| Severity | Finding | Category | Resource | Tool |
|---|---|---|---|---|
| critical | sqlite: Integer Truncation in SQLite | Container Security | [ECR-IMAGE]:latest (debian 12.7):libsqlite3-0@3.40.1-2 | trivy,trivy,trivy |
| critical | openssl: OpenSSL: Remote code execution or Denial of Service via oversized Initialization Vector in CMS parsing | Container Security | [ECR-IMAGE]:latest (debian 12.7):libssl3@3.0.14-1~deb12u2 | trivy,trivy,trivy |
| critical | openssl: OpenSSL: Remote code execution or Denial of Service via oversized Initialization Vector in CMS parsing | Container Security | [ECR-IMAGE]:latest (debian 12.7):openssl@3.0.14-1~deb12u2 | trivy,trivy,trivy |
| critical | zlib: integer overflow and resultant heap-based buffer overflow in zipOpenNewFileInZip4_6 | Container Security | [ECR-IMAGE]:latest (debian 12.7):zlib1g@1:1.2.13.dfsg-1 | trivy |
| high | GnuPG: GnuPG: Information disclosure and potential arbitrary code execution via out-of-bounds write | Container Security | [ECR-IMAGE]:latest (debian 12.7):gpgv@2.2.40-1.1 | trivy |
| high | glibc: static setuid binary dlopen may incorrectly search LD_LIBRARY_PATH | Container Security | [ECR-IMAGE]:latest (debian 12.7):libc-bin@2.36-9+deb12u8 | trivy,trivy |
| high | glibc: static setuid binary dlopen may incorrectly search LD_LIBRARY_PATH | Container Security | [ECR-IMAGE]:latest (debian 12.7):libc6@2.36-9+deb12u8 | trivy,trivy |
| high | expat: parsing large tokens can trigger a denial of service | Container Security | [ECR-IMAGE]:latest (debian 12.7):libexpat1@2.5.0-1+deb12u1 | trivy,trivy,trivy |
| high | gnutls: Vulnerability in GnuTLS otherName SAN export | Container Security | [ECR-IMAGE]:latest (debian 12.7):libgnutls30@3.7.9-2+deb12u3 | trivy,trivy |
| high | xz: XZ has a heap-use-after-free bug in threaded .xz decoder | Container Security | [ECR-IMAGE]:latest (debian 12.7):liblzma5@5.4.1-0.2 | trivy |
| high | linux-pam: Linux-pam directory Traversal | Container Security | [ECR-IMAGE]:latest (debian 12.7):libpam-modules@1.5.2-6+deb12u1 | trivy |
| high | linux-pam: Linux-pam directory Traversal | Container Security | [ECR-IMAGE]:latest (debian 12.7):libpam-modules-bin@1.5.2-6+deb12u1 | trivy |
| high | linux-pam: Linux-pam directory Traversal | Container Security | [ECR-IMAGE]:latest (debian 12.7):libpam-runtime@1.5.2-6+deb12u1 | trivy |
| high | linux-pam: Linux-pam directory Traversal | Container Security | [ECR-IMAGE]:latest (debian 12.7):libpam0g@1.5.2-6+deb12u1 | trivy |
| high | perl: CPAN.pm does not verify TLS certificates when downloading distributions over HTTPS | Container Security | [ECR-IMAGE]:latest (debian 12.7):perl-base@5.36.0-7+deb12u1 | trivy,trivy |
| high | pypa-setuptools: Regular Expression Denial of Service (ReDoS) in package_index.py | Application Security | Python:setuptools@57.5.0 | trivy,trivy,trivy |
| high | wheel: wheel: Privilege Escalation or Arbitrary Code Execution via malicious wheel file unpacking | Application Security | Python:wheel@0.44.0 | trivy |
| high | sqlalchemy-execute-raw-query: Avoiding SQL string concatenation: untrusted input concatenated with raw SQL que | Application Security | /target/app.py:8 | semgrep |
| medium | pull-request-target-code-checkout: This GitHub Actions workflow file uses `pull_request_target` and checks out code | CI/CD Pipeline | /target/.github/workflows/pr-check.yml:9 | semgrep |
| info | Maintain current contact details. | AWS Posture | [ARN] | prowler,prowler,prowler,prowler,prowler,prowler,prowler |
| info | Ensure CloudTrail is enabled in all regions | AWS Posture | [ARN] | prowler |
| info | Check if EC2 Instance Metadata Service Version 2 (IMDSv2) is Enabled and Required. | AWS Posture | [ARN] | prowler |
| info | Ensure no security groups allow ingress from 0.0.0.0/0 or ::/0 to all ports. | AWS Posture | [ARN] | prowler,prowler |
| info | Ensure IAM AWS-Managed policies that allow full "*:*" administrative privileges are not attached | AWS Posture | arn:aws:iam::aws:policy/aws-service-role/AWSOrganizationsServiceTrustPolicy | prowler |
| info | Ensure IAM AWS-Managed policies that allow full "*:*" administrative privileges are not attached | AWS Posture | arn:aws:iam::aws:policy/aws-service-role/AWSTrustedAdvisorServiceRolePolicy | prowler |
| info | Ensure IAM AWS-Managed policies that allow full "*:*" administrative privileges are not attached | AWS Posture | arn:aws:iam::aws:policy/aws-service-role/AWSSupportServiceRolePolicy | prowler,prowler |
| info | Ensure IAM AWS-Managed policies that allow full "*:*" administrative privileges are not attached | AWS Posture | arn:aws:iam::aws:policy/aws-service-role/APIGatewayServiceRolePolicy | prowler |
| info | Ensure IAM AWS-Managed policies that allow full "*:*" administrative privileges are not attached | AWS Posture | arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole | prowler |
| info | Ensure IAM AWS-Managed policies that allow full "*:*" administrative privileges are not attached | AWS Posture | arn:aws:iam::aws:policy/aws-service-role/AWSCloudFrontLogger | prowler |
| info | Ensure IAM AWS-Managed policies that allow full "*:*" administrative privileges are not attached | AWS Posture | arn:aws:iam::aws:policy/aws-service-role/AWSResourceExplorerServiceRolePolicy | prowler |
| info | Ensure IAM policies are attached only to groups or roles | AWS Posture | [ARN] | prowler,prowler,prowler,prowler |
| info | Ensure only hardware MFA is enabled for the root account | AWS Posture | [ARN] | prowler |
| info | Ensure unused user console access are disabled | AWS Posture | [ARN] | prowler,prowler,prowler,prowler |
| info | Ensure unused user console access are disabled | AWS Posture | [ARN] | prowler,prowler,prowler,prowler |
| info | Check S3 Bucket Level Public Access Block. | AWS Posture | arn:aws:s3:::[BUCKET] | prowler |
| info | Check S3 Bucket Level Public Access Block. | AWS Posture | arn:aws:s3:::[BUCKET] | prowler |
| info | Check S3 Bucket Level Public Access Block. | AWS Posture | arn:aws:s3:::[BUCKET] | prowler |
| info | Check S3 Bucket Level Public Access Block. | AWS Posture | arn:aws:s3:::[BUCKET] | prowler |
| info | Check S3 Bucket Level Public Access Block. | AWS Posture | arn:aws:s3:::[BUCKET] | prowler |
| info | Check S3 Bucket Level Public Access Block. | AWS Posture | arn:aws:s3:::[BUCKET] | prowler |
There exists a vulnerability in SQLite versions before 3.50.2 where the number of aggregate terms could exceed the number of columns available. This could lead to a memory corruption issue. We recommend upgrading to version 3.50.2 or above.

Vulnerability: CVE-2025-6965 Installed: 3.40.1-2 Fixed in: 3.40.1-2+deb12u2 --- Also detected by trivy --- Vulnerability: CVE-2025-7458 Installed: 3.40.1-2 --- Also detected by trivy --- Vulnerability: CVE-2023-7104 Installed: 3.40.1-2 Fixed in: 3.40.1-2+deb12u1

Upgrade libsqlite3-0 to 3.40.1-2+deb12u2

Issue summary: Parsing CMS AuthEnvelopedData or EnvelopedData message with maliciously crafted AEAD parameters can trigger a stack buffer overflow. Impact summary: A stack buffer overflow may lead to a crash, causing Denial of Service, or potentially remote code execution. When parsing CMS (Auth)EnvelopedData structures that use AEAD ciphers such as AES-GCM, the IV (Initialization Vector) encoded in the ASN.1 parameters is copied into a fixed-size stack buffer without verifying that its length fits the destination. An attacker can supply a crafted CMS message with an oversized IV, causing a stack-based out-of-bounds write before any authentication or tag verification occurs. Applications and services that parse untrusted CMS or PKCS#7 content using AEAD ciphers (e.g., S/MIME (Auth)EnvelopedData with AES-GCM) are vulnerable. Because the overflow occurs prior to authentication, no valid key material is required to trigger it. While exploitability to remote code execution depends on platform and toolchain mitigations, the stack-based write primitive represents a severe risk. The FIPS modules in 3.6, 3.5, 3.4, 3.3 and 3.0 are not affected by this issue, as the CMS implementation is outside the OpenSSL FIPS module boundary. OpenSSL 3.6, 3.5, 3.4, 3.3 and 3.0 are vulnerable to this issue. OpenSSL 1.1.1 and 1.0.2 are not affected by this issue.

Vulnerability: CVE-2025-15467 Installed: 3.0.14-1~deb12u2 Fixed in: 3.0.18-1~deb12u2 --- Also detected by trivy --- Vulnerability: CVE-2025-69419 Installed: 3.0.14-1~deb12u2 Fixed in: 3.0.18-1~deb12u2 --- Also detected by trivy --- Vulnerability: CVE-2025-69421 Installed: 3.0.14-1~deb12u2 Fixed in: 3.0.18-1~deb12u2

Upgrade libssl3 to 3.0.18-1~deb12u2

Issue summary: Parsing CMS AuthEnvelopedData or EnvelopedData message with maliciously crafted AEAD parameters can trigger a stack buffer overflow. Impact summary: A stack buffer overflow may lead to a crash, causing Denial of Service, or potentially remote code execution. When parsing CMS (Auth)EnvelopedData structures that use AEAD ciphers such as AES-GCM, the IV (Initialization Vector) encoded in the ASN.1 parameters is copied into a fixed-size stack buffer without verifying that its length fits the destination. An attacker can supply a crafted CMS message with an oversized IV, causing a stack-based out-of-bounds write before any authentication or tag verification occurs. Applications and services that parse untrusted CMS or PKCS#7 content using AEAD ciphers (e.g., S/MIME (Auth)EnvelopedData with AES-GCM) are vulnerable. Because the overflow occurs prior to authentication, no valid key material is required to trigger it. While exploitability to remote code execution depends on platform and toolchain mitigations, the stack-based write primitive represents a severe risk. The FIPS modules in 3.6, 3.5, 3.4, 3.3 and 3.0 are not affected by this issue, as the CMS implementation is outside the OpenSSL FIPS module boundary. OpenSSL 3.6, 3.5, 3.4, 3.3 and 3.0 are vulnerable to this issue. OpenSSL 1.1.1 and 1.0.2 are not affected by this issue.

Vulnerability: CVE-2025-15467 Installed: 3.0.14-1~deb12u2 Fixed in: 3.0.18-1~deb12u2 --- Also detected by trivy --- Vulnerability: CVE-2025-69419 Installed: 3.0.14-1~deb12u2 Fixed in: 3.0.18-1~deb12u2 --- Also detected by trivy --- Vulnerability: CVE-2025-69421 Installed: 3.0.14-1~deb12u2 Fixed in: 3.0.18-1~deb12u2

Upgrade openssl to 3.0.18-1~deb12u2

MiniZip in zlib through 1.3 has an integer overflow and resultant heap-based buffer overflow in zipOpenNewFileInZip4_64 via a long filename, comment, or extra field. NOTE: MiniZip is not a supported part of the zlib product. NOTE: pyminizip through 0.2.6 is also vulnerable because it bundles an affected zlib version, and exposes the applicable MiniZip code through its compress API.

Vulnerability: CVE-2023-45853 Installed: 1:1.2.13.dfsg-1

Investigate CVE-2023-45853 for zlib1g

In GnuPG before 2.4.9, armor_filter in g10/armor.c has two increments of an index variable where one is intended, leading to an out-of-bounds write for crafted input. (For ExtendedLTS, 2.2.51 and later are fixed versions.)

Vulnerability: CVE-2025-68973 Installed: 2.2.40-1.1 Fixed in: 2.2.40-1.1+deb12u2

Upgrade gpgv to 2.2.40-1.1+deb12u2

Untrusted LD_LIBRARY_PATH environment variable vulnerability in the GNU C Library version 2.27 to 2.38 allows attacker controlled loading of dynamically shared library in statically compiled setuid binaries that call dlopen (including internal dlopen calls after setlocale or calls to NSS functions such as getaddrinfo).

Vulnerability: CVE-2025-4802 Installed: 2.36-9+deb12u8 Fixed in: 2.36-9+deb12u11 --- Also detected by trivy --- Vulnerability: CVE-2026-0861 Installed: 2.36-9+deb12u8

Upgrade libc-bin to 2.36-9+deb12u11

Untrusted LD_LIBRARY_PATH environment variable vulnerability in the GNU C Library version 2.27 to 2.38 allows attacker controlled loading of dynamically shared library in statically compiled setuid binaries that call dlopen (including internal dlopen calls after setlocale or calls to NSS functions such as getaddrinfo).

Vulnerability: CVE-2025-4802 Installed: 2.36-9+deb12u8 Fixed in: 2.36-9+deb12u11 --- Also detected by trivy --- Vulnerability: CVE-2026-0861 Installed: 2.36-9+deb12u8

Upgrade libc6 to 2.36-9+deb12u11

libexpat through 2.5.0 allows a denial of service (resource consumption) because many full reparsings are required in the case of a large token for which multiple buffer fills are needed.

Vulnerability: CVE-2023-52425 Installed: 2.5.0-1+deb12u1 Fixed in: 2.5.0-1+deb12u2 --- Also detected by trivy --- Vulnerability: CVE-2024-8176 Installed: 2.5.0-1+deb12u1 Fixed in: 2.5.0-1+deb12u2 --- Also detected by trivy --- Vulnerability: CVE-2026-25210 Installed: 2.5.0-1+deb12u1

Upgrade libexpat1 to 2.5.0-1+deb12u2

A flaw was found in GnuTLS. A double-free vulnerability exists in GnuTLS due to incorrect ownership handling in the export logic of Subject Alternative Name (SAN) entries containing an otherName. If the type-id OID is invalid or malformed, GnuTLS will call asn1_delete_structure() on an ASN.1 node it does not own, leading to a double-free condition when the parent function or caller later attempts to free the same structure. This vulnerability can be triggered using only public GnuTLS APIs and may result in denial of service or memory corruption, depending on allocator behavior.

Vulnerability: CVE-2025-32988 Installed: 3.7.9-2+deb12u3 Fixed in: 3.7.9-2+deb12u5 --- Also detected by trivy --- Vulnerability: CVE-2025-32990 Installed: 3.7.9-2+deb12u3 Fixed in: 3.7.9-2+deb12u5

Upgrade libgnutls30 to 3.7.9-2+deb12u5

XZ Utils provide a general-purpose data-compression library plus command-line tools. In XZ Utils 5.3.3alpha to 5.8.0, the multithreaded .xz decoder in liblzma has a bug where invalid input can at least result in a crash. The effects include heap use after free and writing to an address based on the null pointer plus an offset. Applications and libraries that use the lzma_stream_decoder_mt function are affected. The bug has been fixed in XZ Utils 5.8.1, and the fix has been committed to the v5.4, v5.6, v5.8, and master branches in the xz Git repository. No new release packages will be made from the old stable branches, but a standalone patch is available that applies to all affected releases.

Vulnerability: CVE-2025-31115 Installed: 5.4.1-0.2 Fixed in: 5.4.1-1

Upgrade liblzma5 to 5.4.1-1

A flaw was found in linux-pam. The module pam_namespace may use access user-controlled paths without proper protection, allowing local users to elevate their privileges to root via multiple symlink attacks and race conditions.

Vulnerability: CVE-2025-6020 Installed: 1.5.2-6+deb12u1 Fixed in: 1.5.2-6+deb12u2

Upgrade libpam-modules to 1.5.2-6+deb12u2

A flaw was found in linux-pam. The module pam_namespace may use access user-controlled paths without proper protection, allowing local users to elevate their privileges to root via multiple symlink attacks and race conditions.

Vulnerability: CVE-2025-6020 Installed: 1.5.2-6+deb12u1 Fixed in: 1.5.2-6+deb12u2

Upgrade libpam-modules-bin to 1.5.2-6+deb12u2

A flaw was found in linux-pam. The module pam_namespace may use access user-controlled paths without proper protection, allowing local users to elevate their privileges to root via multiple symlink attacks and race conditions.

Vulnerability: CVE-2025-6020 Installed: 1.5.2-6+deb12u1 Fixed in: 1.5.2-6+deb12u2

Upgrade libpam-runtime to 1.5.2-6+deb12u2

A flaw was found in linux-pam. The module pam_namespace may use access user-controlled paths without proper protection, allowing local users to elevate their privileges to root via multiple symlink attacks and race conditions.

Vulnerability: CVE-2025-6020 Installed: 1.5.2-6+deb12u1 Fixed in: 1.5.2-6+deb12u2

Upgrade libpam0g to 1.5.2-6+deb12u2

CPAN.pm before 2.35 does not verify TLS certificates when downloading distributions over HTTPS.

Vulnerability: CVE-2023-31484 Installed: 5.36.0-7+deb12u1 Fixed in: 5.36.0-7+deb12u3 --- Also detected by trivy --- Vulnerability: CVE-2024-56406 Installed: 5.36.0-7+deb12u1 Fixed in: 5.36.0-7+deb12u2

Upgrade perl-base to 5.36.0-7+deb12u3

Python Packaging Authority (PyPA) setuptools before 65.5.1 allows remote attackers to cause a denial of service via HTML in a crafted package or custom PackageIndex page. There is a Regular Expression Denial of Service (ReDoS) in package_index.py.

Vulnerability: CVE-2022-40897 Installed: 57.5.0 Fixed in: 65.5.1 --- Also detected by trivy --- Vulnerability: CVE-2024-6345 Installed: 57.5.0 Fixed in: 70.0.0 --- Also detected by trivy --- Vulnerability: CVE-2025-47273 Installed: 57.5.0 Fixed in: 78.1.1

Upgrade setuptools to 65.5.1

wheel is a command line tool for manipulating Python wheel files, as defined in PEP 427. In versions 0.40.0 through 0.46.1, the unpack function is vulnerable to file permission modification through mishandling of file permissions after extraction. The logic blindly trusts the filename from the archive header for the chmod operation, even though the extraction process itself might have sanitized the path. Attackers can craft a malicious wheel file that, when unpacked, changes the permissions of critical system files (e.g., /etc/passwd, SSH keys, config files), allowing for Privilege Escalation or arbitrary code execution by modifying now-writable scripts. This issue has been fixed in version 0.46.2.

Vulnerability: CVE-2026-24049 Installed: 0.44.0 Fixed in: 0.46.2

Upgrade wheel to 0.46.2

Avoiding SQL string concatenation: untrusted input concatenated with raw SQL query can result in SQL Injection. In order to execute raw query safely, prepared statement should be used. SQLAlchemy provides TextualSQL to easily used prepared statement with named parameters. For complex SQL composition, use SQL Expression Language or Schema Definition Language. In most cases, SQLAlchemy ORM will be a better option.

Rule: python.sqlalchemy.security.sqlalchemy-execute-raw-query.sqlalchemy-execute-raw-query File: /target/app.py:8-8 Match: cursor.execute(query)

Address python.sqlalchemy.security.sqlalchemy-execute-raw-query.sqlalchemy-execute-raw-query finding