Snyk - Open Source Security

Snyk test report

October 5th 2025, 12:33:48 am (UTC+00:00)

Scanned the following paths:
  • public.ecr.aws/docker/library/redis:7.0.15-alpine/docker/library/redis (apk)
  • public.ecr.aws/docker/library/redis:7.0.15-alpine/tianon/gosu//usr/local/bin/gosu (gomodules)
7 known vulnerabilities
65 vulnerable dependency paths
18 dependencies

CVE-2025-9230

low severity
  • Package Manager: alpine:3.20
  • Vulnerable module: openssl/libcrypto3
  • Introduced through: docker-image|public.ecr.aws/docker/library/[email protected] and openssl/[email protected]

Detailed paths

NVD Description

Note: Versions mentioned in the description apply only to the upstream openssl package and not the openssl package as distributed by Alpine. See How to fix? for Alpine:3.20 relevant fixed versions and status.

Issue summary: An application trying to decrypt CMS messages encrypted using password based encryption can trigger an out-of-bounds read and write.

Impact summary: This out-of-bounds read may trigger a crash which leads to Denial of Service for an application. The out-of-bounds write can cause a memory corruption which can have various consequences including a Denial of Service or Execution of attacker-supplied code.

Although the consequences of a successful exploit of this vulnerability could be severe, the probability that the attacker would be able to perform it is low. Besides, password based (PWRI) encryption support in CMS messages is very rarely used. For that reason the issue was assessed as Moderate severity according to our Security Policy.

The FIPS modules in 3.5, 3.4, 3.3, 3.2, 3.1 and 3.0 are not affected by this issue, as the CMS implementation is outside the OpenSSL FIPS module boundary.

Remediation

Upgrade Alpine:3.20 openssl to version 3.3.5-r0 or higher.

References

More about this vulnerability

CVE-2025-9231

low severity
  • Package Manager: alpine:3.20
  • Vulnerable module: openssl/libcrypto3
  • Introduced through: docker-image|public.ecr.aws/docker/library/[email protected] and openssl/[email protected]

Detailed paths

NVD Description

Note: Versions mentioned in the description apply only to the upstream openssl package and not the openssl package as distributed by Alpine. See How to fix? for Alpine:3.20 relevant fixed versions and status.

Issue summary: A timing side-channel which could potentially allow remote recovery of the private key exists in the SM2 algorithm implementation on 64 bit ARM platforms.

Impact summary: A timing side-channel in SM2 signature computations on 64 bit ARM platforms could allow recovering the private key by an attacker..

While remote key recovery over a network was not attempted by the reporter, timing measurements revealed a timing signal which may allow such an attack.

OpenSSL does not directly support certificates with SM2 keys in TLS, and so this CVE is not relevant in most TLS contexts. However, given that it is possible to add support for such certificates via a custom provider, coupled with the fact that in such a custom provider context the private key may be recoverable via remote timing measurements, we consider this to be a Moderate severity issue.

The FIPS modules in 3.5, 3.4, 3.3, 3.2, 3.1 and 3.0 are not affected by this issue, as SM2 is not an approved algorithm.

Remediation

Upgrade Alpine:3.20 openssl to version 3.3.5-r0 or higher.

References

More about this vulnerability

CVE-2025-9232

low severity
  • Package Manager: alpine:3.20
  • Vulnerable module: openssl/libcrypto3
  • Introduced through: docker-image|public.ecr.aws/docker/library/[email protected] and openssl/[email protected]

Detailed paths

NVD Description

Note: Versions mentioned in the description apply only to the upstream openssl package and not the openssl package as distributed by Alpine. See How to fix? for Alpine:3.20 relevant fixed versions and status.

Issue summary: An application using the OpenSSL HTTP client API functions may trigger an out-of-bounds read if the 'no_proxy' environment variable is set and the host portion of the authority component of the HTTP URL is an IPv6 address.

Impact summary: An out-of-bounds read can trigger a crash which leads to Denial of Service for an application.

The OpenSSL HTTP client API functions can be used directly by applications but they are also used by the OCSP client functions and CMP (Certificate Management Protocol) client implementation in OpenSSL. However the URLs used by these implementations are unlikely to be controlled by an attacker.

In this vulnerable code the out of bounds read can only trigger a crash. Furthermore the vulnerability requires an attacker-controlled URL to be passed from an application to the OpenSSL function and the user has to have a 'no_proxy' environment variable set. For the aforementioned reasons the issue was assessed as Low severity.

The vulnerable code was introduced in the following patch releases: 3.0.16, 3.1.8, 3.2.4, 3.3.3, 3.4.0 and 3.5.0.

The FIPS modules in 3.5, 3.4, 3.3, 3.2, 3.1 and 3.0 are not affected by this issue, as the HTTP client implementation is outside the OpenSSL FIPS module boundary.

Remediation

Upgrade Alpine:3.20 openssl to version 3.3.5-r0 or higher.

References

More about this vulnerability

CVE-2024-9143

low severity
  • Package Manager: alpine:3.20
  • Vulnerable module: openssl/libcrypto3
  • Introduced through: docker-image|public.ecr.aws/docker/library/[email protected] and openssl/[email protected]

Detailed paths

NVD Description

Note: Versions mentioned in the description apply only to the upstream openssl package and not the openssl package as distributed by Alpine. See How to fix? for Alpine:3.20 relevant fixed versions and status.

Issue summary: Use of the low-level GF(2^m) elliptic curve APIs with untrusted explicit values for the field polynomial can lead to out-of-bounds memory reads or writes.

Impact summary: Out of bound memory writes can lead to an application crash or even a possibility of a remote code execution, however, in all the protocols involving Elliptic Curve Cryptography that we're aware of, either only "named curves" are supported, or, if explicit curve parameters are supported, they specify an X9.62 encoding of binary (GF(2^m)) curves that can't represent problematic input values. Thus the likelihood of existence of a vulnerable application is low.

In particular, the X9.62 encoding is used for ECC keys in X.509 certificates, so problematic inputs cannot occur in the context of processing X.509 certificates. Any problematic use-cases would have to be using an "exotic" curve encoding.

The affected APIs include: EC_GROUP_new_curve_GF2m(), EC_GROUP_new_from_params(), and various supporting BN_GF2m_*() functions.

Applications working with "exotic" explicit binary (GF(2^m)) curve parameters, that make it possible to represent invalid field polynomials with a zero constant term, via the above or similar APIs, may terminate abruptly as a result of reading or writing outside of array bounds. Remote code execution cannot easily be ruled out.

The FIPS modules in 3.3, 3.2, 3.1 and 3.0 are not affected by this issue.

Remediation

Upgrade Alpine:3.20 openssl to version 3.3.2-r3 or higher.

References

More about this vulnerability

CVE-2024-13176

low severity
  • Package Manager: alpine:3.20
  • Vulnerable module: openssl/libcrypto3
  • Introduced through: docker-image|public.ecr.aws/docker/library/[email protected] and openssl/[email protected]

Detailed paths

NVD Description

Note: Versions mentioned in the description apply only to the upstream openssl package and not the openssl package as distributed by Alpine. See How to fix? for Alpine:3.20 relevant fixed versions and status.

Issue summary: A timing side-channel which could potentially allow recovering the private key exists in the ECDSA signature computation.

Impact summary: A timing side-channel in ECDSA signature computations could allow recovering the private key by an attacker. However, measuring the timing would require either local access to the signing application or a very fast network connection with low latency.

There is a timing signal of around 300 nanoseconds when the top word of the inverted ECDSA nonce value is zero. This can happen with significant probability only for some of the supported elliptic curves. In particular the NIST P-521 curve is affected. To be able to measure this leak, the attacker process must either be located in the same physical computer or must have a very fast network connection with low latency. For that reason the severity of this vulnerability is Low.

The FIPS modules in 3.4, 3.3, 3.2, 3.1 and 3.0 are affected by this issue.

Remediation

Upgrade Alpine:3.20 openssl to version 3.3.2-r2 or higher.

References

More about this vulnerability

CVE-2024-12797

low severity
  • Package Manager: alpine:3.20
  • Vulnerable module: openssl/libcrypto3
  • Introduced through: docker-image|public.ecr.aws/docker/library/[email protected] and openssl/[email protected]

Detailed paths

NVD Description

Note: Versions mentioned in the description apply only to the upstream openssl package and not the openssl package as distributed by Alpine. See How to fix? for Alpine:3.20 relevant fixed versions and status.

Issue summary: Clients using RFC7250 Raw Public Keys (RPKs) to authenticate a server may fail to notice that the server was not authenticated, because handshakes don't abort as expected when the SSL_VERIFY_PEER verification mode is set.

Impact summary: TLS and DTLS connections using raw public keys may be vulnerable to man-in-middle attacks when server authentication failure is not detected by clients.

RPKs are disabled by default in both TLS clients and TLS servers. The issue only arises when TLS clients explicitly enable RPK use by the server, and the server, likewise, enables sending of an RPK instead of an X.509 certificate chain. The affected clients are those that then rely on the handshake to fail when the server's RPK fails to match one of the expected public keys, by setting the verification mode to SSL_VERIFY_PEER.

Clients that enable server-side raw public keys can still find out that raw public key verification failed by calling SSL_get_verify_result(), and those that do, and take appropriate action, are not affected. This issue was introduced in the initial implementation of RPK support in OpenSSL 3.2.

The FIPS modules in 3.4, 3.3, 3.2, 3.1 and 3.0 are not affected by this issue.

Remediation

Upgrade Alpine:3.20 openssl to version 3.3.3-r0 or higher.

References

More about this vulnerability

CVE-2025-26519

low severity

Detailed paths

NVD Description

Note: Versions mentioned in the description apply only to the upstream musl package and not the musl package as distributed by Alpine. See How to fix? for Alpine:3.20 relevant fixed versions and status.

musl libc 0.9.13 through 1.2.5 before 1.2.6 has an out-of-bounds write vulnerability when an attacker can trigger iconv conversion of untrusted EUC-KR text to UTF-8.

Remediation

Upgrade Alpine:3.20 musl to version 1.2.5-r1 or higher.

References

More about this vulnerability