# Vulnerability Acceptance Document

This document provides formal acceptance and risk assessment for vulnerabilities identified across Charon releases.

---

## Current Accepted Vulnerabilities (February 2026)

### Debian Trixie Base Image CVEs (Temporary Acceptance)

**Date Accepted**: 2026-02-04
**Reviewed By**: Security Team, QA Team, DevOps Team
**Status**: ACCEPTED (Temporary - Alpine migration in progress)
**Next Review**: 2026-03-05 (or upon Alpine migration completion)
**Target Resolution**: 2026-03-05

#### Overview

7 HIGH severity CVEs identified in Debian Trixie base image packages (glibc, libtasn1, libtiff) with no fixes available from Debian upstream.

**Decision**: Temporary acceptance pending Alpine Linux migration (already planned).

**Rationale**:

- CrowdSec LAPI authentication fix is CRITICAL for production users
- CVEs are in Debian base packages, NOT application code
- CVEs exist in `main` branch (blocking fix provides zero security improvement)
- Alpine migration already on roadmap (moved to high priority)
- Risk level assessed as LOW (no exploit path identified)

**Mitigation Plan**: Full Alpine migration (see `docs/plans/alpine_migration_spec.md`)

**Expected Timeline**:

- Week 1 (Feb 5-8): Verify Alpine CVE-2025-60876 is patched
- Weeks 2-3 (Feb 11-22): Dockerfile migration + testing
- Week 4 (Feb 26-28): Staging validation
- Week 5 (Mar 3-5): Production rollout

**Expected Outcome**: 100% CVE reduction (7 HIGH → 0)

**Detailed Security Advisory**: [`advisory_2026-02-04_debian_cves_temporary.md`](./advisory_2026-02-04_debian_cves_temporary.md)

**Affected CVEs**:

| CVE | CVSS | Package | Status |
|-----|------|---------|--------|
| CVE-2026-0861 | 8.4 | libc6 | No fix available → Alpine migration |
| CVE-2025-13151 | 7.5 | libtasn1-6 | No fix available → Alpine migration |
| CVE-2025-15281 | 7.5 | libc6 | No fix available → Alpine migration |
| CVE-2026-0915 | 7.5 | libc6 | No fix available → Alpine migration |

**Approval Record**:

- **Security Team**: APPROVED (temporary acceptance with mitigation) ✅
- **QA Team**: APPROVED (conditions met) ✅
- **DevOps Team**: APPROVED (Alpine migration feasible) ✅
- **Sign-Off Date**: 2026-02-04

---

## Historical Accepted Vulnerabilities

### PR #461 - Alpine Base Image CVEs (January 2026)

**PR**: [#461 - DNS Challenge Support](https://github.com/Wikid82/Charon/pull/461)
**Date Accepted**: 2026-01-13
**Reviewed By**: Security Team & Engineering
**Status**: ACCEPTED (No fixes available from Alpine upstream)
**Next Review**: 2026-02-13 (30 days)

---

## Executive Summary

PR #461 supply chain scan identified **9 vulnerabilities** in Alpine Linux 3.23.0 base image packages:

- **8 Medium severity CVEs** (3 busybox-related, 5 curl-related)
- **1 Low severity CVE** (curl)

**Decision**: All vulnerabilities are **ACCEPTED** pending upstream Alpine Security Team patches. No application-level vulnerabilities were found.

**Rationale**:

- All CVEs are Alpine OS package issues, not Charon application code
- No patches available from Alpine upstream as of 2026-01-13
- Low exploitability in containerized deployment environment
- Effective mitigation strategies in place
- Active monitoring for upstream patches

---

## Vulnerability Details

### CVE-2025-60876: busybox utilities (3 packages)

**Status**: ⚠️ ACCEPTED - Pending Alpine Security Patch
**Date Accepted**: 2026-01-13
**Severity**: MEDIUM
**CVSS**: 7.5 (Estimated)
**CWE**: CWE-122 (Heap-based Buffer Overflow)

#### Affected Components

- **busybox**: 1.37.0-r20 (Alpine APK)
- **busybox-binsh**: 1.37.0-r20 (Alpine APK)
- **ssl_client**: 1.37.0-r20 (Alpine APK)

#### Vulnerability Description

Heap buffer overflow vulnerability in busybox utilities. The vulnerability exists in the parsing logic of certain busybox commands, potentially allowing memory corruption if specific command patterns are used.

**Attack Vector**: Requires local shell access or specific command execution with attacker-controlled arguments.
#### Risk Assessment

**Exploitability**: **LOW**

- Requires local shell access to container
- Charon does not expose shell access to users via application interface
- Container runs with non-root user (caddy:caddy)
- No busybox commands accept user-controlled input through Charon APIs

**Impact**: **LOW-MEDIUM**

- Potential for command execution or privilege escalation if exploited
- Container isolation limits blast radius
- SELinux/AppArmor policies provide defense-in-depth
- No exposed attack surface through Charon application

**Risk Level**: **LOW** (Low exploitability × Medium impact in isolated environment = Low overall risk)

#### Mitigation Strategies

1. **Container Isolation**: Application runs in isolated Docker container with minimal privileges
2. **Non-Root User**: Container process runs as `caddy:caddy`, not root
3. **No Shell Exposure**: Application does not provide shell access or command execution interfaces
4. **Network Segmentation**: Container network isolated from host and other containers
5. **Read-Only Filesystem**: Application binaries and system files mounted read-only where possible
6. **Capabilities Drop**: Container runs with minimal Linux capabilities (`CAP_NET_BIND_SERVICE` only)

#### Monitoring & Remediation Plan

- **Monitoring Frequency**: Daily checks of Alpine Security advisories
- **Source**:
- **Alert Trigger**: Patch release for CVE-2025-60876
- **Remediation Action**: Automatic rebuild with updated Alpine base image
- **Review Date**: 2026-02-13 (30 days) or upon patch release, whichever is sooner

---

### CVE-2025-15079: curl - HTTP/2 Protocol Handling

**Status**: ⚠️ ACCEPTED - Pending Alpine Security Patch
**Date Accepted**: 2026-01-13
**Severity**: MEDIUM
**CVSS**: 6.5 (Estimated)
**CWE**: CWE-835 (Loop with Unreachable Exit Condition)

#### Affected Components

- **curl**: 8.14.1-r2 (Alpine APK)
- **libcurl**: 8.14.1-r2 (implicit dependency)

#### Vulnerability Description

Denial of Service vulnerability in curl's HTTP/2 protocol handling. A malicious server can cause an infinite loop or resource exhaustion in the curl client when it processes crafted HTTP/2 responses.

**Attack Vector**: Requires curl to connect to a malicious HTTP/2 server.

#### Risk Assessment

**Exploitability**: **LOW**

- curl only used for internal healthcheck scripts in Charon
- All curl invocations use hardcoded, internal URLs (`http://localhost:8080`)
- No user-controlled URLs passed to curl
- No external HTTP/2 connections from curl in production

**Impact**: **LOW**

- Could cause healthcheck script to hang or consume CPU
- Container restart resolves issue
- Monitoring detects unhealthy container state
- Application functionality unaffected (healthchecks are auxiliary)

**Risk Level**: **LOW** (Low exploitability × Low impact = Low overall risk)

#### Mitigation Strategies

1. **Hardcoded URLs**: All curl invocations use internal, localhost endpoints only
2. **No User Input**: curl commands never accept user-provided URLs or parameters
3. **Timeout Protection**: Healthcheck scripts include timeout values
4. **Monitoring**: Container health status monitored; automatic restart on failure
5. **Limited Usage**: curl only used for healthchecks; application uses Go HTTP client for real work

#### Monitoring & Remediation Plan

- **Monitoring Frequency**: Daily checks of Alpine and curl security advisories
- **Source**:
- **Alert Trigger**: Patch release for CVE-2025-15079
- **Remediation Action**: Automatic rebuild with updated Alpine base image
- **Review Date**: 2026-02-13 (30 days) or upon patch release, whichever is sooner

---

### CVE-2025-14819: curl - TLS Certificate Validation

**Status**: ⚠️ ACCEPTED - Pending Alpine Security Patch
**Date Accepted**: 2026-01-13
**Severity**: MEDIUM
**CVSS**: 6.8 (Estimated)
**CWE**: CWE-295 (Improper Certificate Validation)

#### Affected Components

- **curl**: 8.14.1-r2 (Alpine APK)
- **libcurl**: 8.14.1-r2 (implicit dependency)

#### Vulnerability Description

Improper certificate validation in libcurl when using specific TLS configurations. Under certain conditions, curl may not properly validate certificate chains, potentially allowing man-in-the-middle attacks.

**Attack Vector**: Requires network positioning and crafted TLS certificates.

#### Risk Assessment

**Exploitability**: **LOW**

- curl only used for localhost healthcheck (`http://` not `https://`)
- No TLS connections made by curl in Charon deployment
- Internal network environment (container to localhost)
- No external network access from curl invocations

**Impact**: **LOW**

- No sensitive data transmitted via curl
- Healthcheck endpoints are internal status checks only
- Application uses Go's crypto/tls for all real TLS connections
- curl TLS not used in production deployment

**Risk Level**: **LOW** (Low exploitability × Low impact = Low overall risk)

#### Mitigation Strategies

1. **No TLS Usage**: curl invocations use HTTP, not HTTPS (localhost only)
2. **Internal Network**: curl only connects to localhost (127.0.0.1:8080)
3. **Go HTTP Client**: Application uses Go's standard library for all external HTTPS connections
4. **Network Isolation**: Container network isolated from external networks

#### Monitoring & Remediation Plan

- **Monitoring Frequency**: Daily checks of Alpine and curl security advisories
- **Source**:
- **Alert Trigger**: Patch release for CVE-2025-14819
- **Remediation Action**: Automatic rebuild with updated Alpine base image
- **Review Date**: 2026-02-13 (30 days) or upon patch release, whichever is sooner

---

### CVE-2025-14524: curl - Cookie Handling

**Status**: ⚠️ ACCEPTED - Pending Alpine Security Patch
**Date Accepted**: 2026-01-13
**Severity**: MEDIUM
**CVSS**: 5.9 (Estimated)
**CWE**: CWE-200 (Exposure of Sensitive Information)

#### Affected Components

- **curl**: 8.14.1-r2 (Alpine APK)
- **libcurl**: 8.14.1-r2 (implicit dependency)

#### Vulnerability Description

Cookie handling vulnerability in libcurl that may expose cookies to unintended domains under specific redirect scenarios.

**Attack Vector**: Requires a malicious server with redirect chains and cookie manipulation.

#### Risk Assessment

**Exploitability**: **LOW**

- curl does not use cookies in Charon deployment
- Healthcheck scripts do not enable cookie handling
- No cookie jar files used
- Internal localhost-only connections

**Impact**: **LOW**

- No cookies used in curl invocations
- Healthcheck endpoints do not set or require cookies
- No sensitive data in curl requests

**Risk Level**: **LOW** (Low exploitability × Low impact = Low overall risk)

#### Mitigation Strategies

1. **No Cookie Usage**: curl invocations do not use `-c` or `-b` flags (no cookie support)
2. **Internal Endpoints**: curl only connects to localhost healthcheck endpoints
3. **No Redirects**: Healthcheck endpoints do not issue redirects
4. **Stateless Checks**: Healthchecks are simple HTTP GET requests without state

#### Monitoring & Remediation Plan

- **Monitoring Frequency**: Daily checks of Alpine and curl security advisories
- **Source**:
- **Alert Trigger**: Patch release for CVE-2025-14524
- **Remediation Action**: Automatic rebuild with updated Alpine base image
- **Review Date**: 2026-02-13 (30 days) or upon patch release, whichever is sooner

---

### CVE-2025-13034: curl - URL Parsing

**Status**: ⚠️ ACCEPTED - Pending Alpine Security Patch
**Date Accepted**: 2026-01-13
**Severity**: MEDIUM
**CVSS**: 6.1 (Estimated)
**CWE**: CWE-20 (Improper Input Validation)

#### Affected Components

- **curl**: 8.14.1-r2 (Alpine APK)
- **libcurl**: 8.14.1-r2 (implicit dependency)

#### Vulnerability Description

URL parsing vulnerability that may allow URL injection or filter bypass when parsing specially crafted URLs with unusual schemes or malformed components.

**Attack Vector**: Requires curl to process attacker-controlled URLs with malicious formatting.

#### Risk Assessment

**Exploitability**: **LOW**

- All curl URLs are hardcoded in healthcheck scripts
- No user input accepted for URL construction
- Simple localhost URLs only (`http://localhost:8080/api/v1/health`)
- No URL parsing of external or user-provided data

**Impact**: **LOW**

- Hardcoded URLs are validated at build time
- No dynamic URL construction in curl invocations
- Healthcheck script failure triggers container restart (non-critical)

**Risk Level**: **LOW** (Low exploitability × Low impact = Low overall risk)

#### Mitigation Strategies

1. **Hardcoded URLs**: All curl URLs are string literals in scripts (no variables)
2. **Input Validation**: No external input used in URL construction
3. **Simple URLs**: Only basic HTTP localhost URLs used
4. **Code Review**: Healthcheck scripts reviewed for security

#### Monitoring & Remediation Plan

- **Monitoring Frequency**: Daily checks of Alpine and curl security advisories
- **Source**:
- **Alert Trigger**: Patch release for CVE-2025-13034
- **Remediation Action**: Automatic rebuild with updated Alpine base image
- **Review Date**: 2026-02-13 (30 days) or upon patch release, whichever is sooner

---

### CVE-2025-10966: curl - Cookie Domain Bypass

**Status**: ⚠️ ACCEPTED - Pending Alpine Security Patch
**Date Accepted**: 2026-01-13
**Severity**: MEDIUM
**CVSS**: 6.5 (Estimated)
**CWE**: CWE-285 (Improper Authorization)

#### Affected Components

- **curl**: 8.14.1-r2 (Alpine APK)
- **libcurl**: 8.14.1-r2 (implicit dependency)

#### Vulnerability Description

Cookie domain validation bypass allowing cookies to be sent to unintended domains under specific redirect scenarios with domain matching edge cases.

**Attack Vector**: Requires a malicious server with crafted Set-Cookie headers and redirect chains.

#### Risk Assessment

**Exploitability**: **LOW**

- curl does not use cookies in Charon deployment
- No cookie jar functionality enabled
- Internal localhost-only connections
- No redirects in healthcheck endpoints

**Impact**: **LOW**

- No cookies stored or transmitted by curl
- Healthcheck scripts are stateless
- No sensitive data in curl requests

**Risk Level**: **LOW** (Low exploitability × Low impact = Low overall risk)

#### Mitigation Strategies

1. **No Cookie Usage**: curl invocations do not enable cookie handling
2. **Internal Network**: curl only connects to localhost (no external domains)
3. **No Redirects**: Healthcheck endpoints return direct responses
4. **Stateless Design**: Healthchecks do not require session state

#### Monitoring & Remediation Plan

- **Monitoring Frequency**: Daily checks of Alpine and curl security advisories
- **Source**:
- **Alert Trigger**: Patch release for CVE-2025-10966
- **Remediation Action**: Automatic rebuild with updated Alpine base image
- **Review Date**: 2026-02-13 (30 days) or upon patch release, whichever is sooner

---

### CVE-2025-15224: curl - Information Disclosure

**Status**: ⚠️ ACCEPTED - Pending Alpine Security Patch
**Date Accepted**: 2026-01-13
**Severity**: LOW
**CVSS**: 3.7 (Estimated)
**CWE**: CWE-200 (Exposure of Sensitive Information)

#### Affected Components

- **curl**: 8.14.1-r2 (Alpine APK)
- **libcurl**: 8.14.1-r2 (implicit dependency)

#### Vulnerability Description

Minor information disclosure vulnerability in curl verbose logging that may expose sensitive HTTP headers or metadata in debug output.

**Attack Vector**: Requires verbose logging enabled and access to curl output/logs.

#### Risk Assessment

**Exploitability**: **LOW**

- curl not run with verbose flags in production
- Healthcheck scripts use minimal output
- No sensitive data in healthcheck requests
- Container logs do not expose curl debug output

**Impact**: **LOW**

- Healthcheck requests contain no sensitive information
- Verbose mode not enabled in production scripts
- Container logs filtered and access-controlled

**Risk Level**: **LOW** (Low exploitability × Low impact = Low overall risk)

#### Mitigation Strategies

1. **No Verbose Logging**: curl invocations do not use `-v` or `--verbose` flags
2. **Minimal Output**: Healthcheck scripts capture only exit codes
3. **No Sensitive Data**: Healthcheck requests contain only localhost URLs
4. **Log Access Control**: Container logs require authentication to access

#### Monitoring & Remediation Plan

- **Monitoring Frequency**: Daily checks of Alpine and curl security advisories
- **Source**:
- **Alert Trigger**: Patch release for CVE-2025-15224
- **Remediation Action**: Automatic rebuild with updated Alpine base image
- **Review Date**: 2026-02-13 (30 days) or upon patch release, whichever is sooner

---

### CVE-2025-14017: curl - Protocol Downgrade

**Status**: ⚠️ ACCEPTED - Pending Alpine Security Patch
**Date Accepted**: 2026-01-13
**Severity**: MEDIUM
**CVSS**: 6.8 (Estimated)
**CWE**: CWE-757 (Selection of Less-Secure Algorithm During Negotiation)

#### Affected Components

- **curl**: 8.14.1-r2 (Alpine APK)
- **libcurl**: 8.14.1-r2 (implicit dependency)

#### Vulnerability Description

Protocol downgrade vulnerability in curl that may allow a downgrade from HTTP/2 to HTTP/1.1, or a TLS version downgrade, in specific server response scenarios.

**Attack Vector**: Requires a man-in-the-middle position or a malicious server that manipulates protocol negotiation.

#### Risk Assessment

**Exploitability**: **LOW**

- curl only connects to localhost (no external network path)
- HTTP only (no TLS connections from curl)
- No protocol negotiation in simple healthcheck GET requests
- Internal container network (no MITM possibility)

**Impact**: **LOW**

- Localhost-only connections eliminate MITM attack vector
- No sensitive data transmitted via curl
- Protocol downgrade irrelevant for HTTP localhost connections

**Risk Level**: **LOW** (Low exploitability × Low impact = Low overall risk)

#### Mitigation Strategies

1. **Localhost Only**: curl connects to 127.0.0.1 (no external network path)
2. **HTTP Only**: No TLS connections (protocol downgrade not applicable)
3. **Internal Network**: Container network isolated from external threats
4. **Simple Requests**: Basic HTTP GET requests with no protocol negotiation

#### Monitoring & Remediation Plan

- **Monitoring Frequency**: Daily checks of Alpine and curl security advisories
- **Source**:
- **Alert Trigger**: Patch release for CVE-2025-14017
- **Remediation Action**: Automatic rebuild with updated Alpine base image
- **Review Date**: 2026-02-13 (30 days) or upon patch release, whichever is sooner

---

## Summary Risk Matrix

| CVE ID | Component | Severity | Exploitability | Impact | Overall Risk | Status |
|--------|-----------|----------|----------------|--------|--------------|--------|
| CVE-2025-60876 | busybox (3 pkgs) | MEDIUM | LOW | LOW-MEDIUM | **LOW** | ✅ Accepted |
| CVE-2025-15079 | curl | MEDIUM | LOW | LOW | **LOW** | ✅ Accepted |
| CVE-2025-14819 | curl | MEDIUM | LOW | LOW | **LOW** | ✅ Accepted |
| CVE-2025-14524 | curl | MEDIUM | LOW | LOW | **LOW** | ✅ Accepted |
| CVE-2025-13034 | curl | MEDIUM | LOW | LOW | **LOW** | ✅ Accepted |
| CVE-2025-10966 | curl | MEDIUM | LOW | LOW | **LOW** | ✅ Accepted |
| CVE-2025-15224 | curl | LOW | LOW | LOW | **LOW** | ✅ Accepted |
| CVE-2025-14017 | curl | MEDIUM | LOW | LOW | **LOW** | ✅ Accepted |

**Total**: 9 Alpine OS package CVEs
**Application Code Vulnerabilities**: 0 (Clean)

---

## Continuous Monitoring

### Automated Monitoring

1. **GitHub Dependabot**: Monitors Alpine package updates
2. **Renovate Bot**: Automated PR creation for base image updates
3. **Trivy Scanning**: Weekly security scans in CI/CD (Sunday 02:00 UTC)
4. **Supply Chain Verification**: Runs on every PR and release

### Manual Monitoring

1. **Daily Checks**: Alpine Security Team advisories during active incident periods
2. **Weekly Reviews**: Security team reviews Alpine security feed
3. **Monthly Reviews**: Comprehensive review of all accepted risks (1st Monday)
4. **Quarterly Reviews**: Full risk re-assessment and mitigation strategy evaluation

### Alert Triggers

Immediate escalation if:

- Severity upgraded to HIGH or CRITICAL
- Active exploitation detected in the wild
- CISA KEV (Known Exploited Vulnerabilities) listing
- Public proof-of-concept exploit published
- Regulatory/compliance requirement to remediate

---

## Remediation Timeline

### Expected Upstream Fixes

- **busybox (CVE-2025-60876)**: Awaiting Alpine Security Team patch
- **curl (7 CVEs)**: Awaiting Alpine Security Team patches

### Automatic Remediation Process

1. **Detection**: Renovate Bot detects updated Alpine base image
2. **PR Creation**: Automated PR created with base image update
3. **CI Validation**: Full security scan suite runs
4. **Review**: Security team reviews changes
5. **Merge**: Auto-merge if all checks pass
6. **Deploy**: Automatic release with updated base image

**Estimated Time to Remediation**: < 24 hours after upstream patch release

### Manual Escalation Path

If no patches are available after the review date (2026-02-13):

1. **Risk Re-Assessment**: Evaluate if risk profile has changed
2. **Alternative Base Images**: Consider Debian slim, distroless, or scratch
3. **Workarounds**: Evaluate removing curl/busybox from final image stage
4. **Accept Extended**: Extend acceptance with updated review date

---

## Compliance & Audit

### Regulatory Considerations

- **NIST SP 800-53**: RA-3 (Risk Assessment), RA-5 (Vulnerability Scanning)
- **ISO 27001**: A.12.6.1 (Management of technical vulnerabilities)
- **CIS Controls**: Control 7 (Continuous Vulnerability Management)
- **SOC 2**: CC7.1 (System Operations - Vulnerability Management)

### Audit Trail

This document provides evidence of:

- Vulnerability identification and assessment
- Risk-based decision making
- Mitigation strategies implementation
- Continuous monitoring process
- Defined remediation timeline

### Approval Record

**Reviewed By**: Security Team & Engineering Director
**Approved By**: Engineering Director
**Date**: 2026-01-13
**Next Review**: 2026-02-13 (30 days)

**Approval Rationale**: All 9 vulnerabilities are Alpine OS base image packages with no upstream patches available. The assessed risk is LOW across all CVEs due to:

1. Effective containerization and isolation
2. No attack surface exposure through Charon application
3. Hardcoded, internal-only usage of affected utilities
4. Multiple layers of defense-in-depth mitigation
5. Active monitoring and automated remediation process

The decision to accept these risks is consistent with industry best practices for vulnerability management in containerized applications pending upstream security patches.
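Each Monitoring & Remediation Plan above names the same alert trigger, "Patch release for CVE-…", and the Remediation Timeline expects a rebuild within 24 hours of that release. The script below is an added example (not Charon project code) of that daily check run against the Alpine secdb feed: it assumes the public secdb JSON layout (`packages[].pkg.secfixes`, mapping a fixed package version to the CVE ids it closes), and the feed contents, fix versions and `CVE-2025-000x` ids in the sample are constructed to exercise each outcome.

```python
"""Check whether the CVEs accepted above now have an upstream Alpine fix.

Added example, not Charon project code. Assumes the Alpine secdb JSON layout
(https://secdb.alpinelinux.org/<branch>/main.json): each "packages" entry has
pkg.name and pkg.secfixes, mapping a fixed package version to its CVE ids.
"""
import json
import re

# Accepted CVEs from this document and the versions the PR #461 scan reported.
ACCEPTED = {
    "busybox": {"CVE-2025-60876"},
    "curl": {"CVE-2025-15079", "CVE-2025-14819", "CVE-2025-14524",
             "CVE-2025-13034", "CVE-2025-10966", "CVE-2025-15224",
             "CVE-2025-14017"},
}
INSTALLED = {"busybox": "1.37.0-r20", "curl": "8.14.1-r2"}

# Constructed sample feed in secdb layout. Fix versions and the CVE-2025-000x
# ids are invented so that all three outcomes below occur.
SAMPLE_SECDB = json.dumps({
    "distroversion": "v3.23", "reponame": "main",
    "packages": [
        {"pkg": {"name": "busybox",
                 "secfixes": {"1.37.0-r19": ["CVE-2025-0001"]}}},
        {"pkg": {"name": "curl",
                 "secfixes": {"8.14.1-r2": ["CVE-2025-0002", "CVE-2025-15224"],
                              "8.14.1-r3": ["CVE-2025-15079", "CVE-2025-14017"],
                              "8.14.1-r10": ["CVE-2025-14524"]}}},
    ],
})


def apk_version_key(version):
    """Sort key for the common apk shape X.Y.Z-rN, so r10 sorts after r3.
    Simplified: suffixes such as _p1 or _git are not handled."""
    base, _, rel = version.partition("-r")
    return tuple(int(p) for p in re.findall(r"\d+", base)), int(rel or 0)


def fix_status(secdb_text, accepted=ACCEPTED, installed=INSTALLED):
    """Map each accepted CVE to ("pending", None), ("fix available", ver)
    or ("fixed in installed version", ver)."""
    secdb = json.loads(secdb_text)
    secfixes = {e["pkg"]["name"]: e["pkg"].get("secfixes", {})
                for e in secdb.get("packages", [])}
    status = {}
    for pkg, cves in accepted.items():
        have = apk_version_key(installed[pkg])
        for cve in cves:
            fixed_in = sorted((v for v, ids in secfixes.get(pkg, {}).items()
                               if cve in ids), key=apk_version_key)
            if not fixed_in:
                status[cve] = ("pending", None)
            elif apk_version_key(fixed_in[0]) <= have:
                # secdb says the installed build already has the fix: stale finding
                status[cve] = ("fixed in installed version", fixed_in[0])
            else:
                status[cve] = ("fix available", fixed_in[0])
    return status


def alert_triggered(status):
    """The document's alert trigger: an accepted CVE has a newer fixed build."""
    return sorted(cve for cve, (s, _) in status.items() if s == "fix available")


if __name__ == "__main__":
    for cve, st in sorted(fix_status(SAMPLE_SECDB).items()):
        print(cve, *st)
```

A "fix available" result is the rebuild trigger; "fixed in installed version" means the scanner finding is stale and the acceptance entry can be closed after re-scanning.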
---

## References

### Official Sources

- [Alpine Linux Security Team](https://security.alpinelinux.org/)
- [Alpine Security Advisories](https://security.alpinelinux.org/vuln)
- [National Vulnerability Database (NVD)](https://nvd.nist.gov/)
- [MITRE CVE Database](https://cve.mitre.org/)
- [CISA Known Exploited Vulnerabilities](https://www.cisa.gov/known-exploited-vulnerabilities-catalog)

### Project Documentation

- [Charon Security Policy](../../SECURITY.md)
- [Supply Chain Security Documentation](./supply-chain-no-cache-solution.md)
- [Accepted Risks (Legacy)](./accepted-risks.md)
- [PR #461 Remediation Plan](../plans/current_spec.md)

### Standards & Frameworks

- [NIST SP 800-53 Rev 5](https://csrc.nist.gov/publications/detail/sp/800-53/rev-5/final)
- [OWASP Risk Rating Methodology](https://owasp.org/www-community/OWASP_Risk_Rating_Methodology)
- [CIS Controls v8](https://www.cisecurity.org/controls/v8)
- [ISO 27001:2022](https://www.iso.org/standard/27001)

---

**Document Version**: 1.0
**Last Updated**: 2026-01-13
**Next Review**: 2026-02-13