CVE-2025-6297", | |
| "vulnerability": { | |
| "name": "CVE-2025-6297" | |
| }, | |
| "products": [ | |
| { | |
| "@id": "pkg:deb/debian/dpkg@1.21.22?os_name=debian\u0026os_version=12" | |
| }, | |
| { | |
| "@id": "pkg:deb/debian/dpkg@1.21.22?os_name=debian\u0026os_version=12" | |
| }, | |
| { | |
| "@id": "pkg:deb/debian/dpkg" | |
| }, | |
| { | |
| "@id": "dhi.io/golang:1.23", | |
| "subcomponents": [ | |
| { | |
| "@id": "pkg:deb/debian/dpkg" | |
| } | |
| ] | |
| } | |
| ], | |
| "status": "not_affected", | |
| "status_notes": "Marked no-dsa by Debian Security Team; see https://security-tracker.debian.org/tracker/CVE-2025-6297", | |
| "justification": "vulnerable_code_cannot_be_controlled_by_adversary", | |
| "timestamp": "2026-01-21T21:50:13Z" | |
| }, | |
| { | |
| "@id": "debian-nodsa-CVE-2026-0861", | |
| "vulnerability": { | |
| "name": "CVE-2026-0861" | |
| }, | |
| "products": [ | |
| { | |
| "@id": "pkg:deb/debian/glibc@2.36-9%2Bdeb12u10?os_name=debian\u0026os_version=12" | |
| }, | |
| { | |
| "@id": "pkg:deb/debian/glibc@2.36-9%2Bdeb12u10?os_name=debian\u0026os_version=12" | |
| }, | |
| { | |
| "@id": "pkg:deb/debian/libc6" | |
| }, | |
| { | |
| "@id": "pkg:deb/debian/glibc" | |
| }, | |
| { | |
| "@id": "dhi.io/golang:1.23", | |
| "subcomponents": [ | |
| { | |
| "@id": "pkg:deb/debian/libc6" | |
| }, | |
| { | |
| "@id": "pkg:deb/debian/glibc" | |
| } | |
| ] | |
| } | |
| ], | |
| "status": "not_affected", | |
| "status_notes": "Marked no-dsa by Debian Security Team; see https://security-tracker.debian.org/tracker/CVE-2026-0861", | |
| "justification": "vulnerable_code_cannot_be_controlled_by_adversary", | |
| "timestamp": "2026-01-29T17:10:12Z" | |
| }, | |
| { | |
| "@id": "debian-nodsa-CVE-2026-0915", | |
| "vulnerability": { | |
| "name": "CVE-2026-0915" | |
| }, | |
| "products": [ | |
| { | |
| "@id": "pkg:deb/debian/glibc@2.36-9%2Bdeb12u10?os_name=debian\u0026os_version=12" | |
| }, | |
| { | |
| "@id": "pkg:deb/debian/glibc@2.36-9%2Bdeb12u10?os_name=debian\u0026os_version=12" | |
| }, | |
| { | |
| "@id": "pkg:deb/debian/libc6" | |
| }, | |
| { | |
| "@id": "pkg:deb/debian/glibc" | |
| }, | |
| { | |
| "@id": "dhi.io/golang:1.23", | |
| "subcomponents": [ | |
| { | |
| "@id": "pkg:deb/debian/libc6" | |
| }, | |
| { | |
| "@id": "pkg:deb/debian/glibc" | |
| } | |
| ] | |
| } | |
| ], | |
| "status": "not_affected", | |
| "status_notes": "Marked no-dsa by Debian Security Team; see https://security-tracker.debian.org/tracker/CVE-2026-0915", | |
| "justification": "vulnerable_code_cannot_be_controlled_by_adversary", | |
| "timestamp": "2026-01-29T17:10:12Z" | |
| } | |
| ], | |
| "timestamp": "2025-03-12T14:55:43Z", | |
| "last_updated": "2026-01-29T17:10:12Z" | |
| } |