Skip to content

[Aikido] Fix 4 security issues in api-service#13

Open
aikido-autofix[bot] wants to merge 1 commit into
masterfrom
fix/aikido-security-KAN-2052-KAN-2173-KAN-2582-KAN-2611-KAN-2711-KAN-2751container-fix-28686354-7mvm
Open

[Aikido] Fix 4 security issues in api-service#13
aikido-autofix[bot] wants to merge 1 commit into
masterfrom
fix/aikido-security-KAN-2052-KAN-2173-KAN-2582-KAN-2611-KAN-2711-KAN-2751container-fix-28686354-7mvm

Conversation

@aikido-autofix

Copy link
Copy Markdown

Aikido updated the base image from python:3.7-slim to python:3.7-slim

The base image python:3.7-slim was pinned to the latest digest, resolving 1 high-severity and 3 medium-severity vulnerabilities in openssl.

✅ 4 CVEs resolved by this upgrade

This PR will resolve the following CVEs:

Issue Severity           Description
CVE-2021-23840
HIGH
Integer overflow in EVP cipher functions causes output length argument to become negative, leading to application crashes or incorrect behavior when processing input lengths near the maximum integer value.
CVE-2021-3449
MEDIUM
An OpenSSL TLS server crashes due to a NULL pointer dereference when receiving a maliciously crafted renegotiation ClientHello message that omits the signature_algorithms extension but includes signature_algorithms_cert. This causes a denial of service attack on servers with TLSv1.2 and renegotiation enabled.
CVE-2021-23841
MEDIUM
X509_issuer_and_serial_hash() fails to handle errors when parsing maliciously constructed issuer fields in X509 certificates, causing a NULL pointer dereference and denial of service. The vulnerability only affects applications that directly call this function with untrusted certificates.
CVE-2020-1971
MEDIUM
A NULL pointer dereference in OpenSSL's GENERAL_NAME_cmp function when comparing EDIPartyName types causes a crash, enabling denial of service attacks. An attacker controlling both compared items (e.g., malicious certificate and CRL) can trigger the vulnerability during certificate validation or timestamp verification.
🔗 Related Tasks

@aikido-autofix aikido-autofix Bot added bug Something isn't working documentation Improvements or additions to documentation labels Apr 30, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

bug Something isn't working documentation Improvements or additions to documentation

Projects

None yet

Development

Successfully merging this pull request may close these issues.

0 participants