Try to Fix Seemingly Missing Build Attestations

[JLP04]

For some reason, it looks like build attestations aren't working properly. This PR attempts to fix that by storing them in the index, besides just storing them in the manifest.

[github-actions]

Your image	ghcr.io/jlp04/elevation-generator:test
Current base image	debian:latest

[github-actions]

🔍 Vulnerabilities of ghcr.io/jlp04/elevation-generator:test

📦 Image Reference ghcr.io/jlp04/elevation-generator:test

digest	sha256:4b50cf72886c5239f9bedafb8dbd3d8265f65c06b9bc3b93b3c2fe010a365a98
vulnerabilities
platform	linux/386
size	9.6 GB
packages	956

📦 Base Image debian:424d1fae59bf25f894bff59899426ff2f6bae3fb99129be9dbaa77fca9b2d12a

also known as	latest trixie trixie-20251103
digest	sha256:fdb7185061695712ee2e582b69af7380a06e8a2fa2bd98d9a886a1bf2d97aad7
vulnerabilities

stdlib 1.24.7 (golang) pkg:golang/stdlib@1.24.7 # Dockerfile (241:241) RUN set -o pipefail && curl https://getcroc.schollz.com | bash || curl https://getcroc.schollz.com | sed 's^croc_base_url="https://github.com/schollz/croc/releases/download"^croc_base_url="file://"^g' | bash Affected range <1.24.8 Fixed version 1.24.8 EPSS Score 0.075% EPSS Percentile 23rd percentile Description The ParseAddress function constructeds domain-literal address components through repeated string concatenation. When parsing large domain-literal components, this can cause excessive CPU consumption. Affected range <1.24.8 Fixed version 1.24.8 EPSS Score 0.075% EPSS Percentile 23rd percentile Description The processing time for parsing some invalid inputs scales non-linearly with respect to the size of the input. This affects programs which parse untrusted PEM inputs. Affected range <1.24.8 Fixed version 1.24.8 EPSS Score 0.033% EPSS Percentile 9th percentile Description Validating certificate chains which contain DSA public keys can cause programs to panic, due to a interface cast that assumes they implement the Equal method. This affects programs which validate arbitrary certificate chains. Affected range <1.24.9 Fixed version 1.24.9 EPSS Score 0.017% EPSS Percentile 3rd percentile Description Due to the design of the name constraint checking algorithm, the processing time of some inputs scals non-linearly with respect to the size of the certificate. This affects programs which validate arbitrary certificate chains. Affected range <1.24.8 Fixed version 1.24.8 EPSS Score 0.055% EPSS Percentile 17th percentile Description The Reader.ReadResponse function constructs a response string through repeated string concatenation of lines. When the number of lines in a response is large, this can cause excessive CPU consumption. Affected range <1.24.8 Fixed version 1.24.8 EPSS Score 0.041% EPSS Percentile 12th percentile Description When Conn.Handshake fails during ALPN negotiation the error contains attacker controlled information (the ALPN protocols sent by the client) which is not escaped. Affected range <1.24.8 Fixed version 1.24.8 EPSS Score 0.055% EPSS Percentile 17th percentile Description Despite HTTP headers having a default limit of 1MB, the number of cookies that can be parsed does not have a limit. By sending a lot of very small cookies such as "a=;", an attacker can make an HTTP server allocate a large amount of structs, causing large memory consumption. Affected range <1.24.8 Fixed version 1.24.8 EPSS Score 0.027% EPSS Percentile 6th percentile Description Parsing a maliciously crafted DER payload could allocate large amounts of memory, causing memory exhaustion. Affected range <1.24.8 Fixed version 1.24.8 EPSS Score 0.054% EPSS Percentile 17th percentile Description The Parse function permits values other than IPv6 addresses to be included in square brackets within the host component of a URL. RFC 3986 permits IPv6 addresses to be included within the host component, enclosed within square brackets. For example: "http://[::1]/". IPv4 addresses and hostnames must not appear within square brackets. Parse did not enforce this requirement. Affected range <1.24.8 Fixed version 1.24.8 EPSS Score 0.016% EPSS Percentile 3rd percentile Description tar.Reader does not set a maximum size on the number of sparse region data blocks in GNU tar pax 1.0 sparse files. A maliciously-crafted archive containing a large number of sparse regions can cause a Reader to read an unbounded amount of data from the archive into memory. When reading from a compressed source, a small compressed input can result in large allocations.

jquery-ui 1.11.2 (npm) pkg:npm/jquery-ui@1.11.2 # Dockerfile (227:227) COPY --from=build /tmp/install /flightgear/script/dnc-managed/install Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') Affected range <1.13.0 Fixed version 1.13.0 CVSS Score 6.5 CVSS Vector CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N EPSS Score 22.087% EPSS Percentile 96th percentile Description Impact Accepting the value of the of option of the .position() util from untrusted sources may execute untrusted code. For example, invoking the following code: $( "#element" ).position( { my: "left top", at: "right bottom", of: "<img onerror='doEvilThing()' src='/404' />", collision: "none" } ); will call the doEvilThing() function. Patches The issue is fixed in jQuery UI 1.13.0. Any string value passed to the of option is now treated as a CSS selector. Workarounds A workaround is to not accept the value of the of option from untrusted sources. For more information If you have any questions or comments about this advisory, search for a relevant issue in the jQuery UI repo. If you don't find an answer, open a new issue. Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') Affected range <1.13.0 Fixed version 1.13.0 CVSS Score 6.5 CVSS Vector CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N EPSS Score 2.341% EPSS Percentile 84th percentile Description Impact Accepting the value of various *Text options of the Datepicker widget from untrusted sources may execute untrusted code. For example, initializing the datepicker in the following way: $( "#datepicker" ).datepicker( { showButtonPanel: true, showOn: "both", closeText: "<script>doEvilThing( 'closeText XSS' )</script>", currentText: "<script>doEvilThing( 'currentText XSS' )</script>", prevText: "<script>doEvilThing( 'prevText XSS' )</script>", nextText: "<script>doEvilThing( 'nextText XSS' )</script>", buttonText: "<script>doEvilThing( 'buttonText XSS' )</script>", appendText: "<script>doEvilThing( 'appendText XSS' )</script>", } ); will call doEvilThing with 6 different parameters coming from all *Text options. Patches The issue is fixed in jQuery UI 1.13.0. The values passed to various *Text options are now always treated as pure text, not HTML. Workarounds A workaround is to not accept the value of the *Text options from untrusted sources. For more information If you have any questions or comments about this advisory, search for a relevant issue in the jQuery UI repo. If you don't find an answer, open a new issue. Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') Affected range <1.13.0 Fixed version 1.13.0 CVSS Score 6.5 CVSS Vector CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N EPSS Score 19.260% EPSS Percentile 95th percentile Description Impact Accepting the value of the altField option of the Datepicker widget from untrusted sources may execute untrusted code. For example, initializing the datepicker in the following way: $( "#datepicker" ).datepicker( { altField: "<img onerror='doEvilThing()' src='/404' />", } ); will call the doEvilThing function. Patches The issue is fixed in jQuery UI 1.13.0. Any string value passed to the altField option is now treated as a CSS selector. Workarounds A workaround is to not accept the value of the altField option from untrusted sources. For more information If you have any questions or comments about this advisory, search for a relevant issue in the jQuery UI repo. If you don't find an answer, open a new issue. Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') Affected range <1.13.2 Fixed version 1.13.2 CVSS Score 6.1 CVSS Vector CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N EPSS Score 10.939% EPSS Percentile 93rd percentile Description Impact Initializing a checkboxradio widget on an input enclosed within a label makes that parent label contents considered as the input label. If you call .checkboxradio( "refresh" ) on such a widget and the initial HTML contained encoded HTML entities, they will erroneously get decoded. This can lead to potentially executing JavaScript code. For example, starting with the following initial secure HTML: <label> <input id="test-input"> &lt;img src=x onerror="alert(1)"&gt; </label> and calling: $( "#test-input" ).checkboxradio(); $( "#test-input" ).checkboxradio( "refresh" ); will turn the initial HTML into: <label> <!-- some jQuery UI elements --> <input id="test-input"> <img src=x onerror="alert(1)"> </label> and the alert will get executed. Patches The bug has been patched in jQuery UI 1.13.2. Workarounds To remediate the issue, if you can change the initial HTML, you can wrap all the non-input contents of the label in a span: <label> <input id="test-input"> <span>&lt;img src=x onerror="alert(1)"&gt;</span> </label> References https://blog.jqueryui.com/2022/07/jquery-ui-1-13-2-released/ For more information If you have any questions or comments about this advisory, search for a relevant issue in the jQuery UI repo. If you don't find an answer, open a new issue. Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') Affected range <1.12.0 Fixed version 1.12.0 CVSS Score 6.1 CVSS Vector CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N EPSS Score 1.383% EPSS Percentile 80th percentile Description Affected versions of jquery-ui are vulnerable to a cross-site scripting vulnerability when arbitrary user input is supplied as the value of the closeText parameter in the dialog function. jQuery-UI is a library for manipulating UI elements via jQuery. Version 1.11.4 has a cross site scripting (XSS) vulnerability in the closeText parameter of the dialog function. If your application passes user input to this parameter, it may be vulnerable to XSS via this attack vector. Recommendation Upgrade to jQuery-UI 1.12.0 or later. OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities Affected range <=1.11.4 Fixed version 1.12.0 Description jQuery-UI has a cross site scripting (XSS) vulnerability in the closeText parameter of the dialog function. If your application passes user input to this parameter, it may be vulnerable to XSS via this attack vector.

[github-actions]

Recommended fixes for image (linux/386) ghcr.io/jlp04/elevation-generator:test

Base image is debian:latest

Name	424d1fae59bf25f894bff59899426ff2f6bae3fb99129be9dbaa77fca9b2d12a
Digest	sha256:fdb7185061695712ee2e582b69af7380a06e8a2fa2bd98d9a886a1bf2d97aad7
Vulnerabilities
Pushed	1 week ago
Size	51 MB
Packages	111

The base image is also available under the supported tag(s): trixie, trixie-20251103

Refresh base image

Rebuild the image using a newer base image version. Updating this may result in breaking changes.

✅ This image version is up to date.

Change base image

✅ There are no tag recommendations at this time.

[github-actions]

Overview

Image reference	jlp04/elevation-generator:latest	ghcr.io/jlp04/elevation-generator:test
- digest	4fa5833b1db7	4b50cf72886c
- tag	latest	test
- provenance	https://github.com/JLP04/docker-elevation-generator.git#700a62ec6c22e8b2e497d732ec57ede592cc8395/commit/700a62ec6c22e8b2e497d732ec57ede592cc8395	https://github.com/JLP04/docker-elevation-generator.git#refs/pull/7/merge/commit/cffad264cbfe82416ed2b96d3ecf1efe30212ab9
- vulnerabilities
- platform	linux/386	linux/386
- size	9.6 GB	9.6 GB (+5.5 MB)
- packages	956	956
Base Image	debian:latest also known as: • trixie • trixie-20251103	debian:latest also known as: • trixie • trixie-20251103
- vulnerabilities

[github-actions]

Your image	ghcr.io/jlp04/elevation-generator:test
Current base image	debian:latest

[github-actions]

🔍 Vulnerabilities of ghcr.io/jlp04/elevation-generator:test

📦 Image Reference ghcr.io/jlp04/elevation-generator:test

digest	sha256:56ad3126815b313e8e1d0296b95b8ca7b559df49d7b6badf3e1a81483c169a5a
vulnerabilities
platform	linux/amd64
size	9.6 GB
packages	960

📦 Base Image debian:latest

also known as	trixie trixie-20251103
digest	sha256:75a32e5b9e4aecc3454bab811b66fb98c8a44679915cf93f7d47370f6a7fb643
vulnerabilities

stdlib 1.24.7 (golang) pkg:golang/stdlib@1.24.7 # Dockerfile (241:241) RUN set -o pipefail && curl https://getcroc.schollz.com | bash || curl https://getcroc.schollz.com | sed 's^croc_base_url="https://github.com/schollz/croc/releases/download"^croc_base_url="file://"^g' | bash Affected range <1.24.8 Fixed version 1.24.8 EPSS Score 0.075% EPSS Percentile 23rd percentile Description The ParseAddress function constructeds domain-literal address components through repeated string concatenation. When parsing large domain-literal components, this can cause excessive CPU consumption. Affected range <1.24.8 Fixed version 1.24.8 EPSS Score 0.075% EPSS Percentile 23rd percentile Description The processing time for parsing some invalid inputs scales non-linearly with respect to the size of the input. This affects programs which parse untrusted PEM inputs. Affected range <1.24.8 Fixed version 1.24.8 EPSS Score 0.033% EPSS Percentile 9th percentile Description Validating certificate chains which contain DSA public keys can cause programs to panic, due to a interface cast that assumes they implement the Equal method. This affects programs which validate arbitrary certificate chains. Affected range <1.24.9 Fixed version 1.24.9 EPSS Score 0.017% EPSS Percentile 3rd percentile Description Due to the design of the name constraint checking algorithm, the processing time of some inputs scals non-linearly with respect to the size of the certificate. This affects programs which validate arbitrary certificate chains. Affected range <1.24.8 Fixed version 1.24.8 EPSS Score 0.055% EPSS Percentile 17th percentile Description The Reader.ReadResponse function constructs a response string through repeated string concatenation of lines. When the number of lines in a response is large, this can cause excessive CPU consumption. Affected range <1.24.8 Fixed version 1.24.8 EPSS Score 0.041% EPSS Percentile 12th percentile Description When Conn.Handshake fails during ALPN negotiation the error contains attacker controlled information (the ALPN protocols sent by the client) which is not escaped. Affected range <1.24.8 Fixed version 1.24.8 EPSS Score 0.055% EPSS Percentile 17th percentile Description Despite HTTP headers having a default limit of 1MB, the number of cookies that can be parsed does not have a limit. By sending a lot of very small cookies such as "a=;", an attacker can make an HTTP server allocate a large amount of structs, causing large memory consumption. Affected range <1.24.8 Fixed version 1.24.8 EPSS Score 0.027% EPSS Percentile 6th percentile Description Parsing a maliciously crafted DER payload could allocate large amounts of memory, causing memory exhaustion. Affected range <1.24.8 Fixed version 1.24.8 EPSS Score 0.054% EPSS Percentile 17th percentile Description The Parse function permits values other than IPv6 addresses to be included in square brackets within the host component of a URL. RFC 3986 permits IPv6 addresses to be included within the host component, enclosed within square brackets. For example: "http://[::1]/". IPv4 addresses and hostnames must not appear within square brackets. Parse did not enforce this requirement. Affected range <1.24.8 Fixed version 1.24.8 EPSS Score 0.016% EPSS Percentile 3rd percentile Description tar.Reader does not set a maximum size on the number of sparse region data blocks in GNU tar pax 1.0 sparse files. A maliciously-crafted archive containing a large number of sparse regions can cause a Reader to read an unbounded amount of data from the archive into memory. When reading from a compressed source, a small compressed input can result in large allocations.

jquery-ui 1.11.2 (npm) pkg:npm/jquery-ui@1.11.2 # Dockerfile (227:227) COPY --from=build /tmp/install /flightgear/script/dnc-managed/install Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') Affected range <1.13.0 Fixed version 1.13.0 CVSS Score 6.5 CVSS Vector CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N EPSS Score 22.087% EPSS Percentile 96th percentile Description Impact Accepting the value of the of option of the .position() util from untrusted sources may execute untrusted code. For example, invoking the following code: $( "#element" ).position( { my: "left top", at: "right bottom", of: "<img onerror='doEvilThing()' src='/404' />", collision: "none" } ); will call the doEvilThing() function. Patches The issue is fixed in jQuery UI 1.13.0. Any string value passed to the of option is now treated as a CSS selector. Workarounds A workaround is to not accept the value of the of option from untrusted sources. For more information If you have any questions or comments about this advisory, search for a relevant issue in the jQuery UI repo. If you don't find an answer, open a new issue. Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') Affected range <1.13.0 Fixed version 1.13.0 CVSS Score 6.5 CVSS Vector CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N EPSS Score 2.341% EPSS Percentile 84th percentile Description Impact Accepting the value of various *Text options of the Datepicker widget from untrusted sources may execute untrusted code. For example, initializing the datepicker in the following way: $( "#datepicker" ).datepicker( { showButtonPanel: true, showOn: "both", closeText: "<script>doEvilThing( 'closeText XSS' )</script>", currentText: "<script>doEvilThing( 'currentText XSS' )</script>", prevText: "<script>doEvilThing( 'prevText XSS' )</script>", nextText: "<script>doEvilThing( 'nextText XSS' )</script>", buttonText: "<script>doEvilThing( 'buttonText XSS' )</script>", appendText: "<script>doEvilThing( 'appendText XSS' )</script>", } ); will call doEvilThing with 6 different parameters coming from all *Text options. Patches The issue is fixed in jQuery UI 1.13.0. The values passed to various *Text options are now always treated as pure text, not HTML. Workarounds A workaround is to not accept the value of the *Text options from untrusted sources. For more information If you have any questions or comments about this advisory, search for a relevant issue in the jQuery UI repo. If you don't find an answer, open a new issue. Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') Affected range <1.13.0 Fixed version 1.13.0 CVSS Score 6.5 CVSS Vector CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N EPSS Score 19.260% EPSS Percentile 95th percentile Description Impact Accepting the value of the altField option of the Datepicker widget from untrusted sources may execute untrusted code. For example, initializing the datepicker in the following way: $( "#datepicker" ).datepicker( { altField: "<img onerror='doEvilThing()' src='/404' />", } ); will call the doEvilThing function. Patches The issue is fixed in jQuery UI 1.13.0. Any string value passed to the altField option is now treated as a CSS selector. Workarounds A workaround is to not accept the value of the altField option from untrusted sources. For more information If you have any questions or comments about this advisory, search for a relevant issue in the jQuery UI repo. If you don't find an answer, open a new issue. Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') Affected range <1.13.2 Fixed version 1.13.2 CVSS Score 6.1 CVSS Vector CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N EPSS Score 10.939% EPSS Percentile 93rd percentile Description Impact Initializing a checkboxradio widget on an input enclosed within a label makes that parent label contents considered as the input label. If you call .checkboxradio( "refresh" ) on such a widget and the initial HTML contained encoded HTML entities, they will erroneously get decoded. This can lead to potentially executing JavaScript code. For example, starting with the following initial secure HTML: <label> <input id="test-input"> &lt;img src=x onerror="alert(1)"&gt; </label> and calling: $( "#test-input" ).checkboxradio(); $( "#test-input" ).checkboxradio( "refresh" ); will turn the initial HTML into: <label> <!-- some jQuery UI elements --> <input id="test-input"> <img src=x onerror="alert(1)"> </label> and the alert will get executed. Patches The bug has been patched in jQuery UI 1.13.2. Workarounds To remediate the issue, if you can change the initial HTML, you can wrap all the non-input contents of the label in a span: <label> <input id="test-input"> <span>&lt;img src=x onerror="alert(1)"&gt;</span> </label> References https://blog.jqueryui.com/2022/07/jquery-ui-1-13-2-released/ For more information If you have any questions or comments about this advisory, search for a relevant issue in the jQuery UI repo. If you don't find an answer, open a new issue. Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') Affected range <1.12.0 Fixed version 1.12.0 CVSS Score 6.1 CVSS Vector CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N EPSS Score 1.383% EPSS Percentile 80th percentile Description Affected versions of jquery-ui are vulnerable to a cross-site scripting vulnerability when arbitrary user input is supplied as the value of the closeText parameter in the dialog function. jQuery-UI is a library for manipulating UI elements via jQuery. Version 1.11.4 has a cross site scripting (XSS) vulnerability in the closeText parameter of the dialog function. If your application passes user input to this parameter, it may be vulnerable to XSS via this attack vector. Recommendation Upgrade to jQuery-UI 1.12.0 or later. OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities Affected range <=1.11.4 Fixed version 1.12.0 Description jQuery-UI has a cross site scripting (XSS) vulnerability in the closeText parameter of the dialog function. If your application passes user input to this parameter, it may be vulnerable to XSS via this attack vector.

[github-actions]

Recommended fixes for image (linux/amd64) ghcr.io/jlp04/elevation-generator:test

Base image is debian:latest

Name	latest
Digest	sha256:75a32e5b9e4aecc3454bab811b66fb98c8a44679915cf93f7d47370f6a7fb643
Vulnerabilities
Pushed	1 week ago
Size	49 MB
Packages	111

The base image is also available under the supported tag(s): trixie, trixie-20251103

Refresh base image

Rebuild the image using a newer base image version. Updating this may result in breaking changes.

✅ This image version is up to date.

Change base image

✅ There are no tag recommendations at this time.

[github-actions]

Overview

Image reference	jlp04/elevation-generator:latest	ghcr.io/jlp04/elevation-generator:test
- digest	9e778ba9b2b1	56ad3126815b
- tag	latest	test
- provenance	https://github.com/JLP04/docker-elevation-generator.git#700a62ec6c22e8b2e497d732ec57ede592cc8395/commit/700a62ec6c22e8b2e497d732ec57ede592cc8395	https://github.com/JLP04/docker-elevation-generator.git#refs/pull/7/merge/commit/cffad264cbfe82416ed2b96d3ecf1efe30212ab9
- vulnerabilities
- platform	linux/amd64	linux/amd64
- size	9.6 GB	9.6 GB (+5.5 MB)
- packages	960	960
Base Image	debian:latest also known as: • trixie • trixie-20251103	debian:latest also known as: • trixie • trixie-20251103
- vulnerabilities

[github-actions]

Your image	ghcr.io/jlp04/elevation-generator:test
Current base image	debian:latest

[github-actions]

🔍 Vulnerabilities of ghcr.io/jlp04/elevation-generator:test

📦 Image Reference ghcr.io/jlp04/elevation-generator:test

digest	sha256:5e4fb3cc966b39d2779fef7d5c9e17a7d508dc66338e18ff14065a9604956e5b
vulnerabilities
platform	linux/arm/v5
size	9.6 GB
packages	944

📦 Base Image debian:13

also known as	13.1 latest trixie trixie-20251103
digest	sha256:3ca8f9d6767b24a595e9d7b48da467be6eee8e1865537c202fc0425749e0ca58
vulnerabilities

stdlib 1.24.7 (golang) pkg:golang/stdlib@1.24.7 # Dockerfile (241:241) RUN set -o pipefail && curl https://getcroc.schollz.com | bash || curl https://getcroc.schollz.com | sed 's^croc_base_url="https://github.com/schollz/croc/releases/download"^croc_base_url="file://"^g' | bash Affected range <1.24.8 Fixed version 1.24.8 EPSS Score 0.075% EPSS Percentile 23rd percentile Description The ParseAddress function constructeds domain-literal address components through repeated string concatenation. When parsing large domain-literal components, this can cause excessive CPU consumption. Affected range <1.24.8 Fixed version 1.24.8 EPSS Score 0.075% EPSS Percentile 23rd percentile Description The processing time for parsing some invalid inputs scales non-linearly with respect to the size of the input. This affects programs which parse untrusted PEM inputs. Affected range <1.24.8 Fixed version 1.24.8 EPSS Score 0.033% EPSS Percentile 9th percentile Description Validating certificate chains which contain DSA public keys can cause programs to panic, due to a interface cast that assumes they implement the Equal method. This affects programs which validate arbitrary certificate chains. Affected range <1.24.9 Fixed version 1.24.9 EPSS Score 0.017% EPSS Percentile 3rd percentile Description Due to the design of the name constraint checking algorithm, the processing time of some inputs scals non-linearly with respect to the size of the certificate. This affects programs which validate arbitrary certificate chains. Affected range <1.24.8 Fixed version 1.24.8 EPSS Score 0.055% EPSS Percentile 17th percentile Description The Reader.ReadResponse function constructs a response string through repeated string concatenation of lines. When the number of lines in a response is large, this can cause excessive CPU consumption. Affected range <1.24.8 Fixed version 1.24.8 EPSS Score 0.041% EPSS Percentile 12th percentile Description When Conn.Handshake fails during ALPN negotiation the error contains attacker controlled information (the ALPN protocols sent by the client) which is not escaped. Affected range <1.24.8 Fixed version 1.24.8 EPSS Score 0.055% EPSS Percentile 17th percentile Description Despite HTTP headers having a default limit of 1MB, the number of cookies that can be parsed does not have a limit. By sending a lot of very small cookies such as "a=;", an attacker can make an HTTP server allocate a large amount of structs, causing large memory consumption. Affected range <1.24.8 Fixed version 1.24.8 EPSS Score 0.027% EPSS Percentile 6th percentile Description Parsing a maliciously crafted DER payload could allocate large amounts of memory, causing memory exhaustion. Affected range <1.24.8 Fixed version 1.24.8 EPSS Score 0.054% EPSS Percentile 17th percentile Description The Parse function permits values other than IPv6 addresses to be included in square brackets within the host component of a URL. RFC 3986 permits IPv6 addresses to be included within the host component, enclosed within square brackets. For example: "http://[::1]/". IPv4 addresses and hostnames must not appear within square brackets. Parse did not enforce this requirement. Affected range <1.24.8 Fixed version 1.24.8 EPSS Score 0.016% EPSS Percentile 3rd percentile Description tar.Reader does not set a maximum size on the number of sparse region data blocks in GNU tar pax 1.0 sparse files. A maliciously-crafted archive containing a large number of sparse regions can cause a Reader to read an unbounded amount of data from the archive into memory. When reading from a compressed source, a small compressed input can result in large allocations.

jquery-ui 1.11.2 (npm) pkg:npm/jquery-ui@1.11.2 # Dockerfile (227:227) COPY --from=build /tmp/install /flightgear/script/dnc-managed/install Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') Affected range <1.13.0 Fixed version 1.13.0 CVSS Score 6.5 CVSS Vector CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N EPSS Score 22.087% EPSS Percentile 96th percentile Description Impact Accepting the value of the of option of the .position() util from untrusted sources may execute untrusted code. For example, invoking the following code: $( "#element" ).position( { my: "left top", at: "right bottom", of: "<img onerror='doEvilThing()' src='/404' />", collision: "none" } ); will call the doEvilThing() function. Patches The issue is fixed in jQuery UI 1.13.0. Any string value passed to the of option is now treated as a CSS selector. Workarounds A workaround is to not accept the value of the of option from untrusted sources. For more information If you have any questions or comments about this advisory, search for a relevant issue in the jQuery UI repo. If you don't find an answer, open a new issue. Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') Affected range <1.13.0 Fixed version 1.13.0 CVSS Score 6.5 CVSS Vector CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N EPSS Score 2.341% EPSS Percentile 84th percentile Description Impact Accepting the value of various *Text options of the Datepicker widget from untrusted sources may execute untrusted code. For example, initializing the datepicker in the following way: $( "#datepicker" ).datepicker( { showButtonPanel: true, showOn: "both", closeText: "<script>doEvilThing( 'closeText XSS' )</script>", currentText: "<script>doEvilThing( 'currentText XSS' )</script>", prevText: "<script>doEvilThing( 'prevText XSS' )</script>", nextText: "<script>doEvilThing( 'nextText XSS' )</script>", buttonText: "<script>doEvilThing( 'buttonText XSS' )</script>", appendText: "<script>doEvilThing( 'appendText XSS' )</script>", } ); will call doEvilThing with 6 different parameters coming from all *Text options. Patches The issue is fixed in jQuery UI 1.13.0. The values passed to various *Text options are now always treated as pure text, not HTML. Workarounds A workaround is to not accept the value of the *Text options from untrusted sources. For more information If you have any questions or comments about this advisory, search for a relevant issue in the jQuery UI repo. If you don't find an answer, open a new issue. Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') Affected range <1.13.0 Fixed version 1.13.0 CVSS Score 6.5 CVSS Vector CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N EPSS Score 19.260% EPSS Percentile 95th percentile Description Impact Accepting the value of the altField option of the Datepicker widget from untrusted sources may execute untrusted code. For example, initializing the datepicker in the following way: $( "#datepicker" ).datepicker( { altField: "<img onerror='doEvilThing()' src='/404' />", } ); will call the doEvilThing function. Patches The issue is fixed in jQuery UI 1.13.0. Any string value passed to the altField option is now treated as a CSS selector. Workarounds A workaround is to not accept the value of the altField option from untrusted sources. For more information If you have any questions or comments about this advisory, search for a relevant issue in the jQuery UI repo. If you don't find an answer, open a new issue. Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') Affected range <1.13.2 Fixed version 1.13.2 CVSS Score 6.1 CVSS Vector CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N EPSS Score 10.939% EPSS Percentile 93rd percentile Description Impact Initializing a checkboxradio widget on an input enclosed within a label makes that parent label contents considered as the input label. If you call .checkboxradio( "refresh" ) on such a widget and the initial HTML contained encoded HTML entities, they will erroneously get decoded. This can lead to potentially executing JavaScript code. For example, starting with the following initial secure HTML: <label> <input id="test-input"> &lt;img src=x onerror="alert(1)"&gt; </label> and calling: $( "#test-input" ).checkboxradio(); $( "#test-input" ).checkboxradio( "refresh" ); will turn the initial HTML into: <label> <!-- some jQuery UI elements --> <input id="test-input"> <img src=x onerror="alert(1)"> </label> and the alert will get executed. Patches The bug has been patched in jQuery UI 1.13.2. Workarounds To remediate the issue, if you can change the initial HTML, you can wrap all the non-input contents of the label in a span: <label> <input id="test-input"> <span>&lt;img src=x onerror="alert(1)"&gt;</span> </label> References https://blog.jqueryui.com/2022/07/jquery-ui-1-13-2-released/ For more information If you have any questions or comments about this advisory, search for a relevant issue in the jQuery UI repo. If you don't find an answer, open a new issue. Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') Affected range <1.12.0 Fixed version 1.12.0 CVSS Score 6.1 CVSS Vector CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N EPSS Score 1.383% EPSS Percentile 80th percentile Description Affected versions of jquery-ui are vulnerable to a cross-site scripting vulnerability when arbitrary user input is supplied as the value of the closeText parameter in the dialog function. jQuery-UI is a library for manipulating UI elements via jQuery. Version 1.11.4 has a cross site scripting (XSS) vulnerability in the closeText parameter of the dialog function. If your application passes user input to this parameter, it may be vulnerable to XSS via this attack vector. Recommendation Upgrade to jQuery-UI 1.12.0 or later. OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities Affected range <=1.11.4 Fixed version 1.12.0 Description jQuery-UI has a cross site scripting (XSS) vulnerability in the closeText parameter of the dialog function. If your application passes user input to this parameter, it may be vulnerable to XSS via this attack vector.

[github-actions]

Recommended fixes for image (linux/arm/v5) ghcr.io/jlp04/elevation-generator:test

Base image is debian:latest

Name	13.1
Digest	sha256:3ca8f9d6767b24a595e9d7b48da467be6eee8e1865537c202fc0425749e0ca58
Vulnerabilities
Pushed	1 week ago
Size	47 MB
Packages	112
OS	13.1

The base image is also available under the supported tag(s): 13, 13.1, trixie, trixie-20251103

Refresh base image

Rebuild the image using a newer base image version. Updating this may result in breaking changes.

✅ This image version is up to date.

Change base image

✅ There are no tag recommendations at this time.

[github-actions]

Overview

Image reference	jlp04/elevation-generator:latest	ghcr.io/jlp04/elevation-generator:test
- digest	5b56b79fcf47	5e4fb3cc966b
- tag	latest	test
- provenance	https://github.com/JLP04/docker-elevation-generator.git#700a62ec6c22e8b2e497d732ec57ede592cc8395/commit/700a62ec6c22e8b2e497d732ec57ede592cc8395	https://github.com/JLP04/docker-elevation-generator.git#refs/pull/7/merge/commit/cffad264cbfe82416ed2b96d3ecf1efe30212ab9
- vulnerabilities
- platform	linux/arm	linux/arm
- size	9.6 GB	9.6 GB (+5.5 MB)
- packages	944	944
Base Image	debian:latest also known as: • 13 • 13.1 • trixie • trixie-20251103	debian:latest also known as: • 13 • 13.1 • trixie • trixie-20251103
- vulnerabilities

[github-actions]

Your image	ghcr.io/jlp04/elevation-generator:test
Current base image	debian:latest

[github-actions]

🔍 Vulnerabilities of ghcr.io/jlp04/elevation-generator:test

📦 Image Reference ghcr.io/jlp04/elevation-generator:test

digest	sha256:d6700809ef762b3d1074a645ab5b201326ec9b211cadc0a4243a72a54890ee49
vulnerabilities
platform	linux/arm/v7
size	9.6 GB
packages	943

📦 Base Image debian:13

also known as	13.1 latest trixie trixie-20251103
digest	sha256:53108ecebd894f991437a620f41ff80251ebdb3ae3cf63ee8ea759a1bfa2787f
vulnerabilities

stdlib 1.24.7 (golang) pkg:golang/stdlib@1.24.7 # Dockerfile (241:241) RUN set -o pipefail && curl https://getcroc.schollz.com | bash || curl https://getcroc.schollz.com | sed 's^croc_base_url="https://github.com/schollz/croc/releases/download"^croc_base_url="file://"^g' | bash Affected range <1.24.8 Fixed version 1.24.8 EPSS Score 0.075% EPSS Percentile 23rd percentile Description The ParseAddress function constructeds domain-literal address components through repeated string concatenation. When parsing large domain-literal components, this can cause excessive CPU consumption. Affected range <1.24.8 Fixed version 1.24.8 EPSS Score 0.075% EPSS Percentile 23rd percentile Description The processing time for parsing some invalid inputs scales non-linearly with respect to the size of the input. This affects programs which parse untrusted PEM inputs. Affected range <1.24.8 Fixed version 1.24.8 EPSS Score 0.033% EPSS Percentile 9th percentile Description Validating certificate chains which contain DSA public keys can cause programs to panic, due to a interface cast that assumes they implement the Equal method. This affects programs which validate arbitrary certificate chains. Affected range <1.24.9 Fixed version 1.24.9 EPSS Score 0.017% EPSS Percentile 3rd percentile Description Due to the design of the name constraint checking algorithm, the processing time of some inputs scals non-linearly with respect to the size of the certificate. This affects programs which validate arbitrary certificate chains. Affected range <1.24.8 Fixed version 1.24.8 EPSS Score 0.055% EPSS Percentile 17th percentile Description The Reader.ReadResponse function constructs a response string through repeated string concatenation of lines. When the number of lines in a response is large, this can cause excessive CPU consumption. Affected range <1.24.8 Fixed version 1.24.8 EPSS Score 0.041% EPSS Percentile 12th percentile Description When Conn.Handshake fails during ALPN negotiation the error contains attacker controlled information (the ALPN protocols sent by the client) which is not escaped. Affected range <1.24.8 Fixed version 1.24.8 EPSS Score 0.055% EPSS Percentile 17th percentile Description Despite HTTP headers having a default limit of 1MB, the number of cookies that can be parsed does not have a limit. By sending a lot of very small cookies such as "a=;", an attacker can make an HTTP server allocate a large amount of structs, causing large memory consumption. Affected range <1.24.8 Fixed version 1.24.8 EPSS Score 0.027% EPSS Percentile 6th percentile Description Parsing a maliciously crafted DER payload could allocate large amounts of memory, causing memory exhaustion. Affected range <1.24.8 Fixed version 1.24.8 EPSS Score 0.054% EPSS Percentile 17th percentile Description The Parse function permits values other than IPv6 addresses to be included in square brackets within the host component of a URL. RFC 3986 permits IPv6 addresses to be included within the host component, enclosed within square brackets. For example: "http://[::1]/". IPv4 addresses and hostnames must not appear within square brackets. Parse did not enforce this requirement. Affected range <1.24.8 Fixed version 1.24.8 EPSS Score 0.016% EPSS Percentile 3rd percentile Description tar.Reader does not set a maximum size on the number of sparse region data blocks in GNU tar pax 1.0 sparse files. A maliciously-crafted archive containing a large number of sparse regions can cause a Reader to read an unbounded amount of data from the archive into memory. When reading from a compressed source, a small compressed input can result in large allocations.

jquery-ui 1.11.2 (npm) pkg:npm/jquery-ui@1.11.2 # Dockerfile (227:227) COPY --from=build /tmp/install /flightgear/script/dnc-managed/install Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') Affected range <1.13.0 Fixed version 1.13.0 CVSS Score 6.5 CVSS Vector CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N EPSS Score 22.087% EPSS Percentile 96th percentile Description Impact Accepting the value of the of option of the .position() util from untrusted sources may execute untrusted code. For example, invoking the following code: $( "#element" ).position( { my: "left top", at: "right bottom", of: "<img onerror='doEvilThing()' src='/404' />", collision: "none" } ); will call the doEvilThing() function. Patches The issue is fixed in jQuery UI 1.13.0. Any string value passed to the of option is now treated as a CSS selector. Workarounds A workaround is to not accept the value of the of option from untrusted sources. For more information If you have any questions or comments about this advisory, search for a relevant issue in the jQuery UI repo. If you don't find an answer, open a new issue. Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') Affected range <1.13.0 Fixed version 1.13.0 CVSS Score 6.5 CVSS Vector CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N EPSS Score 2.341% EPSS Percentile 84th percentile Description Impact Accepting the value of various *Text options of the Datepicker widget from untrusted sources may execute untrusted code. For example, initializing the datepicker in the following way: $( "#datepicker" ).datepicker( { showButtonPanel: true, showOn: "both", closeText: "<script>doEvilThing( 'closeText XSS' )</script>", currentText: "<script>doEvilThing( 'currentText XSS' )</script>", prevText: "<script>doEvilThing( 'prevText XSS' )</script>", nextText: "<script>doEvilThing( 'nextText XSS' )</script>", buttonText: "<script>doEvilThing( 'buttonText XSS' )</script>", appendText: "<script>doEvilThing( 'appendText XSS' )</script>", } ); will call doEvilThing with 6 different parameters coming from all *Text options. Patches The issue is fixed in jQuery UI 1.13.0. The values passed to various *Text options are now always treated as pure text, not HTML. Workarounds A workaround is to not accept the value of the *Text options from untrusted sources. For more information If you have any questions or comments about this advisory, search for a relevant issue in the jQuery UI repo. If you don't find an answer, open a new issue. Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') Affected range <1.13.0 Fixed version 1.13.0 CVSS Score 6.5 CVSS Vector CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N EPSS Score 19.260% EPSS Percentile 95th percentile Description Impact Accepting the value of the altField option of the Datepicker widget from untrusted sources may execute untrusted code. For example, initializing the datepicker in the following way: $( "#datepicker" ).datepicker( { altField: "<img onerror='doEvilThing()' src='/404' />", } ); will call the doEvilThing function. Patches The issue is fixed in jQuery UI 1.13.0. Any string value passed to the altField option is now treated as a CSS selector. Workarounds A workaround is to not accept the value of the altField option from untrusted sources. For more information If you have any questions or comments about this advisory, search for a relevant issue in the jQuery UI repo. If you don't find an answer, open a new issue. Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') Affected range <1.13.2 Fixed version 1.13.2 CVSS Score 6.1 CVSS Vector CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N EPSS Score 10.939% EPSS Percentile 93rd percentile Description Impact Initializing a checkboxradio widget on an input enclosed within a label makes that parent label contents considered as the input label. If you call .checkboxradio( "refresh" ) on such a widget and the initial HTML contained encoded HTML entities, they will erroneously get decoded. This can lead to potentially executing JavaScript code. For example, starting with the following initial secure HTML: <label> <input id="test-input"> &lt;img src=x onerror="alert(1)"&gt; </label> and calling: $( "#test-input" ).checkboxradio(); $( "#test-input" ).checkboxradio( "refresh" ); will turn the initial HTML into: <label> <!-- some jQuery UI elements --> <input id="test-input"> <img src=x onerror="alert(1)"> </label> and the alert will get executed. Patches The bug has been patched in jQuery UI 1.13.2. Workarounds To remediate the issue, if you can change the initial HTML, you can wrap all the non-input contents of the label in a span: <label> <input id="test-input"> <span>&lt;img src=x onerror="alert(1)"&gt;</span> </label> References https://blog.jqueryui.com/2022/07/jquery-ui-1-13-2-released/ For more information If you have any questions or comments about this advisory, search for a relevant issue in the jQuery UI repo. If you don't find an answer, open a new issue. Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') Affected range <1.12.0 Fixed version 1.12.0 CVSS Score 6.1 CVSS Vector CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N EPSS Score 1.383% EPSS Percentile 80th percentile Description Affected versions of jquery-ui are vulnerable to a cross-site scripting vulnerability when arbitrary user input is supplied as the value of the closeText parameter in the dialog function. jQuery-UI is a library for manipulating UI elements via jQuery. Version 1.11.4 has a cross site scripting (XSS) vulnerability in the closeText parameter of the dialog function. If your application passes user input to this parameter, it may be vulnerable to XSS via this attack vector. Recommendation Upgrade to jQuery-UI 1.12.0 or later. OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities Affected range <=1.11.4 Fixed version 1.12.0 Description jQuery-UI has a cross site scripting (XSS) vulnerability in the closeText parameter of the dialog function. If your application passes user input to this parameter, it may be vulnerable to XSS via this attack vector.

[github-actions]

Recommended fixes for image (linux/arm/v7) ghcr.io/jlp04/elevation-generator:test

Base image is debian:latest

Name	13.1
Digest	sha256:53108ecebd894f991437a620f41ff80251ebdb3ae3cf63ee8ea759a1bfa2787f
Vulnerabilities
Pushed	1 week ago
Size	46 MB
Packages	111
OS	13.1

The base image is also available under the supported tag(s): 13, 13.1, trixie, trixie-20251103

Refresh base image

Rebuild the image using a newer base image version. Updating this may result in breaking changes.

✅ This image version is up to date.

Change base image

✅ There are no tag recommendations at this time.

[github-actions]

Overview

Image reference	jlp04/elevation-generator:latest	ghcr.io/jlp04/elevation-generator:test
- digest	016ca1db45e2	d6700809ef76
- tag	latest	test
- provenance	https://github.com/JLP04/docker-elevation-generator.git#700a62ec6c22e8b2e497d732ec57ede592cc8395/commit/700a62ec6c22e8b2e497d732ec57ede592cc8395	https://github.com/JLP04/docker-elevation-generator.git#refs/pull/7/merge/commit/cffad264cbfe82416ed2b96d3ecf1efe30212ab9
- vulnerabilities
- platform	linux/arm	linux/arm
- size	9.6 GB	9.6 GB (+5.5 MB)
- packages	943	943
Base Image	debian:latest also known as: • 13 • 13.1 • trixie • trixie-20251103	debian:latest also known as: • 13 • 13.1 • trixie • trixie-20251103
- vulnerabilities

[github-actions]

Your image	ghcr.io/jlp04/elevation-generator:test
Current base image	debian:latest

[github-actions]

🔍 Vulnerabilities of ghcr.io/jlp04/elevation-generator:test

📦 Image Reference ghcr.io/jlp04/elevation-generator:test

digest	sha256:19275a171c708ac12bdc3fc43b098f226314f9704bab33f1c272f1e1b579896b
vulnerabilities
platform	linux/arm64
size	9.6 GB
packages	957

📦 Base Image debian:latest

also known as	trixie trixie-20251103
digest	sha256:a43fe46cf3e88c667433fc9e6bc35b27373b412b9e3c6bc95ddada26174f1937
vulnerabilities

stdlib 1.24.7 (golang) pkg:golang/stdlib@1.24.7 # Dockerfile (241:241) RUN set -o pipefail && curl https://getcroc.schollz.com | bash || curl https://getcroc.schollz.com | sed 's^croc_base_url="https://github.com/schollz/croc/releases/download"^croc_base_url="file://"^g' | bash Affected range <1.24.8 Fixed version 1.24.8 EPSS Score 0.075% EPSS Percentile 23rd percentile Description The ParseAddress function constructeds domain-literal address components through repeated string concatenation. When parsing large domain-literal components, this can cause excessive CPU consumption. Affected range <1.24.8 Fixed version 1.24.8 EPSS Score 0.075% EPSS Percentile 23rd percentile Description The processing time for parsing some invalid inputs scales non-linearly with respect to the size of the input. This affects programs which parse untrusted PEM inputs. Affected range <1.24.8 Fixed version 1.24.8 EPSS Score 0.033% EPSS Percentile 9th percentile Description Validating certificate chains which contain DSA public keys can cause programs to panic, due to a interface cast that assumes they implement the Equal method. This affects programs which validate arbitrary certificate chains. Affected range <1.24.9 Fixed version 1.24.9 EPSS Score 0.017% EPSS Percentile 3rd percentile Description Due to the design of the name constraint checking algorithm, the processing time of some inputs scals non-linearly with respect to the size of the certificate. This affects programs which validate arbitrary certificate chains. Affected range <1.24.8 Fixed version 1.24.8 EPSS Score 0.055% EPSS Percentile 17th percentile Description The Reader.ReadResponse function constructs a response string through repeated string concatenation of lines. When the number of lines in a response is large, this can cause excessive CPU consumption. Affected range <1.24.8 Fixed version 1.24.8 EPSS Score 0.041% EPSS Percentile 12th percentile Description When Conn.Handshake fails during ALPN negotiation the error contains attacker controlled information (the ALPN protocols sent by the client) which is not escaped. Affected range <1.24.8 Fixed version 1.24.8 EPSS Score 0.055% EPSS Percentile 17th percentile Description Despite HTTP headers having a default limit of 1MB, the number of cookies that can be parsed does not have a limit. By sending a lot of very small cookies such as "a=;", an attacker can make an HTTP server allocate a large amount of structs, causing large memory consumption. Affected range <1.24.8 Fixed version 1.24.8 EPSS Score 0.027% EPSS Percentile 6th percentile Description Parsing a maliciously crafted DER payload could allocate large amounts of memory, causing memory exhaustion. Affected range <1.24.8 Fixed version 1.24.8 EPSS Score 0.054% EPSS Percentile 17th percentile Description The Parse function permits values other than IPv6 addresses to be included in square brackets within the host component of a URL. RFC 3986 permits IPv6 addresses to be included within the host component, enclosed within square brackets. For example: "http://[::1]/". IPv4 addresses and hostnames must not appear within square brackets. Parse did not enforce this requirement. Affected range <1.24.8 Fixed version 1.24.8 EPSS Score 0.016% EPSS Percentile 3rd percentile Description tar.Reader does not set a maximum size on the number of sparse region data blocks in GNU tar pax 1.0 sparse files. A maliciously-crafted archive containing a large number of sparse regions can cause a Reader to read an unbounded amount of data from the archive into memory. When reading from a compressed source, a small compressed input can result in large allocations.

jquery-ui 1.11.2 (npm) pkg:npm/jquery-ui@1.11.2 # Dockerfile (227:227) COPY --from=build /tmp/install /flightgear/script/dnc-managed/install Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') Affected range <1.13.0 Fixed version 1.13.0 CVSS Score 6.5 CVSS Vector CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N EPSS Score 22.087% EPSS Percentile 96th percentile Description Impact Accepting the value of the of option of the .position() util from untrusted sources may execute untrusted code. For example, invoking the following code: $( "#element" ).position( { my: "left top", at: "right bottom", of: "<img onerror='doEvilThing()' src='/404' />", collision: "none" } ); will call the doEvilThing() function. Patches The issue is fixed in jQuery UI 1.13.0. Any string value passed to the of option is now treated as a CSS selector. Workarounds A workaround is to not accept the value of the of option from untrusted sources. For more information If you have any questions or comments about this advisory, search for a relevant issue in the jQuery UI repo. If you don't find an answer, open a new issue. Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') Affected range <1.13.0 Fixed version 1.13.0 CVSS Score 6.5 CVSS Vector CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N EPSS Score 2.341% EPSS Percentile 84th percentile Description Impact Accepting the value of various *Text options of the Datepicker widget from untrusted sources may execute untrusted code. For example, initializing the datepicker in the following way: $( "#datepicker" ).datepicker( { showButtonPanel: true, showOn: "both", closeText: "<script>doEvilThing( 'closeText XSS' )</script>", currentText: "<script>doEvilThing( 'currentText XSS' )</script>", prevText: "<script>doEvilThing( 'prevText XSS' )</script>", nextText: "<script>doEvilThing( 'nextText XSS' )</script>", buttonText: "<script>doEvilThing( 'buttonText XSS' )</script>", appendText: "<script>doEvilThing( 'appendText XSS' )</script>", } ); will call doEvilThing with 6 different parameters coming from all *Text options. Patches The issue is fixed in jQuery UI 1.13.0. The values passed to various *Text options are now always treated as pure text, not HTML. Workarounds A workaround is to not accept the value of the *Text options from untrusted sources. For more information If you have any questions or comments about this advisory, search for a relevant issue in the jQuery UI repo. If you don't find an answer, open a new issue. Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') Affected range <1.13.0 Fixed version 1.13.0 CVSS Score 6.5 CVSS Vector CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N EPSS Score 19.260% EPSS Percentile 95th percentile Description Impact Accepting the value of the altField option of the Datepicker widget from untrusted sources may execute untrusted code. For example, initializing the datepicker in the following way: $( "#datepicker" ).datepicker( { altField: "<img onerror='doEvilThing()' src='/404' />", } ); will call the doEvilThing function. Patches The issue is fixed in jQuery UI 1.13.0. Any string value passed to the altField option is now treated as a CSS selector. Workarounds A workaround is to not accept the value of the altField option from untrusted sources. For more information If you have any questions or comments about this advisory, search for a relevant issue in the jQuery UI repo. If you don't find an answer, open a new issue. Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') Affected range <1.13.2 Fixed version 1.13.2 CVSS Score 6.1 CVSS Vector CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N EPSS Score 10.939% EPSS Percentile 93rd percentile Description Impact Initializing a checkboxradio widget on an input enclosed within a label makes that parent label contents considered as the input label. If you call .checkboxradio( "refresh" ) on such a widget and the initial HTML contained encoded HTML entities, they will erroneously get decoded. This can lead to potentially executing JavaScript code. For example, starting with the following initial secure HTML: <label> <input id="test-input"> &lt;img src=x onerror="alert(1)"&gt; </label> and calling: $( "#test-input" ).checkboxradio(); $( "#test-input" ).checkboxradio( "refresh" ); will turn the initial HTML into: <label> <!-- some jQuery UI elements --> <input id="test-input"> <img src=x onerror="alert(1)"> </label> and the alert will get executed. Patches The bug has been patched in jQuery UI 1.13.2. Workarounds To remediate the issue, if you can change the initial HTML, you can wrap all the non-input contents of the label in a span: <label> <input id="test-input"> <span>&lt;img src=x onerror="alert(1)"&gt;</span> </label> References https://blog.jqueryui.com/2022/07/jquery-ui-1-13-2-released/ For more information If you have any questions or comments about this advisory, search for a relevant issue in the jQuery UI repo. If you don't find an answer, open a new issue. Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') Affected range <1.12.0 Fixed version 1.12.0 CVSS Score 6.1 CVSS Vector CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N EPSS Score 1.383% EPSS Percentile 80th percentile Description Affected versions of jquery-ui are vulnerable to a cross-site scripting vulnerability when arbitrary user input is supplied as the value of the closeText parameter in the dialog function. jQuery-UI is a library for manipulating UI elements via jQuery. Version 1.11.4 has a cross site scripting (XSS) vulnerability in the closeText parameter of the dialog function. If your application passes user input to this parameter, it may be vulnerable to XSS via this attack vector. Recommendation Upgrade to jQuery-UI 1.12.0 or later. OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities Affected range <=1.11.4 Fixed version 1.12.0 Description jQuery-UI has a cross site scripting (XSS) vulnerability in the closeText parameter of the dialog function. If your application passes user input to this parameter, it may be vulnerable to XSS via this attack vector.

[github-actions]

Recommended fixes for image (linux/arm64) ghcr.io/jlp04/elevation-generator:test

Base image is debian:latest

Name	latest
Digest	sha256:a43fe46cf3e88c667433fc9e6bc35b27373b412b9e3c6bc95ddada26174f1937
Vulnerabilities
Pushed	1 week ago
Size	50 MB
Packages	111

The base image is also available under the supported tag(s): trixie, trixie-20251103

Refresh base image

Rebuild the image using a newer base image version. Updating this may result in breaking changes.

✅ This image version is up to date.

Change base image

✅ There are no tag recommendations at this time.

[github-actions]

Overview

Image reference	jlp04/elevation-generator:latest	ghcr.io/jlp04/elevation-generator:test
- digest	9fb40b1492b8	19275a171c70
- tag	latest	test
- provenance	https://github.com/JLP04/docker-elevation-generator.git#700a62ec6c22e8b2e497d732ec57ede592cc8395/commit/700a62ec6c22e8b2e497d732ec57ede592cc8395	https://github.com/JLP04/docker-elevation-generator.git#refs/pull/7/merge/commit/cffad264cbfe82416ed2b96d3ecf1efe30212ab9
- vulnerabilities
- platform	linux/arm64	linux/arm64
- size	9.6 GB	9.6 GB (+5.5 MB)
- packages	957	957
Base Image	debian:latest also known as: • trixie • trixie-20251103	debian:latest also known as: • trixie • trixie-20251103
- vulnerabilities

[github-actions]

Your image	ghcr.io/jlp04/elevation-generator:test
Current base image	debian:latest

[github-actions]

🔍 Vulnerabilities of ghcr.io/jlp04/elevation-generator:test

📦 Image Reference ghcr.io/jlp04/elevation-generator:test

digest	sha256:9f12b326bac4905cccafc62e9beafdf5e81b085711b109dedecb50a5d4b8f9fa
vulnerabilities
platform	linux/ppc64le
size	9.6 GB
packages	953

📦 Base Image debian:8fd9e4e10ab117ebaf4867b6496fe63cae2596222618425256271e5f42ced1fc

also known as	latest trixie trixie-20251103
digest	sha256:0f58361a4815f7a9649a1f77952ad2ed8f50f92c9023463dacf3e12963abbbe3
vulnerabilities

stdlib 1.24.4 (golang) pkg:golang/stdlib@1.24.4 # Dockerfile (241:241) RUN set -o pipefail && curl https://getcroc.schollz.com | bash || curl https://getcroc.schollz.com | sed 's^croc_base_url="https://github.com/schollz/croc/releases/download"^croc_base_url="file://"^g' | bash Affected range <1.24.8 Fixed version 1.24.8 EPSS Score 0.075% EPSS Percentile 23rd percentile Description The ParseAddress function constructeds domain-literal address components through repeated string concatenation. When parsing large domain-literal components, this can cause excessive CPU consumption. Affected range <1.24.8 Fixed version 1.24.8 EPSS Score 0.075% EPSS Percentile 23rd percentile Description The processing time for parsing some invalid inputs scales non-linearly with respect to the size of the input. This affects programs which parse untrusted PEM inputs. Affected range <1.24.8 Fixed version 1.24.8 EPSS Score 0.033% EPSS Percentile 9th percentile Description Validating certificate chains which contain DSA public keys can cause programs to panic, due to a interface cast that assumes they implement the Equal method. This affects programs which validate arbitrary certificate chains. Affected range <1.24.9 Fixed version 1.24.9 EPSS Score 0.017% EPSS Percentile 3rd percentile Description Due to the design of the name constraint checking algorithm, the processing time of some inputs scals non-linearly with respect to the size of the certificate. This affects programs which validate arbitrary certificate chains. Affected range >=1.24.0 <1.24.6 Fixed version 1.24.6 EPSS Score 0.025% EPSS Percentile 6th percentile Description If the PATH environment variable contains paths which are executables (rather than just directories), passing certain strings to LookPath ("", ".", and ".."), can result in the binaries listed in the PATH being unexpectedly returned. Affected range <1.24.8 Fixed version 1.24.8 EPSS Score 0.055% EPSS Percentile 17th percentile Description The Reader.ReadResponse function constructs a response string through repeated string concatenation of lines. When the number of lines in a response is large, this can cause excessive CPU consumption. Affected range <1.24.8 Fixed version 1.24.8 EPSS Score 0.041% EPSS Percentile 12th percentile Description When Conn.Handshake fails during ALPN negotiation the error contains attacker controlled information (the ALPN protocols sent by the client) which is not escaped. Affected range <1.24.8 Fixed version 1.24.8 EPSS Score 0.055% EPSS Percentile 17th percentile Description Despite HTTP headers having a default limit of 1MB, the number of cookies that can be parsed does not have a limit. By sending a lot of very small cookies such as "a=;", an attacker can make an HTTP server allocate a large amount of structs, causing large memory consumption. Affected range <1.24.8 Fixed version 1.24.8 EPSS Score 0.027% EPSS Percentile 6th percentile Description Parsing a maliciously crafted DER payload could allocate large amounts of memory, causing memory exhaustion. Affected range <1.24.8 Fixed version 1.24.8 EPSS Score 0.054% EPSS Percentile 17th percentile Description The Parse function permits values other than IPv6 addresses to be included in square brackets within the host component of a URL. RFC 3986 permits IPv6 addresses to be included within the host component, enclosed within square brackets. For example: "http://[::1]/". IPv4 addresses and hostnames must not appear within square brackets. Parse did not enforce this requirement. Affected range <1.24.8 Fixed version 1.24.8 EPSS Score 0.016% EPSS Percentile 3rd percentile Description tar.Reader does not set a maximum size on the number of sparse region data blocks in GNU tar pax 1.0 sparse files. A maliciously-crafted archive containing a large number of sparse regions can cause a Reader to read an unbounded amount of data from the archive into memory. When reading from a compressed source, a small compressed input can result in large allocations.

jquery-ui 1.11.2 (npm) pkg:npm/jquery-ui@1.11.2 # Dockerfile (227:227) COPY --from=build /tmp/install /flightgear/script/dnc-managed/install Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') Affected range <1.13.0 Fixed version 1.13.0 CVSS Score 6.5 CVSS Vector CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N EPSS Score 22.087% EPSS Percentile 96th percentile Description Impact Accepting the value of the of option of the .position() util from untrusted sources may execute untrusted code. For example, invoking the following code: $( "#element" ).position( { my: "left top", at: "right bottom", of: "<img onerror='doEvilThing()' src='/404' />", collision: "none" } ); will call the doEvilThing() function. Patches The issue is fixed in jQuery UI 1.13.0. Any string value passed to the of option is now treated as a CSS selector. Workarounds A workaround is to not accept the value of the of option from untrusted sources. For more information If you have any questions or comments about this advisory, search for a relevant issue in the jQuery UI repo. If you don't find an answer, open a new issue. Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') Affected range <1.13.0 Fixed version 1.13.0 CVSS Score 6.5 CVSS Vector CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N EPSS Score 2.341% EPSS Percentile 84th percentile Description Impact Accepting the value of various *Text options of the Datepicker widget from untrusted sources may execute untrusted code. For example, initializing the datepicker in the following way: $( "#datepicker" ).datepicker( { showButtonPanel: true, showOn: "both", closeText: "<script>doEvilThing( 'closeText XSS' )</script>", currentText: "<script>doEvilThing( 'currentText XSS' )</script>", prevText: "<script>doEvilThing( 'prevText XSS' )</script>", nextText: "<script>doEvilThing( 'nextText XSS' )</script>", buttonText: "<script>doEvilThing( 'buttonText XSS' )</script>", appendText: "<script>doEvilThing( 'appendText XSS' )</script>", } ); will call doEvilThing with 6 different parameters coming from all *Text options. Patches The issue is fixed in jQuery UI 1.13.0. The values passed to various *Text options are now always treated as pure text, not HTML. Workarounds A workaround is to not accept the value of the *Text options from untrusted sources. For more information If you have any questions or comments about this advisory, search for a relevant issue in the jQuery UI repo. If you don't find an answer, open a new issue. Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') Affected range <1.13.0 Fixed version 1.13.0 CVSS Score 6.5 CVSS Vector CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N EPSS Score 19.260% EPSS Percentile 95th percentile Description Impact Accepting the value of the altField option of the Datepicker widget from untrusted sources may execute untrusted code. For example, initializing the datepicker in the following way: $( "#datepicker" ).datepicker( { altField: "<img onerror='doEvilThing()' src='/404' />", } ); will call the doEvilThing function. Patches The issue is fixed in jQuery UI 1.13.0. Any string value passed to the altField option is now treated as a CSS selector. Workarounds A workaround is to not accept the value of the altField option from untrusted sources. For more information If you have any questions or comments about this advisory, search for a relevant issue in the jQuery UI repo. If you don't find an answer, open a new issue. Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') Affected range <1.13.2 Fixed version 1.13.2 CVSS Score 6.1 CVSS Vector CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N EPSS Score 10.939% EPSS Percentile 93rd percentile Description Impact Initializing a checkboxradio widget on an input enclosed within a label makes that parent label contents considered as the input label. If you call .checkboxradio( "refresh" ) on such a widget and the initial HTML contained encoded HTML entities, they will erroneously get decoded. This can lead to potentially executing JavaScript code. For example, starting with the following initial secure HTML: <label> <input id="test-input"> &lt;img src=x onerror="alert(1)"&gt; </label> and calling: $( "#test-input" ).checkboxradio(); $( "#test-input" ).checkboxradio( "refresh" ); will turn the initial HTML into: <label> <!-- some jQuery UI elements --> <input id="test-input"> <img src=x onerror="alert(1)"> </label> and the alert will get executed. Patches The bug has been patched in jQuery UI 1.13.2. Workarounds To remediate the issue, if you can change the initial HTML, you can wrap all the non-input contents of the label in a span: <label> <input id="test-input"> <span>&lt;img src=x onerror="alert(1)"&gt;</span> </label> References https://blog.jqueryui.com/2022/07/jquery-ui-1-13-2-released/ For more information If you have any questions or comments about this advisory, search for a relevant issue in the jQuery UI repo. If you don't find an answer, open a new issue. Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') Affected range <1.12.0 Fixed version 1.12.0 CVSS Score 6.1 CVSS Vector CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N EPSS Score 1.383% EPSS Percentile 80th percentile Description Affected versions of jquery-ui are vulnerable to a cross-site scripting vulnerability when arbitrary user input is supplied as the value of the closeText parameter in the dialog function. jQuery-UI is a library for manipulating UI elements via jQuery. Version 1.11.4 has a cross site scripting (XSS) vulnerability in the closeText parameter of the dialog function. If your application passes user input to this parameter, it may be vulnerable to XSS via this attack vector. Recommendation Upgrade to jQuery-UI 1.12.0 or later. OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities Affected range <=1.11.4 Fixed version 1.12.0 Description jQuery-UI has a cross site scripting (XSS) vulnerability in the closeText parameter of the dialog function. If your application passes user input to this parameter, it may be vulnerable to XSS via this attack vector.

[github-actions]

Recommended fixes for image (linux/ppc64le) ghcr.io/jlp04/elevation-generator:test

Base image is debian:latest

Name	8fd9e4e10ab117ebaf4867b6496fe63cae2596222618425256271e5f42ced1fc
Digest	sha256:0f58361a4815f7a9649a1f77952ad2ed8f50f92c9023463dacf3e12963abbbe3
Vulnerabilities
Pushed	1 week ago
Size	53 MB
Packages	111

The base image is also available under the supported tag(s): trixie, trixie-20251103

Refresh base image

Rebuild the image using a newer base image version. Updating this may result in breaking changes.

✅ This image version is up to date.

Change base image

✅ There are no tag recommendations at this time.

[github-actions]

Overview

Image reference	jlp04/elevation-generator:latest	ghcr.io/jlp04/elevation-generator:test
- digest	4367e2cf17f6	9f12b326bac4
- tag	latest	test
- provenance	https://github.com/JLP04/docker-elevation-generator.git#700a62ec6c22e8b2e497d732ec57ede592cc8395/commit/700a62ec6c22e8b2e497d732ec57ede592cc8395	https://github.com/JLP04/docker-elevation-generator.git#refs/pull/7/merge/commit/cffad264cbfe82416ed2b96d3ecf1efe30212ab9
- vulnerabilities
- platform	linux/ppc64le	linux/ppc64le
- size	9.6 GB	9.6 GB (+5.5 MB)
- packages	953	953
Base Image	debian:latest also known as: • trixie • trixie-20251103	debian:latest also known as: • trixie • trixie-20251103
- vulnerabilities

[github-actions]

Your image	ghcr.io/jlp04/elevation-generator:test
Current base image	debian:latest

[github-actions]

🔍 Vulnerabilities of ghcr.io/jlp04/elevation-generator:test

📦 Image Reference ghcr.io/jlp04/elevation-generator:test

digest	sha256:c411a9131c1b69efc17a63e85f3bdbad5df7c2573fc505b04b985cdb6cf1bde3
vulnerabilities
platform	linux/riscv64
size	9.6 GB
packages	948

📦 Base Image debian:13

also known as	latest trixie trixie-20251103
digest	sha256:a7dab94b6405638d58aeebb570f4416ad811edd004071a07f29fb2a09ccd77ef
vulnerabilities

stdlib 1.24.4 (golang) pkg:golang/stdlib@1.24.4 # Dockerfile (241:241) RUN set -o pipefail && curl https://getcroc.schollz.com | bash || curl https://getcroc.schollz.com | sed 's^croc_base_url="https://github.com/schollz/croc/releases/download"^croc_base_url="file://"^g' | bash Affected range <1.24.8 Fixed version 1.24.8 EPSS Score 0.075% EPSS Percentile 23rd percentile Description The ParseAddress function constructeds domain-literal address components through repeated string concatenation. When parsing large domain-literal components, this can cause excessive CPU consumption. Affected range <1.24.8 Fixed version 1.24.8 EPSS Score 0.075% EPSS Percentile 23rd percentile Description The processing time for parsing some invalid inputs scales non-linearly with respect to the size of the input. This affects programs which parse untrusted PEM inputs. Affected range <1.24.8 Fixed version 1.24.8 EPSS Score 0.033% EPSS Percentile 9th percentile Description Validating certificate chains which contain DSA public keys can cause programs to panic, due to a interface cast that assumes they implement the Equal method. This affects programs which validate arbitrary certificate chains. Affected range <1.24.9 Fixed version 1.24.9 EPSS Score 0.017% EPSS Percentile 3rd percentile Description Due to the design of the name constraint checking algorithm, the processing time of some inputs scals non-linearly with respect to the size of the certificate. This affects programs which validate arbitrary certificate chains. Affected range >=1.24.0 <1.24.6 Fixed version 1.24.6 EPSS Score 0.025% EPSS Percentile 6th percentile Description If the PATH environment variable contains paths which are executables (rather than just directories), passing certain strings to LookPath ("", ".", and ".."), can result in the binaries listed in the PATH being unexpectedly returned. Affected range <1.24.8 Fixed version 1.24.8 EPSS Score 0.055% EPSS Percentile 17th percentile Description The Reader.ReadResponse function constructs a response string through repeated string concatenation of lines. When the number of lines in a response is large, this can cause excessive CPU consumption. Affected range <1.24.8 Fixed version 1.24.8 EPSS Score 0.041% EPSS Percentile 12th percentile Description When Conn.Handshake fails during ALPN negotiation the error contains attacker controlled information (the ALPN protocols sent by the client) which is not escaped. Affected range <1.24.8 Fixed version 1.24.8 EPSS Score 0.055% EPSS Percentile 17th percentile Description Despite HTTP headers having a default limit of 1MB, the number of cookies that can be parsed does not have a limit. By sending a lot of very small cookies such as "a=;", an attacker can make an HTTP server allocate a large amount of structs, causing large memory consumption. Affected range <1.24.8 Fixed version 1.24.8 EPSS Score 0.027% EPSS Percentile 6th percentile Description Parsing a maliciously crafted DER payload could allocate large amounts of memory, causing memory exhaustion. Affected range <1.24.8 Fixed version 1.24.8 EPSS Score 0.054% EPSS Percentile 17th percentile Description The Parse function permits values other than IPv6 addresses to be included in square brackets within the host component of a URL. RFC 3986 permits IPv6 addresses to be included within the host component, enclosed within square brackets. For example: "http://[::1]/". IPv4 addresses and hostnames must not appear within square brackets. Parse did not enforce this requirement. Affected range <1.24.8 Fixed version 1.24.8 EPSS Score 0.016% EPSS Percentile 3rd percentile Description tar.Reader does not set a maximum size on the number of sparse region data blocks in GNU tar pax 1.0 sparse files. A maliciously-crafted archive containing a large number of sparse regions can cause a Reader to read an unbounded amount of data from the archive into memory. When reading from a compressed source, a small compressed input can result in large allocations.

jquery-ui 1.11.2 (npm) pkg:npm/jquery-ui@1.11.2 # Dockerfile (227:227) COPY --from=build /tmp/install /flightgear/script/dnc-managed/install Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') Affected range <1.13.0 Fixed version 1.13.0 CVSS Score 6.5 CVSS Vector CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N EPSS Score 22.087% EPSS Percentile 96th percentile Description Impact Accepting the value of the of option of the .position() util from untrusted sources may execute untrusted code. For example, invoking the following code: $( "#element" ).position( { my: "left top", at: "right bottom", of: "<img onerror='doEvilThing()' src='/404' />", collision: "none" } ); will call the doEvilThing() function. Patches The issue is fixed in jQuery UI 1.13.0. Any string value passed to the of option is now treated as a CSS selector. Workarounds A workaround is to not accept the value of the of option from untrusted sources. For more information If you have any questions or comments about this advisory, search for a relevant issue in the jQuery UI repo. If you don't find an answer, open a new issue. Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') Affected range <1.13.0 Fixed version 1.13.0 CVSS Score 6.5 CVSS Vector CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N EPSS Score 2.341% EPSS Percentile 84th percentile Description Impact Accepting the value of various *Text options of the Datepicker widget from untrusted sources may execute untrusted code. For example, initializing the datepicker in the following way: $( "#datepicker" ).datepicker( { showButtonPanel: true, showOn: "both", closeText: "<script>doEvilThing( 'closeText XSS' )</script>", currentText: "<script>doEvilThing( 'currentText XSS' )</script>", prevText: "<script>doEvilThing( 'prevText XSS' )</script>", nextText: "<script>doEvilThing( 'nextText XSS' )</script>", buttonText: "<script>doEvilThing( 'buttonText XSS' )</script>", appendText: "<script>doEvilThing( 'appendText XSS' )</script>", } ); will call doEvilThing with 6 different parameters coming from all *Text options. Patches The issue is fixed in jQuery UI 1.13.0. The values passed to various *Text options are now always treated as pure text, not HTML. Workarounds A workaround is to not accept the value of the *Text options from untrusted sources. For more information If you have any questions or comments about this advisory, search for a relevant issue in the jQuery UI repo. If you don't find an answer, open a new issue. Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') Affected range <1.13.0 Fixed version 1.13.0 CVSS Score 6.5 CVSS Vector CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N EPSS Score 19.260% EPSS Percentile 95th percentile Description Impact Accepting the value of the altField option of the Datepicker widget from untrusted sources may execute untrusted code. For example, initializing the datepicker in the following way: $( "#datepicker" ).datepicker( { altField: "<img onerror='doEvilThing()' src='/404' />", } ); will call the doEvilThing function. Patches The issue is fixed in jQuery UI 1.13.0. Any string value passed to the altField option is now treated as a CSS selector. Workarounds A workaround is to not accept the value of the altField option from untrusted sources. For more information If you have any questions or comments about this advisory, search for a relevant issue in the jQuery UI repo. If you don't find an answer, open a new issue. Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') Affected range <1.13.2 Fixed version 1.13.2 CVSS Score 6.1 CVSS Vector CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N EPSS Score 10.939% EPSS Percentile 93rd percentile Description Impact Initializing a checkboxradio widget on an input enclosed within a label makes that parent label contents considered as the input label. If you call .checkboxradio( "refresh" ) on such a widget and the initial HTML contained encoded HTML entities, they will erroneously get decoded. This can lead to potentially executing JavaScript code. For example, starting with the following initial secure HTML: <label> <input id="test-input"> &lt;img src=x onerror="alert(1)"&gt; </label> and calling: $( "#test-input" ).checkboxradio(); $( "#test-input" ).checkboxradio( "refresh" ); will turn the initial HTML into: <label> <!-- some jQuery UI elements --> <input id="test-input"> <img src=x onerror="alert(1)"> </label> and the alert will get executed. Patches The bug has been patched in jQuery UI 1.13.2. Workarounds To remediate the issue, if you can change the initial HTML, you can wrap all the non-input contents of the label in a span: <label> <input id="test-input"> <span>&lt;img src=x onerror="alert(1)"&gt;</span> </label> References https://blog.jqueryui.com/2022/07/jquery-ui-1-13-2-released/ For more information If you have any questions or comments about this advisory, search for a relevant issue in the jQuery UI repo. If you don't find an answer, open a new issue. Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') Affected range <1.12.0 Fixed version 1.12.0 CVSS Score 6.1 CVSS Vector CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N EPSS Score 1.383% EPSS Percentile 80th percentile Description Affected versions of jquery-ui are vulnerable to a cross-site scripting vulnerability when arbitrary user input is supplied as the value of the closeText parameter in the dialog function. jQuery-UI is a library for manipulating UI elements via jQuery. Version 1.11.4 has a cross site scripting (XSS) vulnerability in the closeText parameter of the dialog function. If your application passes user input to this parameter, it may be vulnerable to XSS via this attack vector. Recommendation Upgrade to jQuery-UI 1.12.0 or later. OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities Affected range <=1.11.4 Fixed version 1.12.0 Description jQuery-UI has a cross site scripting (XSS) vulnerability in the closeText parameter of the dialog function. If your application passes user input to this parameter, it may be vulnerable to XSS via this attack vector.

[github-actions]

Recommended fixes for image (linux/riscv64) ghcr.io/jlp04/elevation-generator:test

Base image is debian:latest

Name	13
Digest	sha256:a7dab94b6405638d58aeebb570f4416ad811edd004071a07f29fb2a09ccd77ef
Vulnerabilities
Pushed	1 week ago
Size	48 MB
Packages	109
OS	13

The base image is also available under the supported tag(s): 13, trixie, trixie-20251103

Refresh base image

Rebuild the image using a newer base image version. Updating this may result in breaking changes.

✅ This image version is up to date.

Change base image

✅ There are no tag recommendations at this time.

[github-actions]

Overview

Image reference	jlp04/elevation-generator:latest	ghcr.io/jlp04/elevation-generator:test
- digest	c5f98e5dcff3	c411a9131c1b
- tag	latest	test
- provenance	https://github.com/JLP04/docker-elevation-generator.git#700a62ec6c22e8b2e497d732ec57ede592cc8395/commit/700a62ec6c22e8b2e497d732ec57ede592cc8395	https://github.com/JLP04/docker-elevation-generator.git#refs/pull/7/merge/commit/cffad264cbfe82416ed2b96d3ecf1efe30212ab9
- vulnerabilities
- platform	linux/riscv64	linux/riscv64
- size	9.6 GB	9.6 GB (+5.5 MB)
- packages	948	948
Base Image	debian:latest also known as: • 13 • trixie • trixie-20251103	debian:latest also known as: • 13 • trixie • trixie-20251103
- vulnerabilities

[github-actions]

Your image	ghcr.io/jlp04/elevation-generator:test
Current base image	debian:latest

[github-actions]

🔍 Vulnerabilities of ghcr.io/jlp04/elevation-generator:test

📦 Image Reference ghcr.io/jlp04/elevation-generator:test

digest	sha256:0ed52c0a54c534103cd64d8a735b71fbff8a7a3f924b4c0d85eec139e0b678a0
vulnerabilities
platform	linux/s390x
size	9.6 GB
packages	947

📦 Base Image debian:latest

also known as	trixie trixie-20251103
digest	sha256:6282a9e915c6b788d34c888712050ae07d54d556ca0fd80e599d94c208a90034
vulnerabilities

stdlib 1.24.4 (golang) pkg:golang/stdlib@1.24.4 # Dockerfile (241:241) RUN set -o pipefail && curl https://getcroc.schollz.com | bash || curl https://getcroc.schollz.com | sed 's^croc_base_url="https://github.com/schollz/croc/releases/download"^croc_base_url="file://"^g' | bash Affected range <1.24.8 Fixed version 1.24.8 EPSS Score 0.075% EPSS Percentile 23rd percentile Description The ParseAddress function constructeds domain-literal address components through repeated string concatenation. When parsing large domain-literal components, this can cause excessive CPU consumption. Affected range <1.24.8 Fixed version 1.24.8 EPSS Score 0.075% EPSS Percentile 23rd percentile Description The processing time for parsing some invalid inputs scales non-linearly with respect to the size of the input. This affects programs which parse untrusted PEM inputs. Affected range <1.24.8 Fixed version 1.24.8 EPSS Score 0.033% EPSS Percentile 9th percentile Description Validating certificate chains which contain DSA public keys can cause programs to panic, due to a interface cast that assumes they implement the Equal method. This affects programs which validate arbitrary certificate chains. Affected range <1.24.9 Fixed version 1.24.9 EPSS Score 0.017% EPSS Percentile 3rd percentile Description Due to the design of the name constraint checking algorithm, the processing time of some inputs scals non-linearly with respect to the size of the certificate. This affects programs which validate arbitrary certificate chains. Affected range >=1.24.0 <1.24.6 Fixed version 1.24.6 EPSS Score 0.025% EPSS Percentile 6th percentile Description If the PATH environment variable contains paths which are executables (rather than just directories), passing certain strings to LookPath ("", ".", and ".."), can result in the binaries listed in the PATH being unexpectedly returned. Affected range <1.24.8 Fixed version 1.24.8 EPSS Score 0.055% EPSS Percentile 17th percentile Description The Reader.ReadResponse function constructs a response string through repeated string concatenation of lines. When the number of lines in a response is large, this can cause excessive CPU consumption. Affected range <1.24.8 Fixed version 1.24.8 EPSS Score 0.041% EPSS Percentile 12th percentile Description When Conn.Handshake fails during ALPN negotiation the error contains attacker controlled information (the ALPN protocols sent by the client) which is not escaped. Affected range <1.24.8 Fixed version 1.24.8 EPSS Score 0.055% EPSS Percentile 17th percentile Description Despite HTTP headers having a default limit of 1MB, the number of cookies that can be parsed does not have a limit. By sending a lot of very small cookies such as "a=;", an attacker can make an HTTP server allocate a large amount of structs, causing large memory consumption. Affected range <1.24.8 Fixed version 1.24.8 EPSS Score 0.027% EPSS Percentile 6th percentile Description Parsing a maliciously crafted DER payload could allocate large amounts of memory, causing memory exhaustion. Affected range <1.24.8 Fixed version 1.24.8 EPSS Score 0.054% EPSS Percentile 17th percentile Description The Parse function permits values other than IPv6 addresses to be included in square brackets within the host component of a URL. RFC 3986 permits IPv6 addresses to be included within the host component, enclosed within square brackets. For example: "http://[::1]/". IPv4 addresses and hostnames must not appear within square brackets. Parse did not enforce this requirement. Affected range <1.24.8 Fixed version 1.24.8 EPSS Score 0.016% EPSS Percentile 3rd percentile Description tar.Reader does not set a maximum size on the number of sparse region data blocks in GNU tar pax 1.0 sparse files. A maliciously-crafted archive containing a large number of sparse regions can cause a Reader to read an unbounded amount of data from the archive into memory. When reading from a compressed source, a small compressed input can result in large allocations.

jquery-ui 1.11.2 (npm) pkg:npm/jquery-ui@1.11.2 # Dockerfile (227:227) COPY --from=build /tmp/install /flightgear/script/dnc-managed/install Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') Affected range <1.13.0 Fixed version 1.13.0 CVSS Score 6.5 CVSS Vector CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N EPSS Score 22.087% EPSS Percentile 96th percentile Description Impact Accepting the value of the of option of the .position() util from untrusted sources may execute untrusted code. For example, invoking the following code: $( "#element" ).position( { my: "left top", at: "right bottom", of: "<img onerror='doEvilThing()' src='/404' />", collision: "none" } ); will call the doEvilThing() function. Patches The issue is fixed in jQuery UI 1.13.0. Any string value passed to the of option is now treated as a CSS selector. Workarounds A workaround is to not accept the value of the of option from untrusted sources. For more information If you have any questions or comments about this advisory, search for a relevant issue in the jQuery UI repo. If you don't find an answer, open a new issue. Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') Affected range <1.13.0 Fixed version 1.13.0 CVSS Score 6.5 CVSS Vector CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N EPSS Score 2.341% EPSS Percentile 84th percentile Description Impact Accepting the value of various *Text options of the Datepicker widget from untrusted sources may execute untrusted code. For example, initializing the datepicker in the following way: $( "#datepicker" ).datepicker( { showButtonPanel: true, showOn: "both", closeText: "<script>doEvilThing( 'closeText XSS' )</script>", currentText: "<script>doEvilThing( 'currentText XSS' )</script>", prevText: "<script>doEvilThing( 'prevText XSS' )</script>", nextText: "<script>doEvilThing( 'nextText XSS' )</script>", buttonText: "<script>doEvilThing( 'buttonText XSS' )</script>", appendText: "<script>doEvilThing( 'appendText XSS' )</script>", } ); will call doEvilThing with 6 different parameters coming from all *Text options. Patches The issue is fixed in jQuery UI 1.13.0. The values passed to various *Text options are now always treated as pure text, not HTML. Workarounds A workaround is to not accept the value of the *Text options from untrusted sources. For more information If you have any questions or comments about this advisory, search for a relevant issue in the jQuery UI repo. If you don't find an answer, open a new issue. Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') Affected range <1.13.0 Fixed version 1.13.0 CVSS Score 6.5 CVSS Vector CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N EPSS Score 19.260% EPSS Percentile 95th percentile Description Impact Accepting the value of the altField option of the Datepicker widget from untrusted sources may execute untrusted code. For example, initializing the datepicker in the following way: $( "#datepicker" ).datepicker( { altField: "<img onerror='doEvilThing()' src='/404' />", } ); will call the doEvilThing function. Patches The issue is fixed in jQuery UI 1.13.0. Any string value passed to the altField option is now treated as a CSS selector. Workarounds A workaround is to not accept the value of the altField option from untrusted sources. For more information If you have any questions or comments about this advisory, search for a relevant issue in the jQuery UI repo. If you don't find an answer, open a new issue. Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') Affected range <1.13.2 Fixed version 1.13.2 CVSS Score 6.1 CVSS Vector CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N EPSS Score 10.939% EPSS Percentile 93rd percentile Description Impact Initializing a checkboxradio widget on an input enclosed within a label makes that parent label contents considered as the input label. If you call .checkboxradio( "refresh" ) on such a widget and the initial HTML contained encoded HTML entities, they will erroneously get decoded. This can lead to potentially executing JavaScript code. For example, starting with the following initial secure HTML: <label> <input id="test-input"> &lt;img src=x onerror="alert(1)"&gt; </label> and calling: $( "#test-input" ).checkboxradio(); $( "#test-input" ).checkboxradio( "refresh" ); will turn the initial HTML into: <label> <!-- some jQuery UI elements --> <input id="test-input"> <img src=x onerror="alert(1)"> </label> and the alert will get executed. Patches The bug has been patched in jQuery UI 1.13.2. Workarounds To remediate the issue, if you can change the initial HTML, you can wrap all the non-input contents of the label in a span: <label> <input id="test-input"> <span>&lt;img src=x onerror="alert(1)"&gt;</span> </label> References https://blog.jqueryui.com/2022/07/jquery-ui-1-13-2-released/ For more information If you have any questions or comments about this advisory, search for a relevant issue in the jQuery UI repo. If you don't find an answer, open a new issue. Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') Affected range <1.12.0 Fixed version 1.12.0 CVSS Score 6.1 CVSS Vector CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N EPSS Score 1.383% EPSS Percentile 80th percentile Description Affected versions of jquery-ui are vulnerable to a cross-site scripting vulnerability when arbitrary user input is supplied as the value of the closeText parameter in the dialog function. jQuery-UI is a library for manipulating UI elements via jQuery. Version 1.11.4 has a cross site scripting (XSS) vulnerability in the closeText parameter of the dialog function. If your application passes user input to this parameter, it may be vulnerable to XSS via this attack vector. Recommendation Upgrade to jQuery-UI 1.12.0 or later. OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities Affected range <=1.11.4 Fixed version 1.12.0 Description jQuery-UI has a cross site scripting (XSS) vulnerability in the closeText parameter of the dialog function. If your application passes user input to this parameter, it may be vulnerable to XSS via this attack vector.

[github-actions]

Recommended fixes for image (linux/s390x) ghcr.io/jlp04/elevation-generator:test

Base image is debian:latest

Name	latest
Digest	sha256:6282a9e915c6b788d34c888712050ae07d54d556ca0fd80e599d94c208a90034
Vulnerabilities
Pushed	1 week ago
Size	49 MB
Packages	111

The base image is also available under the supported tag(s): trixie, trixie-20251103

Refresh base image

Rebuild the image using a newer base image version. Updating this may result in breaking changes.

✅ This image version is up to date.

Change base image

✅ There are no tag recommendations at this time.

[github-actions]

Overview

Image reference	jlp04/elevation-generator:latest	ghcr.io/jlp04/elevation-generator:test
- digest	4f94dc434e53	0ed52c0a54c5
- tag	latest	test
- provenance	https://github.com/JLP04/docker-elevation-generator.git#700a62ec6c22e8b2e497d732ec57ede592cc8395/commit/700a62ec6c22e8b2e497d732ec57ede592cc8395	https://github.com/JLP04/docker-elevation-generator.git#refs/pull/7/merge/commit/cffad264cbfe82416ed2b96d3ecf1efe30212ab9
- vulnerabilities
- platform	linux/s390x	linux/s390x
- size	9.6 GB	9.6 GB (+5.5 MB)
- packages	947	947
Base Image	debian:latest also known as: • trixie • trixie-20251103	debian:latest also known as: • trixie • trixie-20251103
- vulnerabilities