Vulnerability Reportnginxdemos/hello:0.2

nginxdemos/hello:0.2

DIGESTsha256:08eb7b72ee3057fafffd69873072db4ec64064f859c953088a6048bfc3142c7b

Executive Summary

Threat ScoreDANGEROUS• High-severity CVE-2023-44487 (HTTP/2 Rapid Reset) with EPSS 0.99999 and severity 9.75, directly exploitable on nginx without special configuration, enabling denial of service.• 7 exposed vulnerabilities with severity >= 7.0 (max 9.75), including CVE-2023-0286, CVE-2023-0464, and CVE-2023-0215, increasing attack surface.• Post-exploit vulnerabilities (87 total) are all low severity (max 5.28), but do not reduce the critical risk from exposed surface.• Image is a popular community nginx demo (350M+ pulls) but pinned digest does not mitigate unpatched vulnerabilities.• CVE-2023-44487 requires no authentication or special configuration; an attacker can exhaust server resources via rapid stream resets.

100/100DANGEROUS

ReputationPOPULAR COMMUNITY• High Reputation Community Image (350M+ pulls)• Pinned by digest (Immutable)

RELIABLE

This image poses a critical security risk and must not be used in production, especially as an internet-facing service. An attacker could trigger a denial of service via HTTP/2 Rapid Reset (CVE-2023-44487), potentially exhausting server resources and causing downtime. While this is the most severe finding, there are 6 additional exposed vulnerabilities with severity >=7.5, including multiple OpenSSL issues (e.g., CVE-2023-0464) that could be exploited if specific configurations are enabled. Note that some vulnerabilities (like CVE-2023-0286) require non-default CRL checking, but the critical CVE-2023-44487 is exploitable by default. Updating the base image or applying patches is mandatory before any deployment.

Vulnerabilities

Vulnerability Log

115 total

CVE ID	Adjusted Severity	Package	Exploit Probability	Risk Context
CVE-2023-44487	CRITICAL9.75	nghttp2-libs 1.46.0-r0 fixed in 1.46.0-r2	100.0% Actively Exploited	Directly ExposedContext importance: HIGH
CVE-2023-0286	HIGH7.7	libcrypto1.1 1.1.1n-r0 fixed in 1.1.1t-r0	59.5% Actively Exploited	Directly ExposedContext importance: MEDIUM
CVE-2023-0286	HIGH7.7	libssl1.1 1.1.1n-r0 fixed in 1.1.1t-r0	59.5% Actively Exploited	Directly ExposedContext importance: MEDIUM
CVE-2023-0464	HIGH7.5	libcrypto1.1 1.1.1n-r0 fixed in 1.1.1t-r2	3.7% Low-Moderate Risk	Directly Exposed
CVE-2023-0215	HIGH7.5	libssl1.1 1.1.1n-r0 fixed in 1.1.1t-r0	4.5% Low-Moderate Risk	Directly Exposed
CVE-2023-0464	HIGH7.5	libssl1.1 1.1.1n-r0 fixed in 1.1.1t-r2	3.7% Low-Moderate Risk	Directly Exposed
CVE-2023-35945	HIGH7.5	nghttp2-libs 1.46.0-r0 fixed in 1.46.0-r1	1.1% Low-Moderate Risk	Directly Exposed
CVE-2022-4304	MEDIUM6.79	libcrypto1.1 1.1.1n-r0 fixed in 1.1.1t-r0	16.2% High Exploitation Risk	Directly Exposed
CVE-2022-4304	MEDIUM6.79	libssl1.1 1.1.1n-r0 fixed in 1.1.1t-r0	16.2% High Exploitation Risk	Directly Exposed
CVE-2023-2650	MEDIUM6.76	libcrypto1.1 1.1.1n-r0 fixed in 1.1.1u-r0	77.9% Actively Exploited	Directly ExposedContext importance: MEDIUM
CVE-2023-2650	MEDIUM6.76	libssl1.1 1.1.1n-r0 fixed in 1.1.1u-r0	77.9% Actively Exploited	Directly ExposedContext importance: MEDIUM
CVE-2022-29824	MEDIUM6.5	libxml2 2.9.13-r0 fixed in 2.9.14-r0	3.4% Low-Moderate Risk	Directly Exposed
CVE-2023-1999	MEDIUM6.38	libwebp 1.2.2-r0 fixed in 1.2.2-r1	1.0% Theoretical Threat	Directly Exposed
CVE-2022-41409	MEDIUM6.38	pcre2 10.39-r0 fixed in 10.42-r0	1.0% Theoretical Threat	Directly Exposed
CVE-2022-2097	MEDIUM5.3	libcrypto1.1 1.1.1n-r0 fixed in 1.1.1q-r0	2.0% Low-Moderate Risk	Directly Exposed
CVE-2023-0465	MEDIUM5.3	libcrypto1.1 1.1.1n-r0 fixed in 1.1.1t-r2	1.6% Low-Moderate Risk	Directly Exposed
CVE-2023-3446	MEDIUM5.3	libcrypto1.1 1.1.1n-r0 fixed in 1.1.1u-r2	5.5% Low-Moderate Risk	Directly Exposed
CVE-2023-3817	MEDIUM5.3	libcrypto1.1 1.1.1n-r0 fixed in 1.1.1v-r0	2.6% Low-Moderate Risk	Directly Exposed
CVE-2023-5678	MEDIUM5.3	libcrypto1.1 1.1.1n-r0 fixed in 1.1.1w-r1	4.5% Low-Moderate Risk	Directly Exposed
CVE-2022-2097	MEDIUM5.3	libssl1.1 1.1.1n-r0 fixed in 1.1.1q-r0	2.0% Low-Moderate Risk	Directly Exposed
CVE-2023-0465	MEDIUM5.3	libssl1.1 1.1.1n-r0 fixed in 1.1.1t-r2	1.6% Low-Moderate Risk	Directly Exposed
CVE-2023-3446	MEDIUM5.3	libssl1.1 1.1.1n-r0 fixed in 1.1.1u-r2	5.5% Low-Moderate Risk	Directly Exposed
CVE-2023-3817	MEDIUM5.3	libssl1.1 1.1.1n-r0 fixed in 1.1.1v-r0	2.6% Low-Moderate Risk	Directly Exposed
CVE-2023-5678	MEDIUM5.3	libssl1.1 1.1.1n-r0 fixed in 1.1.1w-r1	4.5% Low-Moderate Risk	Directly Exposed
CVE-2023-27533	MEDIUM5.28	curl 7.80.0-r0 fixed in 8.0.1-r0	2.0% Low-Moderate Risk	Post-Exploit
CVE-2023-27534	MEDIUM5.28	curl 7.80.0-r0 fixed in 8.0.1-r0	2.2% Low-Moderate Risk	Post-Exploit
CVE-2023-27533	MEDIUM5.28	libcurl 7.80.0-r0 fixed in 8.0.1-r0	2.0% Low-Moderate Risk	Post-Exploit
CVE-2023-27534	MEDIUM5.28	libcurl 7.80.0-r0 fixed in 8.0.1-r0	2.2% Low-Moderate Risk	Post-Exploit
CVE-2022-43551	MEDIUM5.17	curl 7.80.0-r0 fixed in 7.80.0-r5	17.0% High Exploitation Risk	Post-Exploit
CVE-2022-43551	MEDIUM5.17	libcurl 7.80.0-r0 fixed in 7.80.0-r5	17.0% High Exploitation Risk	Post-Exploit
CVE-2022-22576	MEDIUM4.86	curl 7.80.0-r0 fixed in 7.80.0-r1	1.9% Low-Moderate Risk	Post-Exploit
CVE-2022-42915	MEDIUM4.86	curl 7.80.0-r0 fixed in 7.80.0-r4	2.9% Low-Moderate Risk	Post-Exploit
CVE-2022-22576	MEDIUM4.86	libcurl 7.80.0-r0 fixed in 7.80.0-r1	1.9% Low-Moderate Risk	Post-Exploit
CVE-2022-42915	MEDIUM4.86	libcurl 7.80.0-r0 fixed in 7.80.0-r4	2.9% Low-Moderate Risk	Post-Exploit
CVE-2023-23914	MEDIUM4.64	curl 7.80.0-r0 fixed in 7.80.0-r6	0.9% Theoretical Threat	Post-Exploit
CVE-2023-23914	MEDIUM4.64	libcurl 7.80.0-r0 fixed in 7.80.0-r6	0.9% Theoretical Threat	Post-Exploit
CVE-2023-38545	MEDIUM4.58	curl 7.80.0-r0 fixed in 8.4.0-r0	78.5% Actively Exploited	Post-Exploit
CVE-2023-38545	MEDIUM4.58	libcurl 7.80.0-r0 fixed in 8.4.0-r0	78.5% Actively Exploited	Post-Exploit
CVE-2022-27775	MEDIUM4.5	curl 7.80.0-r0 fixed in 7.80.0-r1	2.8% Low-Moderate Risk	Post-Exploit
CVE-2022-27780	MEDIUM4.5	curl 7.80.0-r0 fixed in 7.80.0-r2	2.2% Low-Moderate Risk	Post-Exploit
CVE-2022-27781	MEDIUM4.5	curl 7.80.0-r0 fixed in 7.80.0-r2	2.4% Low-Moderate Risk	Post-Exploit
CVE-2022-27782	MEDIUM4.5	curl 7.80.0-r0 fixed in 7.80.0-r2	2.6% Low-Moderate Risk	Post-Exploit
CVE-2022-42916	MEDIUM4.5	curl 7.80.0-r0 fixed in 7.80.0-r4	1.6% Low-Moderate Risk	Post-Exploit
CVE-2023-28319	MEDIUM4.5	curl 7.80.0-r0 fixed in 8.1.0-r0	2.5% Low-Moderate Risk	Post-Exploit
CVE-2022-27775	MEDIUM4.5	libcurl 7.80.0-r0 fixed in 7.80.0-r1	2.8% Low-Moderate Risk	Post-Exploit
CVE-2022-27780	MEDIUM4.5	libcurl 7.80.0-r0 fixed in 7.80.0-r2	2.2% Low-Moderate Risk	Post-Exploit
CVE-2022-27781	MEDIUM4.5	libcurl 7.80.0-r0 fixed in 7.80.0-r2	2.4% Low-Moderate Risk	Post-Exploit
CVE-2022-27782	MEDIUM4.5	libcurl 7.80.0-r0 fixed in 7.80.0-r2	2.6% Low-Moderate Risk	Post-Exploit
CVE-2022-42916	MEDIUM4.5	libcurl 7.80.0-r0 fixed in 7.80.0-r4	1.6% Low-Moderate Risk	Post-Exploit
CVE-2023-28319	MEDIUM4.5	libcurl 7.80.0-r0 fixed in 8.1.0-r0	2.5% Low-Moderate Risk	Post-Exploit
CVE-2022-32206	MEDIUM4.48	curl 7.80.0-r0 fixed in 7.80.0-r2	32.0% High Exploitation Risk	Post-Exploit
CVE-2022-32206	MEDIUM4.48	libcurl 7.80.0-r0 fixed in 7.80.0-r2	32.0% High Exploitation Risk	Post-Exploit
CVE-2023-4863	MEDIUM4.12	libwebp 1.2.2-r0 fixed in 1.2.2-r2	99.7% Actively Exploited	Post-Exploit
CVE-2022-37434	MEDIUM4.06	zlib 1.2.11-r3 fixed in 1.2.12-r2	15.9% High Exploitation Risk	Post-Exploit
CVE-2022-27776	LOW3.9	curl 7.80.0-r0 fixed in 7.80.0-r1	3.4% Low-Moderate Risk	Post-Exploit
CVE-2023-23916	LOW3.9	curl 7.80.0-r0 fixed in 7.80.0-r6	1.7% Low-Moderate Risk	Post-Exploit
CVE-2023-46218	LOW3.9	curl 7.80.0-r0 fixed in 8.5.0-r0	1.7% Low-Moderate Risk	Post-Exploit
CVE-2022-27776	LOW3.9	libcurl 7.80.0-r0 fixed in 7.80.0-r1	3.4% Low-Moderate Risk	Post-Exploit
CVE-2023-23916	LOW3.9	libcurl 7.80.0-r0 fixed in 7.80.0-r6	1.7% Low-Moderate Risk	Post-Exploit
CVE-2023-46218	LOW3.9	libcurl 7.80.0-r0 fixed in 8.5.0-r0	1.7% Low-Moderate Risk	Post-Exploit
CVE-2022-32208	LOW3.54	curl 7.80.0-r0 fixed in 7.80.0-r2	5.6% Low-Moderate Risk	Post-Exploit
CVE-2022-43552	LOW3.54	curl 7.80.0-r0 fixed in 7.80.0-r5	2.5% Low-Moderate Risk	Post-Exploit
CVE-2023-27535	LOW3.54	curl 7.80.0-r0 fixed in 8.0.1-r0	1.6% Low-Moderate Risk	Post-Exploit
CVE-2023-27536	LOW3.54	curl 7.80.0-r0 fixed in 8.0.1-r0	1.6% Low-Moderate Risk	Post-Exploit
CVE-2023-27537	LOW3.54	curl 7.80.0-r0 fixed in 8.0.1-r0	1.9% Low-Moderate Risk	Post-Exploit
CVE-2023-28320	LOW3.54	curl 7.80.0-r0 fixed in 8.1.0-r0	2.7% Low-Moderate Risk	Post-Exploit
CVE-2023-28321	LOW3.54	curl 7.80.0-r0 fixed in 8.1.0-r0	1.8% Low-Moderate Risk	Post-Exploit
CVE-2022-32208	LOW3.54	libcurl 7.80.0-r0 fixed in 7.80.0-r2	5.6% Low-Moderate Risk	Post-Exploit
CVE-2022-43552	LOW3.54	libcurl 7.80.0-r0 fixed in 7.80.0-r5	2.5% Low-Moderate Risk	Post-Exploit
CVE-2023-27535	LOW3.54	libcurl 7.80.0-r0 fixed in 8.0.1-r0	1.6% Low-Moderate Risk	Post-Exploit
CVE-2023-27536	LOW3.54	libcurl 7.80.0-r0 fixed in 8.0.1-r0	1.6% Low-Moderate Risk	Post-Exploit
CVE-2023-27537	LOW3.54	libcurl 7.80.0-r0 fixed in 8.0.1-r0	1.9% Low-Moderate Risk	Post-Exploit
CVE-2023-28320	LOW3.54	libcurl 7.80.0-r0 fixed in 8.1.0-r0	2.7% Low-Moderate Risk	Post-Exploit
CVE-2023-28321	LOW3.54	libcurl 7.80.0-r0 fixed in 8.1.0-r0	1.8% Low-Moderate Risk	Post-Exploit
CVE-2022-32207	LOW3.53	curl 7.80.0-r0 fixed in 7.80.0-r2	5.5% Low-Moderate Risk	Post-Exploit
CVE-2022-32221	LOW3.53	curl 7.80.0-r0 fixed in 7.80.0-r4	4.3% Low-Moderate Risk	Post-Exploit
CVE-2022-27404	LOW3.53	freetype 2.11.0-r0 fixed in 2.11.1-r1	2.6% Low-Moderate Risk	Post-Exploit
CVE-2022-32207	LOW3.53	libcurl 7.80.0-r0 fixed in 7.80.0-r2	5.5% Low-Moderate Risk	Post-Exploit
CVE-2022-32221	LOW3.53	libcurl 7.80.0-r0 fixed in 7.80.0-r4	4.3% Low-Moderate Risk	Post-Exploit
CVE-2023-38039	LOW3.51	curl 7.80.0-r0 fixed in 8.3.0-r0	62.2% Actively Exploited	Post-Exploit
CVE-2023-38039	LOW3.51	libcurl 7.80.0-r0 fixed in 8.3.0-r0	62.2% Actively Exploited	Post-Exploit
CVE-2018-25032	LOW3.51	zlib 1.2.11-r3 fixed in 1.2.12-r0	51.7% Actively Exploited	Post-Exploit
CVE-2022-27774	LOW3.42	curl 7.80.0-r0 fixed in 7.80.0-r1	1.6% Low-Moderate Risk	Post-Exploit
CVE-2022-27774	LOW3.42	libcurl 7.80.0-r0 fixed in 7.80.0-r1	1.6% Low-Moderate Risk	Post-Exploit
CVE-2023-23915	LOW3.31	curl 7.80.0-r0 fixed in 7.80.0-r6	0.9% Theoretical Threat	Post-Exploit
CVE-2023-23915	LOW3.31	libcurl 7.80.0-r0 fixed in 7.80.0-r6	0.9% Theoretical Threat	Post-Exploit
CVE-2023-27538	LOW3.3	curl 7.80.0-r0 fixed in 8.0.1-r0	1.2% Low-Moderate Risk	Post-Exploit
CVE-2023-27538	LOW3.3	libcurl 7.80.0-r0 fixed in 8.0.1-r0	1.2% Low-Moderate Risk	Post-Exploit
CVE-2022-1586	LOW3.28	pcre2 10.39-r0 fixed in 10.40-r0	3.0% Low-Moderate Risk	Post-Exploit
CVE-2022-1587	LOW3.28	pcre2 10.39-r0 fixed in 10.40-r0	2.4% Low-Moderate Risk	Post-Exploit
CVE-2023-46219	LOW3.18	curl 7.80.0-r0 fixed in 8.5.0-r0	1.1% Low-Moderate Risk	Post-Exploit
CVE-2023-46219	LOW3.18	libcurl 7.80.0-r0 fixed in 8.5.0-r0	1.1% Low-Moderate Risk	Post-Exploit
CVE-2022-28391	LOW3.17	busybox 1.34.1-r4 fixed in 1.34.1-r5	3.5% Low-Moderate Risk	Post-Exploit
CVE-2022-28391	LOW3.17	ssl_client 1.34.1-r4 fixed in 1.34.1-r5	3.5% Low-Moderate Risk	Post-Exploit
CVE-2022-1271	LOW3.17	xz-libs 5.2.5-r0 fixed in 5.2.5-r1	4.3% Low-Moderate Risk	Post-Exploit
CVE-2022-4450	LOW3.1	libcrypto1.1 1.1.1n-r0 fixed in 1.1.1t-r0	20.4% High Exploitation Risk	Post-Exploit
CVE-2022-4450	LOW3.1	libssl1.1 1.1.1n-r0 fixed in 1.1.1t-r0	20.4% High Exploitation Risk	Post-Exploit
CVE-2022-40303	LOW3.1	libxml2 2.9.13-r0 fixed in 2.9.14-r2	24.2% High Exploitation Risk	Post-Exploit
CVE-2022-32205	LOW2.97	curl 7.80.0-r0 fixed in 7.80.0-r2	26.9% High Exploitation Risk	Post-Exploit
CVE-2022-32205	LOW2.97	libcurl 7.80.0-r0 fixed in 7.80.0-r2	26.9% High Exploitation Risk	Post-Exploit
CVE-2022-40304	LOW2.81	libxml2 2.9.13-r0 fixed in 2.9.14-r2	6.8% Low-Moderate Risk	Post-Exploit
CVE-2022-27405	LOW2.7	freetype 2.11.0-r0 fixed in 2.11.1-r2	2.2% Low-Moderate Risk	Post-Exploit
CVE-2022-27406	LOW2.7	freetype 2.11.0-r0 fixed in 2.11.1-r2	2.5% Low-Moderate Risk	Post-Exploit
CVE-2023-0215	LOW2.7	libcrypto1.1 1.1.1n-r0 fixed in 1.1.1t-r0	4.5% Low-Moderate Risk	Post-Exploit
CVE-2022-2309	LOW2.7	libxml2 2.9.13-r0 fixed in 2.9.14-r1	2.0% Low-Moderate Risk	Post-Exploit
CVE-2022-35252	LOW2.22	curl 7.80.0-r0 fixed in 7.80.0-r3	1.8% Low-Moderate Risk	Post-Exploit
CVE-2023-28322	LOW2.22	curl 7.80.0-r0 fixed in 8.1.0-r0	2.2% Low-Moderate Risk	Post-Exploit
CVE-2023-38546	LOW2.22	curl 7.80.0-r0 fixed in 8.4.0-r0	6.2% Low-Moderate Risk	Post-Exploit
CVE-2022-35252	LOW2.22	libcurl 7.80.0-r0 fixed in 7.80.0-r3	1.8% Low-Moderate Risk	Post-Exploit
CVE-2023-28322	LOW2.22	libcurl 7.80.0-r0 fixed in 8.1.0-r0	2.2% Low-Moderate Risk	Post-Exploit
CVE-2023-38546	LOW2.22	libcurl 7.80.0-r0 fixed in 8.4.0-r0	6.2% Low-Moderate Risk	Post-Exploit
CVE-2023-29491	NONE0	ncurses-libs 6.3_p20211120-r0 fixed in 6.3_p20211120-r2	0.9% Theoretical Threat	Not Applicable
CVE-2023-29491	NONE0	ncurses-terminfo-base 6.3_p20211120-r0 fixed in 6.3_p20211120-r2	0.9% Theoretical Threat	Not Applicable
CVE-2022-29458	NONE0	ncurses-libs 6.3_p20211120-r0 fixed in 6.3_p20211120-r1	1.3% Low-Moderate Risk	Not Applicable
CVE-2022-29458	NONE0	ncurses-terminfo-base 6.3_p20211120-r0 fixed in 6.3_p20211120-r1	1.3% Low-Moderate Risk	Not Applicable