VYPR

apk package

chainguard/cloudflared

pkg:apk/chainguard/cloudflared

Vulnerabilities (52)

  • CVE-2024-24789Jun 5, 2024
    affected < 2024.1.0-r11fixed 2024.1.0-r11

    The archive/zip package's handling of certain types of invalid zip files differs from the behavior of most zip implementations. This misalignment could be exploited to create an zip file with contents that vary depending on the implementation reading the file. The archive/zip pac

  • CVE-2024-24790Jun 5, 2024
    affected < 2024.1.0-r11fixed 2024.1.0-r11

    The various Is methods (IsPrivate, IsLoopback, etc) did not work as expected for IPv4-mapped IPv6 addresses, returning false for addresses which would return true in their traditional IPv4 forms.

  • CVE-2024-24788MedMay 8, 2024
    affected < 2024.1.0-r10fixed 2024.1.0-r10

    A malformed DNS message in response to a query can cause the Lookup functions to get stuck in an infinite loop.

  • CVE-2024-24787MedMay 8, 2024
    affected < 2024.1.0-r10fixed 2024.1.0-r10

    On Darwin, building a Go module which contains CGO can trigger arbitrary code execution when using the Apple version of ld, due to usage of the -lto_library flag in a "#cgo LDFLAGS" directive.

  • CVE-2024-0874MedApr 25, 2024
    affected < 2024.1.0-r9fixed 2024.1.0-r9

    A flaw was found in coredns. This issue could lead to invalid cache entries returning due to incorrectly implemented caching.

  • CVE-2023-45288HigApr 4, 2024
    affected < 2024.1.0-r8fixed 2024.1.0-r8

    An attacker may cause an HTTP/2 endpoint to read arbitrary amounts of header data by sending an excessive number of CONTINUATION frames. Maintaining HPACK state requires parsing and processing all HEADERS and CONTINUATION frames on a connection. When a request's headers exceed Ma

  • CVE-2024-22189HigApr 4, 2024
    affected < 2024.1.0-r7fixed 2024.1.0-r7

    quic-go is an implementation of the QUIC protocol in Go. Prior to version 0.42.0, an attacker can cause its peer to run out of memory sending a large number of `NEW_CONNECTION_ID` frames that retire old connection IDs. The receiver is supposed to respond to each retirement frame

  • CVE-2024-28180Mar 9, 2024
    affected < 2024.1.0-r4fixed 2024.1.0-r4

    Package jose aims to provide an implementation of the Javascript Object Signing and Encryption set of standards. An attacker could send a JWE containing compressed data that used large amounts of memory and CPU when decompressed by Decrypt or DecryptMulti. Those functions now ret

  • CVE-2024-24786HigMar 5, 2024
    affected < 2024.1.0-r5fixed 2024.1.0-r5

    The protojson.Unmarshal function can enter an infinite loop when unmarshaling certain forms of invalid JSON. This condition can occur when unmarshaling into a message which contains a google.protobuf.Any value, or when the UnmarshalOptions.DiscardUnknown option is set.

  • CVE-2023-48795MedDec 18, 2023
    affected < 2024.1.0-r1fixed 2024.1.0-r1

    The SSH transport protocol with certain OpenSSH extensions, found in OpenSSH before 9.6 and other products, allows remote attackers to bypass integrity checks such that some packets are omitted (from the extension negotiation message), and a client and server may consequently end

  • CVE-2023-45284Nov 9, 2023
    affected < 0fixed 0

    On Windows, The IsLocal function does not correctly detect reserved device names in some cases. Reserved names followed by spaces, such as "COM1 ", and reserved names "COM" and "LPT" followed by superscript 1, 2, or 3, are incorrectly reported as local. With fix, IsLocal now corr

  • CVE-2023-45283Nov 9, 2023
    affected < 0fixed 0

    The filepath package does not recognize paths with a \??\ prefix as special. On Windows, a path beginning with \??\ is a Root Local Device path equivalent to a path beginning with \\?\. Paths with a \??\ prefix may be used to access arbitrary locations on the system. For example,

Page 3 of 3