VYPR

apk package

chainguard/argo-workflow-controller

pkg:apk/chainguard/argo-workflow-controller

Vulnerabilities (67)

  • CVE-2024-45338 (Medium) Dec 18, 2024
    affected: < 3.6.2-r2; fixed: 3.6.2-r2

    An attacker can craft an input to the Parse functions that would be processed non-linearly with respect to its length, resulting in extremely slow parsing. This could cause a denial of service.

  • CVE-2024-45337 (Critical) Dec 12, 2024
    affected: < 3.6.2-r1; fixed: 3.6.2-r1

    Applications and libraries which misuse connection.serverAuthenticate (via callback field ServerConfig.PublicKeyCallback) may be susceptible to an authorization bypass. The documentation for ServerConfig.PublicKeyCallback says that "A call to this function does not guarantee that

  • CVE-2024-52798 (High) Dec 5, 2024
    affected: < 3.6.2-r1; fixed: 3.6.2-r1

    path-to-regexp turns path strings into regular expressions. In certain cases, path-to-regexp will output a regular expression that can be exploited to cause poor performance. The regular expression that is vulnerable to backtracking can be generated in the 0.1.x release of path

  • CVE-2024-53862 Dec 2, 2024
    affected: < 3.6.2-r0; fixed: 3.6.2-r0

    Argo Workflows is an open source container-native workflow engine for orchestrating parallel jobs on Kubernetes. When using `--auth-mode=client`, Archived Workflows can be retrieved with a fake or spoofed token via the GET Workflow endpoint: `/api/v1/workflows/{namespace}/{name}`

  • CVE-2024-21538 (High) Nov 8, 2024
    affected: < 3.6.0-r1; fixed: 3.6.0-r1

    Versions of the package cross-spawn before 6.0.6, from 7.0.0 and before 7.0.5 are vulnerable to Regular Expression Denial of Service (ReDoS) due to improper input sanitization. An attacker can increase the CPU usage and crash the program by crafting a very large and well crafted

  • CVE-2024-51744 (Low) Nov 4, 2024
    affected: < 3.5.12-r1; fixed: 3.5.12-r1

    golang-jwt is a Go implementation of JSON Web Tokens. Unclear documentation of the error behavior in `ParseWithClaims` can lead to a situation where users are potentially not checking errors in the way they should be. Especially, if a token is both expired and invalid, the errors r

  • CVE-2024-21536 Oct 19, 2024
    affected: < 3.6.5-r2; fixed: 3.6.5-r2

    Versions of the package http-proxy-middleware before 2.0.7, from 3.0.0 and before 3.0.3 are vulnerable to Denial of Service (DoS) due to an UnhandledPromiseRejection error thrown by micromatch. An attacker could kill the Node.js process and crash the server by making requests to

  • CVE-2024-47875 Oct 11, 2024
    affected: < 3.6.0-r0; fixed: 3.6.0-r0

    DOMPurify is a DOM-only, super-fast, uber-tolerant XSS sanitizer for HTML, MathML and SVG. DOMPurify was vulnerable to nesting-based mXSS. This vulnerability is fixed in 2.5.0 and 3.1.3.

  • CVE-2024-47764 (Medium) Oct 4, 2024
    affected: < 3.6.0-r1; fixed: 3.6.0-r1

    cookie is a basic HTTP cookie parser and serializer for HTTP servers. The cookie name could be used to set other fields of the cookie, resulting in an unexpected cookie value. A similar escape can be used for path and domain, which could be abused to alter other fields of the coo

  • CVE-2024-45801 Sep 16, 2024
    affected: < 3.6.0-r0; fixed: 3.6.0-r0

    DOMPurify is a DOM-only, super-fast, uber-tolerant XSS sanitizer for HTML, MathML and SVG. It has been discovered that malicious HTML using special nesting techniques can bypass the depth checking added to DOMPurify in recent releases. It was also possible to use Prototype Pollut

  • CVE-2024-45590 Sep 10, 2024
    affected: < 3.6.5-r2; fixed: 3.6.5-r2

    body-parser is Node.js body parsing middleware. body-parser < 1.20.3 is vulnerable to denial of service when URL encoding is enabled. A malicious actor using a specially crafted payload could flood the server with a large number of requests, resulting in denial of service. This is

  • CVE-2024-43800 Sep 10, 2024
    affected: < 3.6.5-r2; fixed: 3.6.5-r2

    serve-static serves static files. In serve-static, passing untrusted user input, even after sanitizing it, to redirect() may execute untrusted code. This issue is patched in serve-static 1.16.0.

  • CVE-2024-43799 Sep 10, 2024
    affected: < 3.6.5-r2; fixed: 3.6.5-r2

    Send is a library for streaming files from the file system as an HTTP response. Send passes untrusted user input to SendStream.redirect(), which executes untrusted code. This issue is patched in send 0.19.0.

  • CVE-2024-43796 Sep 10, 2024
    affected: < 3.6.5-r2; fixed: 3.6.5-r2

    Express.js is a minimalist web framework for Node. In express < 4.20.0, passing untrusted user input, even after sanitizing it, to response.redirect() may execute untrusted code. This issue is patched in express 4.20.0.

  • CVE-2024-45296 (High) Sep 9, 2024
    affected: < 3.6.0-r1; fixed: 3.6.0-r1

    path-to-regexp turns path strings into regular expressions. In certain cases, path-to-regexp will output a regular expression that can be exploited to cause poor performance. Because JavaScript is single threaded and regex matching runs on the main thread, poor performance will

  • CVE-2024-34158 (High) Sep 6, 2024
    affected: < 3.6.5-r2; fixed: 3.6.5-r2

    Calling Parse on a "// +build" build tag line with deeply nested expressions can cause a panic due to stack exhaustion.

  • CVE-2024-34156 (High) Sep 6, 2024
    affected: < 3.6.5-r2; fixed: 3.6.5-r2

    Calling Decoder.Decode on a message which contains deeply nested structures can cause a panic due to stack exhaustion. This is a follow-up to CVE-2022-30635.

  • CVE-2024-34155 (Medium) Sep 6, 2024
    affected: < 3.6.5-r2; fixed: 3.6.5-r2

    Calling any of the Parse functions on Go source code which contains deeply nested literals can cause a panic due to stack exhaustion.

  • CVE-2024-43788 Aug 27, 2024
    affected: < 3.6.0-r0; fixed: 3.6.0-r0

    Webpack is a module bundler. Its main purpose is to bundle JavaScript files for usage in a browser, yet it is also capable of transforming, bundling, or packaging just about any resource or asset. The webpack developers have discovered a DOM Clobbering vulnerability in Webpack’s

  • CVE-2024-39338 Aug 9, 2024
    affected: < 3.6.5-r2; fixed: 3.6.5-r2

    axios 1.7.2 allows SSRF via unexpected behavior where requests for path-relative URLs get processed as protocol-relative URLs.