apk package

chainguard/cloudbeat-fips-8.17

pkg:apk/chainguard/cloudbeat-fips-8.17

Vulnerabilities (67)

CVE	Sev	CVSS	Affected versions	Fixed in	Published	Description
CVE-2026-39820	Hig	7.5	< 8.17.10-r22	8.17.10-r22	May 7, 2026	Well-crafted inputs reaching ParseAddress, ParseAddressList, and ParseDate were able to trigger excessive CPU exhaustion and memory allocations.
CVE-2026-39819	Med	5.3	< 8.17.10-r22	8.17.10-r22	May 7, 2026	The "go bug" command writes to two files with predictable names in the system temporary directory (for example, "/tmp"). An attacker with access to the temporary directory can create a symlink in one of these names, causing "go bug" to overwrite the target of the symlink.
CVE-2026-39817	Med	5.9	< 8.17.10-r22	8.17.10-r22	May 7, 2026	The "go tool pack" subcommand (usually used only by the compiler as an internal tool with known-good inputs) does not sanitize output filenames. Extracting a malicious archive file with the "pack" subcommand can write files to arbitrary locations on the filesystem.
CVE-2026-33814	Hig	7.5	< 8.17.10-r22	8.17.10-r22	May 7, 2026	When processing HTTP/2 SETTINGS frames, transport will enter an infinite loop of writing CONTINUATION frames if it receives a SETTINGS_MAX_FRAME_SIZE with a value of 0.
CVE-2026-33811	Hig	7.5	< 8.17.10-r22	8.17.10-r22	May 7, 2026	When using LookupCNAME with the cgo DNS resolver, a very long CNAME response can trigger a double-free of C memory and a crash.
CVE-2026-32952	Med	5.3	< 8.17.10-r21	8.17.10-r21	Apr 24, 2026	go-ntlmssp is a Go package that provides NTLM/Negotiate authentication over HTTP. Prior to version 0.1.1, a malicious NTLM challenge message can causes an slice out of bounds panic, which can crash any Go process using `ntlmssp.Negotiator` as an HTTP transport. Version 0.1.1 patc
CVE-2026-35469	Hig	—	< 8.17.10-r19	8.17.10-r19	Apr 16, 2026	spdystream is a Go library for multiplexing streams over SPDY connections. In versions 0.5.0 and below, the SPDY/3 frame parser does not validate attacker-controlled counts and lengths before allocating memory. Three allocation paths are affected: the SETTINGS frame entry count,
CVE-2026-39883	Hig	7.0	< 8.17.10-r18	8.17.10-r18	Apr 8, 2026	OpenTelemetry-Go is the Go implementation of OpenTelemetry. From 1.15.0 to 1.42.0, the fix for CVE-2026-24051 changed the Darwin ioreg command to use an absolute path but left the BSD kenv command using a bare name, allowing the same PATH hijacking attack on BSD and Solaris platf
CVE-2026-33817		—	< 0	0	Apr 6, 2026	Rejected reason: CVE confirmed to be a false positive
CVE-2026-34986	Hig	7.5	< 8.17.10-r18	8.17.10-r18	Apr 6, 2026	Go JOSE provides an implementation of the Javascript Object Signing and Encryption set of standards in Go, including support for JSON Web Encryption (JWE), JSON Web Signature (JWS), and JSON Web Token (JWT) standards. Prior to 4.1.4 and 3.0.5, decrypting a JSON Web Encryption (JW
CVE-2026-34165	Med	5.0	< 8.17.10-r18	8.17.10-r18	Mar 31, 2026	go-git is an extensible git implementation library written in pure Go. From version 5.0.0 to before version 5.17.1, a vulnerability has been identified in which a maliciously crafted .idx file can cause asymmetric memory consumption, potentially exhausting available memory and re
CVE-2026-33762	Low	2.8	< 8.17.10-r18	8.17.10-r18	Mar 31, 2026	go-git is an extensible git implementation library written in pure Go. Prior to version 5.17.1, go-git’s index decoder for format version 4 fails to validate the path name prefix length before applying it to the previously decoded path name. A maliciously crafted index file can t
CVE-2026-33186	Cri	9.1	< 8.17.10-r17	8.17.10-r17	Mar 20, 2026	gRPC-Go is the Go language implementation of gRPC. Versions prior to 1.79.3 have an authorization bypass resulting from improper input validation of the HTTP/2 `:path` pseudo-header. The gRPC-Go server was too lenient in its routing logic, accepting requests where the `:path` omi
CVE-2026-27142	Med	6.1	< 8.17.10-r15	8.17.10-r15	Mar 6, 2026	Actions which insert URLs into the content attribute of HTML meta tags are not escaped. This can allow XSS if the meta tag also has an http-equiv attribute with the value "refresh". A new GODEBUG setting has been added, htmlmetacontenturlescape, which can be used to disable escap
CVE-2026-27139	Low	2.5	< 8.17.10-r15	8.17.10-r15	Mar 6, 2026	On Unix platforms, when listing the contents of a directory using File.ReadDir or File.Readdir the returned FileInfo could reference a file outside of the Root in which the File was opened. The impact of this escape is limited to reading metadata provided by lstat from arbitrary
CVE-2026-25679	Hig	7.5	< 8.17.10-r15	8.17.10-r15	Mar 6, 2026	url.Parse insufficiently validated the host/authority component and accepted some invalid URLs.
CVE-2025-15558		—	< 8.17.10-r14	8.17.10-r14	Mar 4, 2026	Docker CLI for Windows searches for plugin binaries in C:\ProgramData\Docker\cli-plugins, a directory that does not exist by default. A low-privileged attacker can create this directory and place malicious CLI plugin binaries (docker-compose.exe, docker-buildx.exe, etc.) that are
CVE-2026-1229		—	< 8.17.10-r11	8.17.10-r11	Feb 24, 2026	The CombinedMult function in the CIRCL ecc/p384 package (secp384r1 curve) produces an incorrect value for specific inputs. The issue is fixed by using complete addition formulas. ECDH and ECDSA signing relying on this curve are not affected. The bug was fixed in v1.6.3 https://
CVE-2026-2303	Med	6.5	< 8.17.10-r30	8.17.10-r30	Feb 10, 2026	The mongo-go-driver repository contains CGo bindings for GSSAPI (Kerberos) authentication on Linux and macOS. The C wrapper implementation contains a heap out-of-bounds read vulnerability due to incorrect assumptions about string termination in the GSSAPI standard. Since GSSAPI b
CVE-2026-25934		—	< 8.17.10-r9	8.17.10-r9	Feb 9, 2026	go-git is a highly extensible git implementation library written in pure Go. Prior to 5.16.5, a vulnerability was discovered in go-git whereby data integrity values for .pack and .idx files were not properly verified. This resulted in go-git potentially consuming corrupted files,

CVE-2026-39820HigMay 7, 2026
affected < 8.17.10-r22fixed 8.17.10-r22
Well-crafted inputs reaching ParseAddress, ParseAddressList, and ParseDate were able to trigger excessive CPU exhaustion and memory allocations.
CVE-2026-39819MedMay 7, 2026
affected < 8.17.10-r22fixed 8.17.10-r22
The "go bug" command writes to two files with predictable names in the system temporary directory (for example, "/tmp"). An attacker with access to the temporary directory can create a symlink in one of these names, causing "go bug" to overwrite the target of the symlink.
CVE-2026-39817MedMay 7, 2026
affected < 8.17.10-r22fixed 8.17.10-r22
The "go tool pack" subcommand (usually used only by the compiler as an internal tool with known-good inputs) does not sanitize output filenames. Extracting a malicious archive file with the "pack" subcommand can write files to arbitrary locations on the filesystem.
CVE-2026-33814HigMay 7, 2026
affected < 8.17.10-r22fixed 8.17.10-r22
When processing HTTP/2 SETTINGS frames, transport will enter an infinite loop of writing CONTINUATION frames if it receives a SETTINGS_MAX_FRAME_SIZE with a value of 0.
CVE-2026-33811HigMay 7, 2026
affected < 8.17.10-r22fixed 8.17.10-r22
When using LookupCNAME with the cgo DNS resolver, a very long CNAME response can trigger a double-free of C memory and a crash.
CVE-2026-32952MedApr 24, 2026
affected < 8.17.10-r21fixed 8.17.10-r21
go-ntlmssp is a Go package that provides NTLM/Negotiate authentication over HTTP. Prior to version 0.1.1, a malicious NTLM challenge message can causes an slice out of bounds panic, which can crash any Go process using `ntlmssp.Negotiator` as an HTTP transport. Version 0.1.1 patc
CVE-2026-35469HigApr 16, 2026
affected < 8.17.10-r19fixed 8.17.10-r19
spdystream is a Go library for multiplexing streams over SPDY connections. In versions 0.5.0 and below, the SPDY/3 frame parser does not validate attacker-controlled counts and lengths before allocating memory. Three allocation paths are affected: the SETTINGS frame entry count,
CVE-2026-39883HigApr 8, 2026
affected < 8.17.10-r18fixed 8.17.10-r18
OpenTelemetry-Go is the Go implementation of OpenTelemetry. From 1.15.0 to 1.42.0, the fix for CVE-2026-24051 changed the Darwin ioreg command to use an absolute path but left the BSD kenv command using a bare name, allowing the same PATH hijacking attack on BSD and Solaris platf
CVE-2026-33817Apr 6, 2026
affected < 0fixed 0
Rejected reason: CVE confirmed to be a false positive
CVE-2026-34986HigApr 6, 2026
affected < 8.17.10-r18fixed 8.17.10-r18
Go JOSE provides an implementation of the Javascript Object Signing and Encryption set of standards in Go, including support for JSON Web Encryption (JWE), JSON Web Signature (JWS), and JSON Web Token (JWT) standards. Prior to 4.1.4 and 3.0.5, decrypting a JSON Web Encryption (JW
CVE-2026-34165MedMar 31, 2026
affected < 8.17.10-r18fixed 8.17.10-r18
go-git is an extensible git implementation library written in pure Go. From version 5.0.0 to before version 5.17.1, a vulnerability has been identified in which a maliciously crafted .idx file can cause asymmetric memory consumption, potentially exhausting available memory and re
CVE-2026-33762LowMar 31, 2026
affected < 8.17.10-r18fixed 8.17.10-r18
go-git is an extensible git implementation library written in pure Go. Prior to version 5.17.1, go-git’s index decoder for format version 4 fails to validate the path name prefix length before applying it to the previously decoded path name. A maliciously crafted index file can t
CVE-2026-33186CriMar 20, 2026
affected < 8.17.10-r17fixed 8.17.10-r17
gRPC-Go is the Go language implementation of gRPC. Versions prior to 1.79.3 have an authorization bypass resulting from improper input validation of the HTTP/2 `:path` pseudo-header. The gRPC-Go server was too lenient in its routing logic, accepting requests where the `:path` omi
CVE-2026-27142MedMar 6, 2026
affected < 8.17.10-r15fixed 8.17.10-r15
Actions which insert URLs into the content attribute of HTML meta tags are not escaped. This can allow XSS if the meta tag also has an http-equiv attribute with the value "refresh". A new GODEBUG setting has been added, htmlmetacontenturlescape, which can be used to disable escap
CVE-2026-27139LowMar 6, 2026
affected < 8.17.10-r15fixed 8.17.10-r15
On Unix platforms, when listing the contents of a directory using File.ReadDir or File.Readdir the returned FileInfo could reference a file outside of the Root in which the File was opened. The impact of this escape is limited to reading metadata provided by lstat from arbitrary
CVE-2026-25679HigMar 6, 2026
affected < 8.17.10-r15fixed 8.17.10-r15
url.Parse insufficiently validated the host/authority component and accepted some invalid URLs.
CVE-2025-15558Mar 4, 2026
affected < 8.17.10-r14fixed 8.17.10-r14
Docker CLI for Windows searches for plugin binaries in C:\ProgramData\Docker\cli-plugins, a directory that does not exist by default. A low-privileged attacker can create this directory and place malicious CLI plugin binaries (docker-compose.exe, docker-buildx.exe, etc.) that are
CVE-2026-1229Feb 24, 2026
affected < 8.17.10-r11fixed 8.17.10-r11
The CombinedMult function in the CIRCL ecc/p384 package (secp384r1 curve) produces an incorrect value for specific inputs. The issue is fixed by using complete addition formulas. ECDH and ECDSA signing relying on this curve are not affected. The bug was fixed in v1.6.3 https://
CVE-2026-2303MedFeb 10, 2026
affected < 8.17.10-r30fixed 8.17.10-r30
The mongo-go-driver repository contains CGo bindings for GSSAPI (Kerberos) authentication on Linux and macOS. The C wrapper implementation contains a heap out-of-bounds read vulnerability due to incorrect assumptions about string termination in the GSSAPI standard. Since GSSAPI b
CVE-2026-25934Feb 9, 2026
affected < 8.17.10-r9fixed 8.17.10-r9
go-git is a highly extensible git implementation library written in pure Go. Prior to 5.16.5, a vulnerability was discovered in go-git whereby data integrity values for .pack and .idx files were not properly verified. This resulted in go-git potentially consuming corrupted files,

Page 2 of 4