apk package

chainguard/argo-workflow-executor-compat

pkg:apk/chainguard/argo-workflow-executor-compat

Vulnerabilities (67)

CVE	Sev	CVSS	Affected versions	Fixed in	Published	Description
CVE-2024-41110	Cri	9.9	< 3.6.5-r2	3.6.5-r2	Jul 24, 2024	Moby is an open-source project created by Docker for software containerization. A security vulnerability has been detected in certain versions of Docker Engine, which could allow an attacker to bypass authorization plugins (AuthZ) under specific circumstances. The base likelihood
CVE-2024-24791	Hig	7.5	< 3.6.5-r2	3.6.5-r2	Jul 2, 2024	The net/http HTTP/1.1 client mishandled the case where a server responds to a request with an "Expect: 100-continue" header with a non-informational (200 or higher) status. This mishandling could leave a client connection in an invalid state, where the next request sent on the co
CVE-2023-24531	Cri	9.8	< 3.6.5-r2	3.6.5-r2	Jul 2, 2024	Command go env is documented as outputting a shell script containing the Go environment. However, go env doesn't sanitize values, so executing its output as a shell script can cause various bad bahaviors, including executing arbitrary commands or inserting new environment variabl
CVE-2024-37890	Hig	7.5	< 3.6.5-r2	3.6.5-r2	Jun 17, 2024	ws is an open source WebSocket client and server for Node.js. A request with a number of headers exceeding theserver.maxHeadersCount threshold could be used to crash a ws server. The vulnerability was fixed in ws@8.17.1 (e55e510) and backported to ws@7.5.10 (22c2876), ws@6.2.3 (e
CVE-2024-35255		—	< 3.5.7-r2	3.5.7-r2	Jun 11, 2024	Azure Identity Libraries and Microsoft Authentication Library Elevation of Privilege Vulnerability
CVE-2024-24789		—	< 3.6.5-r2	3.6.5-r2	Jun 5, 2024	The archive/zip package's handling of certain types of invalid zip files differs from the behavior of most zip implementations. This misalignment could be exploited to create an zip file with contents that vary depending on the implementation reading the file. The archive/zip pac
CVE-2024-24790		—	< 3.6.5-r2	3.6.5-r2	Jun 5, 2024	The various Is methods (IsPrivate, IsLoopback, etc) did not work as expected for IPv4-mapped IPv6 addresses, returning false for addresses which would return true in their traditional IPv4 forms.
CVE-2024-4068		—	< 3.6.5-r2	3.6.5-r2	May 13, 2024	The NPM package `braces`, versions prior to 3.0.3, fails to limit the number of characters it can handle, which could lead to Memory Exhaustion. In `lib/parse.js,` if a malicious user sends "imbalanced braces" as input, the parsing will enter a loop, which will cause the program
CVE-2024-4067		—	< 3.6.0-r1	3.6.0-r1	May 13, 2024	The NPM package `micromatch` prior to 4.0.8 is vulnerable to Regular Expression Denial of Service (ReDoS). The vulnerability occurs in `micromatch.braces()` in `index.js` because the pattern `.*` will greedily match anything. By passing a malicious payload, the pattern matching w
CVE-2024-24787	Med	6.4	< 3.6.5-r2	3.6.5-r2	May 8, 2024	On Darwin, building a Go module which contains CGO can trigger arbitrary code execution when using the Apple version of ld, due to usage of the -lto_library flag in a "#cgo LDFLAGS" directive.
CVE-2023-45288	Hig	7.5	< 3.6.5-r2	3.6.5-r2	Apr 4, 2024	An attacker may cause an HTTP/2 endpoint to read arbitrary amounts of header data by sending an excessive number of CONTINUATION frames. Maintaining HPACK state requires parsing and processing all HEADERS and CONTINUATION frames on a connection. When a request's headers exceed Ma
CVE-2024-29041		—	< 3.6.5-r2	3.6.5-r2	Mar 25, 2024	Express.js minimalist web framework for node. Versions of Express.js prior to 4.19.0 and all pre-release alpha and beta versions of 5.0 are affected by an open redirect vulnerability using malformed URLs. When a user of Express performs a redirect using a user-provided URL Expres
CVE-2024-29180		—	< 3.6.5-r2	3.6.5-r2	Mar 21, 2024	Prior to versions 7.1.0, 6.1.2, and 5.3.4, the webpack-dev-middleware development middleware for devpack does not validate the supplied URL address sufficiently before returning the local file. It is possible to access any file on the developer's machine. The middleware can eithe
CVE-2024-28180		—	< 3.5.5-r2	3.5.5-r2	Mar 9, 2024	Package jose aims to provide an implementation of the Javascript Object Signing and Encryption set of standards. An attacker could send a JWE containing compressed data that used large amounts of memory and CPU when decompressed by Decrypt or DecryptMulti. Those functions now ret
CVE-2024-27304	Cri	9.8	< 3.5.5-r3	3.5.5-r3	Mar 6, 2024	pgx is a PostgreSQL driver and toolkit for Go. SQL injection can occur if an attacker can cause a single query or bind message to exceed 4 GB in size. An integer overflow in the calculated message size can cause the one large message to be sent as multiple messages under the atta
CVE-2024-27289	Hig	8.1	< 3.5.5-r3	3.5.5-r3	Mar 6, 2024	pgx is a PostgreSQL driver and toolkit for Go. Prior to version 4.18.2, SQL injection can occur when all of the following conditions are met: the non-default simple protocol is used; a placeholder for a numeric value must be immediately preceded by a minus; there must be a second
CVE-2024-24786	Hig	7.5	< 3.5.5-r4	3.5.5-r4	Mar 5, 2024	The protojson.Unmarshal function can enter an infinite loop when unmarshaling certain forms of invalid JSON. This condition can occur when unmarshaling into a message which contains a google.protobuf.Any value, or when the UnmarshalOptions.DiscardUnknown option is set.
CVE-2024-24785	Med	5.4	< 3.6.5-r2	3.6.5-r2	Mar 5, 2024	If errors returned from MarshalJSON methods contain user controlled data, they may be used to break the contextual auto-escaping behavior of the html/template package, allowing for subsequent actions to inject unexpected content into templates.
CVE-2024-24784	Hig	7.5	< 3.6.5-r2	3.6.5-r2	Mar 5, 2024	The ParseAddressList function incorrectly handles comments (text within parentheses) within display names. Since this is a misalignment with conforming address parsers, it can result in different trust decisions being made by programs using different parsers.
CVE-2024-24783	Med	5.9	< 3.6.5-r2	3.6.5-r2	Mar 5, 2024	Verifying a certificate chain which contains a certificate with an unknown public key algorithm will cause Certificate.Verify to panic. This affects all crypto/tls clients, and servers that set Config.ClientAuth to VerifyClientCertIfGiven or RequireAndVerifyClientCert. The defaul

CVE-2024-41110CriJul 24, 2024
affected < 3.6.5-r2fixed 3.6.5-r2
Moby is an open-source project created by Docker for software containerization. A security vulnerability has been detected in certain versions of Docker Engine, which could allow an attacker to bypass authorization plugins (AuthZ) under specific circumstances. The base likelihood
CVE-2024-24791HigJul 2, 2024
affected < 3.6.5-r2fixed 3.6.5-r2
The net/http HTTP/1.1 client mishandled the case where a server responds to a request with an "Expect: 100-continue" header with a non-informational (200 or higher) status. This mishandling could leave a client connection in an invalid state, where the next request sent on the co
CVE-2023-24531CriJul 2, 2024
affected < 3.6.5-r2fixed 3.6.5-r2
Command go env is documented as outputting a shell script containing the Go environment. However, go env doesn't sanitize values, so executing its output as a shell script can cause various bad bahaviors, including executing arbitrary commands or inserting new environment variabl
CVE-2024-37890HigJun 17, 2024
affected < 3.6.5-r2fixed 3.6.5-r2
ws is an open source WebSocket client and server for Node.js. A request with a number of headers exceeding theserver.maxHeadersCount threshold could be used to crash a ws server. The vulnerability was fixed in ws@8.17.1 (e55e510) and backported to ws@7.5.10 (22c2876), ws@6.2.3 (e
CVE-2024-35255Jun 11, 2024
affected < 3.5.7-r2fixed 3.5.7-r2
Azure Identity Libraries and Microsoft Authentication Library Elevation of Privilege Vulnerability
CVE-2024-24789Jun 5, 2024
affected < 3.6.5-r2fixed 3.6.5-r2
The archive/zip package's handling of certain types of invalid zip files differs from the behavior of most zip implementations. This misalignment could be exploited to create an zip file with contents that vary depending on the implementation reading the file. The archive/zip pac
CVE-2024-24790Jun 5, 2024
affected < 3.6.5-r2fixed 3.6.5-r2
The various Is methods (IsPrivate, IsLoopback, etc) did not work as expected for IPv4-mapped IPv6 addresses, returning false for addresses which would return true in their traditional IPv4 forms.
CVE-2024-4068May 13, 2024
affected < 3.6.5-r2fixed 3.6.5-r2
The NPM package `braces`, versions prior to 3.0.3, fails to limit the number of characters it can handle, which could lead to Memory Exhaustion. In `lib/parse.js,` if a malicious user sends "imbalanced braces" as input, the parsing will enter a loop, which will cause the program
CVE-2024-4067May 13, 2024
affected < 3.6.0-r1fixed 3.6.0-r1
The NPM package `micromatch` prior to 4.0.8 is vulnerable to Regular Expression Denial of Service (ReDoS). The vulnerability occurs in `micromatch.braces()` in `index.js` because the pattern `.*` will greedily match anything. By passing a malicious payload, the pattern matching w
CVE-2024-24787MedMay 8, 2024
affected < 3.6.5-r2fixed 3.6.5-r2
On Darwin, building a Go module which contains CGO can trigger arbitrary code execution when using the Apple version of ld, due to usage of the -lto_library flag in a "#cgo LDFLAGS" directive.
CVE-2023-45288HigApr 4, 2024
affected < 3.6.5-r2fixed 3.6.5-r2
An attacker may cause an HTTP/2 endpoint to read arbitrary amounts of header data by sending an excessive number of CONTINUATION frames. Maintaining HPACK state requires parsing and processing all HEADERS and CONTINUATION frames on a connection. When a request's headers exceed Ma
CVE-2024-29041Mar 25, 2024
affected < 3.6.5-r2fixed 3.6.5-r2
Express.js minimalist web framework for node. Versions of Express.js prior to 4.19.0 and all pre-release alpha and beta versions of 5.0 are affected by an open redirect vulnerability using malformed URLs. When a user of Express performs a redirect using a user-provided URL Expres
CVE-2024-29180Mar 21, 2024
affected < 3.6.5-r2fixed 3.6.5-r2
Prior to versions 7.1.0, 6.1.2, and 5.3.4, the webpack-dev-middleware development middleware for devpack does not validate the supplied URL address sufficiently before returning the local file. It is possible to access any file on the developer's machine. The middleware can eithe
CVE-2024-28180Mar 9, 2024
affected < 3.5.5-r2fixed 3.5.5-r2
Package jose aims to provide an implementation of the Javascript Object Signing and Encryption set of standards. An attacker could send a JWE containing compressed data that used large amounts of memory and CPU when decompressed by Decrypt or DecryptMulti. Those functions now ret
CVE-2024-27304CriMar 6, 2024
affected < 3.5.5-r3fixed 3.5.5-r3
pgx is a PostgreSQL driver and toolkit for Go. SQL injection can occur if an attacker can cause a single query or bind message to exceed 4 GB in size. An integer overflow in the calculated message size can cause the one large message to be sent as multiple messages under the atta
CVE-2024-27289HigMar 6, 2024
affected < 3.5.5-r3fixed 3.5.5-r3
pgx is a PostgreSQL driver and toolkit for Go. Prior to version 4.18.2, SQL injection can occur when all of the following conditions are met: the non-default simple protocol is used; a placeholder for a numeric value must be immediately preceded by a minus; there must be a second
CVE-2024-24786HigMar 5, 2024
affected < 3.5.5-r4fixed 3.5.5-r4
The protojson.Unmarshal function can enter an infinite loop when unmarshaling certain forms of invalid JSON. This condition can occur when unmarshaling into a message which contains a google.protobuf.Any value, or when the UnmarshalOptions.DiscardUnknown option is set.
CVE-2024-24785MedMar 5, 2024
affected < 3.6.5-r2fixed 3.6.5-r2
If errors returned from MarshalJSON methods contain user controlled data, they may be used to break the contextual auto-escaping behavior of the html/template package, allowing for subsequent actions to inject unexpected content into templates.
CVE-2024-24784HigMar 5, 2024
affected < 3.6.5-r2fixed 3.6.5-r2
The ParseAddressList function incorrectly handles comments (text within parentheses) within display names. Since this is a misalignment with conforming address parsers, it can result in different trust decisions being made by programs using different parsers.
CVE-2024-24783MedMar 5, 2024
affected < 3.6.5-r2fixed 3.6.5-r2
Verifying a certificate chain which contains a certificate with an unknown public key algorithm will cause Certificate.Verify to panic. This affects all crypto/tls clients, and servers that set Config.ClientAuth to VerifyClientCertIfGiven or RequireAndVerifyClientCert. The defaul

Page 3 of 4