apk package
chainguard/cloudbeat-fips-9.2
pkg:apk/chainguard/cloudbeat-fips-9.2
Vulnerabilities (57)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2026-53492 | hig | — | < 9.2.8-r7 | 9.2.8-r7 | Jun 19, 2026 | ### Impact containerd's CRI implementation improperly trusts Container Device Interface (CDI) annotations found within untrusted checkpoint image metadata during container restoration. When restoring a container from a checkpoint, containerd preserves CDI-related annotations fro | |
| CVE-2026-53489 | hig | — | < 9.2.8-r7 | 9.2.8-r7 | Jun 19, 2026 | ### Impact A bug was found in containerd where the CRI plugin restores `container.log` from a checkpoint image without validating a symlinked path. This could result in reading an arbitrary file on the host via `kubectl logs`. ### Patches This bug has been fixed in the following | |
| CVE-2026-53488 | hig | — | < 9.2.8-r8 | 9.2.8-r8 | Jun 19, 2026 | ### Impact A bug was found in containerd where the CRI plugin propagates labels from an image config (`LABEL` instruction in Dockerfile) to a container without validation. This may result in executing an arbitrary command on the host, via a plugin that consumes container labels f | |
| CVE-2026-50195 | — | < 9.2.8-r7 | 9.2.8-r7 | Jun 19, 2026 | ## Impact containerd's CRI checkpoint import process contains a vulnerability where it fails to validate the image references specified within a checkpoint image's configuration. An attacker with permissions to create pods can use a crafted checkpoint image to force containerd to | ||
| CVE-2026-47262 | — | < 9.2.8-r8 | 9.2.8-r8 | Jun 19, 2026 | ### Impact A vulnerability in containerd allows a maliciously crafted image to cause a Denial of Service (DoS) condition. When creating a container from this image, memory exhaustion occurs, leading to an Out Of Memory (OOM) kill of the containerd process. This renders the contai | ||
| CVE-2026-41178 | Med | 5.3 | < 9.2.8-r9 | 9.2.8-r9 | Jun 4, 2026 | OpenTelemetry-Go is the Go implementation of OpenTelemetry. Versions 1.41.0 and 1.43.0 removed raw-length rejection and it causes `Parse` to process arbitrarily large/invalid baggage headers and log errors, enabling DoS via oversized inputs. Versions 1.42.0 and 1.44.0 fix the iss | |
| CVE-2026-42507 | Med | 5.3 | < 9.2.8-r5 | 9.2.8-r5 | Jun 2, 2026 | When returning errors, functions in the net/textproto package would include its input as part of the error. This might allow an attacker to inject misleading content to errors that are printed or logged. | |
| CVE-2026-42504 | Hig | 7.5 | < 9.2.8-r5 | 9.2.8-r5 | Jun 2, 2026 | Decoding a maliciously-crafted MIME header containing many invalid encoded-words can consume excessive CPU. | |
| CVE-2026-27145 | Med | 6.5 | < 9.2.8-r5 | 9.2.8-r5 | Jun 2, 2026 | (*x509.Certificate).VerifyHostname previously called matchHostnames in a loop over all DNS Subject Alternative Name (SAN) entries. This caused strings.Split(host, ".") to execute repeatedly on the same input hostname. With a large DNS SAN list, verification costs scaled quadratic | |
| CVE-2026-45571 | Med | 5.4 | < 9.2.8-r3 | 9.2.8-r3 | May 27, 2026 | go-git is an extensible git implementation library written in pure Go. Prior to 5.19.1 and 6.0.0-alpha.4, a path validation issue in go-git could allow crafted repository data to affect files outside the intended checkout target, including the repository's .git directory. These v | |
| CVE-2026-45570 | Cri | 9.6 | < 9.2.8-r3 | 9.2.8-r3 | May 27, 2026 | go-git is an extensible git implementation library written in pure Go. Prior to 5.19.1 and 6.0.0-alpha.4, go-git's SSH transport constructs the remote exec command by wrapping the repository path in single quotes without escaping single quotes embedded inside the path. A reposito | |
| CVE-2026-45022 | Hig | 7.5 | < 9.2.8-r1 | 9.2.8-r1 | May 27, 2026 | go-git is an extensible git implementation library written in pure Go. Prior to 5.19.0 and 6.0.0-alpha.3, go-git may parse malformed Git objects in a way that differs from upstream Git. When commit or tag objects contain ambiguous or malformed headers, go-git’s decoded representa | |
| CVE-2026-46680 | hig | — | < 9.2.8-r3 | 9.2.8-r3 | May 21, 2026 | ### Impact A bug was found in containerd where containers launched with a numeric `User` directive that cannot be parsed as a 32-bit integer are incorrectly treated as a username. If a crafted image provides an `/etc/passwd` file mapping this large numeric string to root, the con | |
| CVE-2026-44503 | Hig | — | < 9.2.7-r13 | 9.2.7-r13 | May 14, 2026 | The RedirectHandler middleware in microsoft/kiota-java (com.microsoft.kiota:microsoft-kiota-http-okHttp v1.9.0) and other Kiota libraries fails to strip sensitive HTTP headers when following 3xx redirects to a different host or scheme. Only the Authorization header is removed; Co | |
| CVE-2026-41506 | Med | 4.7 | < 9.2.7-r9 | 9.2.7-r9 | May 8, 2026 | go-git is an extensible git implementation library written in pure Go. Prior to versions 5.18.0 and 6.0.0-alpha.2, go-git may leak HTTP authentication credentials when following redirects during smart-HTTP clone and fetch operations. This issue has been patched in versions 5.18.0 | |
| CVE-2026-42501 | Hig | 7.5 | < 9.2.7-r14 | 9.2.7-r14 | May 7, 2026 | A malicious module proxy can exploit a flaw in the go command's validation of module checksums to bypass checksum database validation. This vulnerability affects any user using an untrusted module proxy (GOMODPROXY) or checksum database (GOSUMDB). A malicious module proxy can ser | |
| CVE-2026-42499 | Hig | 7.5 | < 9.2.7-r14 | 9.2.7-r14 | May 7, 2026 | Pathological inputs could cause DoS through consumePhrase when parsing an email address according to RFC 5322. | |
| CVE-2026-39836 | Hig | 7.5 | < 9.2.7-r14 | 9.2.7-r14 | May 7, 2026 | The Dial and LookupPort functions panic on Windows when provided with an input containing a NUL (0). | |
| CVE-2026-39826 | Med | 6.1 | < 9.2.7-r14 | 9.2.7-r14 | May 7, 2026 | If a trusted template author were to write a tag containing an empty 'type' attribute or a 'type' attribute with an ASCII whitespace, the execution of the template would incorrectly escape any data passed into the block. | |
| CVE-2026-39825 | Med | 5.3 | < 0 | 0 | May 7, 2026 | ReverseProxy can forward queries containing parameters not visible to Rewrite functions. When used with a Rewrite function, or a Director function which parses query parameters, ReverseProxy sanitizes the forwarded request to remove query parameters which are not parsed by url.Pa |
- affected < 9.2.8-r7fixed 9.2.8-r7
### Impact containerd's CRI implementation improperly trusts Container Device Interface (CDI) annotations found within untrusted checkpoint image metadata during container restoration. When restoring a container from a checkpoint, containerd preserves CDI-related annotations fro
- affected < 9.2.8-r7fixed 9.2.8-r7
### Impact A bug was found in containerd where the CRI plugin restores `container.log` from a checkpoint image without validating a symlinked path. This could result in reading an arbitrary file on the host via `kubectl logs`. ### Patches This bug has been fixed in the following
- affected < 9.2.8-r8fixed 9.2.8-r8
### Impact A bug was found in containerd where the CRI plugin propagates labels from an image config (`LABEL` instruction in Dockerfile) to a container without validation. This may result in executing an arbitrary command on the host, via a plugin that consumes container labels f
- CVE-2026-50195Jun 19, 2026affected < 9.2.8-r7fixed 9.2.8-r7
## Impact containerd's CRI checkpoint import process contains a vulnerability where it fails to validate the image references specified within a checkpoint image's configuration. An attacker with permissions to create pods can use a crafted checkpoint image to force containerd to
- CVE-2026-47262Jun 19, 2026affected < 9.2.8-r8fixed 9.2.8-r8
### Impact A vulnerability in containerd allows a maliciously crafted image to cause a Denial of Service (DoS) condition. When creating a container from this image, memory exhaustion occurs, leading to an Out Of Memory (OOM) kill of the containerd process. This renders the contai
- affected < 9.2.8-r9fixed 9.2.8-r9
OpenTelemetry-Go is the Go implementation of OpenTelemetry. Versions 1.41.0 and 1.43.0 removed raw-length rejection and it causes `Parse` to process arbitrarily large/invalid baggage headers and log errors, enabling DoS via oversized inputs. Versions 1.42.0 and 1.44.0 fix the iss
- affected < 9.2.8-r5fixed 9.2.8-r5
When returning errors, functions in the net/textproto package would include its input as part of the error. This might allow an attacker to inject misleading content to errors that are printed or logged.
- affected < 9.2.8-r5fixed 9.2.8-r5
Decoding a maliciously-crafted MIME header containing many invalid encoded-words can consume excessive CPU.
- affected < 9.2.8-r5fixed 9.2.8-r5
(*x509.Certificate).VerifyHostname previously called matchHostnames in a loop over all DNS Subject Alternative Name (SAN) entries. This caused strings.Split(host, ".") to execute repeatedly on the same input hostname. With a large DNS SAN list, verification costs scaled quadratic
- affected < 9.2.8-r3fixed 9.2.8-r3
go-git is an extensible git implementation library written in pure Go. Prior to 5.19.1 and 6.0.0-alpha.4, a path validation issue in go-git could allow crafted repository data to affect files outside the intended checkout target, including the repository's .git directory. These v
- affected < 9.2.8-r3fixed 9.2.8-r3
go-git is an extensible git implementation library written in pure Go. Prior to 5.19.1 and 6.0.0-alpha.4, go-git's SSH transport constructs the remote exec command by wrapping the repository path in single quotes without escaping single quotes embedded inside the path. A reposito
- affected < 9.2.8-r1fixed 9.2.8-r1
go-git is an extensible git implementation library written in pure Go. Prior to 5.19.0 and 6.0.0-alpha.3, go-git may parse malformed Git objects in a way that differs from upstream Git. When commit or tag objects contain ambiguous or malformed headers, go-git’s decoded representa
- affected < 9.2.8-r3fixed 9.2.8-r3
### Impact A bug was found in containerd where containers launched with a numeric `User` directive that cannot be parsed as a 32-bit integer are incorrectly treated as a username. If a crafted image provides an `/etc/passwd` file mapping this large numeric string to root, the con
- affected < 9.2.7-r13fixed 9.2.7-r13
The RedirectHandler middleware in microsoft/kiota-java (com.microsoft.kiota:microsoft-kiota-http-okHttp v1.9.0) and other Kiota libraries fails to strip sensitive HTTP headers when following 3xx redirects to a different host or scheme. Only the Authorization header is removed; Co
- affected < 9.2.7-r9fixed 9.2.7-r9
go-git is an extensible git implementation library written in pure Go. Prior to versions 5.18.0 and 6.0.0-alpha.2, go-git may leak HTTP authentication credentials when following redirects during smart-HTTP clone and fetch operations. This issue has been patched in versions 5.18.0
- affected < 9.2.7-r14fixed 9.2.7-r14
A malicious module proxy can exploit a flaw in the go command's validation of module checksums to bypass checksum database validation. This vulnerability affects any user using an untrusted module proxy (GOMODPROXY) or checksum database (GOSUMDB). A malicious module proxy can ser
- affected < 9.2.7-r14fixed 9.2.7-r14
Pathological inputs could cause DoS through consumePhrase when parsing an email address according to RFC 5322.
- affected < 9.2.7-r14fixed 9.2.7-r14
The Dial and LookupPort functions panic on Windows when provided with an input containing a NUL (0).
- affected < 9.2.7-r14fixed 9.2.7-r14
If a trusted template author were to write a tag containing an empty 'type' attribute or a 'type' attribute with an ASCII whitespace, the execution of the template would incorrectly escape any data passed into the block.
- affected < 0fixed 0
ReverseProxy can forward queries containing parameters not visible to Rewrite functions. When used with a Rewrite function, or a Director function which parses query parameters, ReverseProxy sanitizes the forwarded request to remove query parameters which are not parsed by url.Pa
Page 1 of 3