almet/dangerzone
1
0
Fork 0
mirror of https://github.com/freedomofpress/dangerzone.git synced 2025-04-28 09:52:37 +02:00
Code Issues Projects Releases Packages Wiki Activity Actions 7
dangerzone/.grype.yaml
Alex Pyrgiotis add95a0d53
Ignore CVE-2024-5535 from our security scans 
We believe that Dangerzone is not affected by CVE-2024-5535 for the
following reasons:

1. This CVE affects applications that make network calls. The Dangerzone
    container does not perform any such calls, and has no access to the
    internet.
2. The OpenSSL devs have marked this issue as low severity.
2024-07-05 17:20:03 +03:00

45 lines
2 KiB
YAML
Raw Blame History

# This configuration file will be used to track CVEs that we can ignore for the
# latest release of Dangerzone, and offer our analysis.
ignore:
# CVE-2023-7104
# =============
#
# NVD Entry: https://nvd.nist.gov/vuln/detail/CVE-2023-7104
# Verdict: Dangerzone is not affected. The rationale is the following:
#
# 1. This CVE affects malicious/corrupted SQLite DBs.
# 2. Databases can be loaded either via LibreOffice Calc or Base. Files for
# the latter are not a valid input to Dangerzone.
# 3. Based on the LibreOffice Calc guide [1], users can only refer to
# external databases, not embed them in a spreadsheet.
# 4. The actual CVSS score for this vulnerability is High, according to
# NIST, not Critical.
#
# [1]: From https://wiki.documentfoundation.org/images/f/f4/CG75-CalcGuide.pdf:
#
# > The possible data sources for the pivot table are a Calc spreadsheet
# > or an external data source that is registered in LibreOffice. [...]
# > A registered data source is a connection to data held in a database
# > outside of LibreOffice.
- vulnerability: CVE-2023-7104
# CVE-2024-5535
# =============
#
# NVD Entry: https://nvd.nist.gov/vuln/detail/CVE-2024-5535
# Verdict: Dangerzone is not affected. The rationale is the following:
#
# 1. This CVE affects applications that make network calls. The Dangerzone
# container does not perform any such calls, and has no access to the
# internet.
# 2. The OpenSSL devs have marked this issue as low severity [1].
#
# [1]: From https://www.openssl.org/news/secadv/20240627.txt:
#
# > This issue has been assessed as Low severity because applications are
# > most likely to be vulnerable if they are using NPN instead of ALPN -
# > but NPN is not widely used. It also requires an application
# > configuration or programming error. Finally, this issue would not
# > typically be under attacker control making active exploitation
# > unlikely.
- vulnerability: CVE-2024-5535
Reference in a new issue View git blame Copy permalink