apk package
chainguard/cni-plugins-fips-dhcp
pkg:apk/chainguard/cni-plugins-fips-dhcp
Vulnerabilities (66)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2025-61724 | — | < 1.8.0-r1 | 1.8.0-r1 | Oct 29, 2025 | The Reader.ReadResponse function constructs a response string through repeated string concatenation of lines. When the number of lines in a response is large, this can cause excessive CPU consumption. | ||
| CVE-2025-58188 | — | < 1.8.0-r1 | 1.8.0-r1 | Oct 29, 2025 | Validating certificate chains which contain DSA public keys can cause programs to panic, due to a interface cast that assumes they implement the Equal method. This affects programs which validate arbitrary certificate chains. | ||
| CVE-2025-58185 | — | < 1.8.0-r1 | 1.8.0-r1 | Oct 29, 2025 | Parsing a maliciously crafted DER payload could allocate large amounts of memory, causing memory exhaustion. | ||
| CVE-2025-47912 | — | < 1.8.0-r1 | 1.8.0-r1 | Oct 29, 2025 | The Parse function permits values other than IPv6 addresses to be included in square brackets within the host component of a URL. RFC 3986 permits IPv6 addresses to be included within the host component, enclosed within square brackets. For example: "http://[::1]/". IPv4 addresse | ||
| CVE-2025-61723 | — | < 1.8.0-r1 | 1.8.0-r1 | Oct 29, 2025 | The processing time for parsing some invalid inputs scales non-linearly with respect to the size of the input. This affects programs which parse untrusted PEM inputs. | ||
| CVE-2025-58189 | — | < 1.8.0-r1 | 1.8.0-r1 | Oct 29, 2025 | When Conn.Handshake fails during ALPN negotiation the error contains attacker controlled information (the ALPN protocols sent by the client) which is not escaped. | ||
| CVE-2025-58187 | — | < 1.8.0-r1 | 1.8.0-r1 | Oct 29, 2025 | Due to the design of the name constraint checking algorithm, the processing time of some inputs scale non-linearly with respect to the size of the certificate. This affects programs which validate arbitrary certificate chains. | ||
| CVE-2025-47907 | — | < 0 | 0 | Aug 7, 2025 | Cancelling a query (e.g. by cancelling the context passed to one of the query methods) during a call to the Scan method of the returned Rows can result in unexpected results if other queries are being made in parallel. This can result in a race condition that may overwrite the ex | ||
| CVE-2025-22872 | Med | 6.5 | < 1.6.2-r7 | 1.6.2-r7 | Apr 16, 2025 | The tokenizer incorrectly interprets tags with unquoted attribute values that end with a solidus character (/) as self-closing. When directly using Tokenizer, this can result in such tags incorrectly being marked as self-closing, and when using the Parse functions, this can resul | |
| CVE-2025-22871 | Cri | 9.1 | < 1.6.2-r5 | 1.6.2-r5 | Apr 8, 2025 | The net/http package improperly accepts a bare LF as a line terminator in chunked data chunk-size lines. This can permit request smuggling if a net/http server is used in conjunction with a server that incorrectly accepts a bare LF as part of a chunk-ext. | |
| CVE-2025-22866 | Med | 4.0 | < 1.6.2-r2 | 1.6.2-r2 | Feb 6, 2025 | Due to the usage of a variable time instruction in the assembly implementation of an internal function, a small number of bits of secret scalars are leaked on the ppc64le architecture. Due to the way this function is used, we do not believe this leakage is enough to allow recover | |
| CVE-2024-45338 | Med | 5.3 | < 1.6.1-r1 | 1.6.1-r1 | Dec 18, 2024 | An attacker can craft an input to the Parse functions that would be processed non-linearly with respect to its length, resulting in extremely slow parsing. This could cause a denial of service. | |
| CVE-2024-34158 | Hig | 7.5 | < 1.5.1-r2 | 1.5.1-r2 | Sep 6, 2024 | Calling Parse on a "// +build" build tag line with deeply nested expressions can cause a panic due to stack exhaustion. | |
| CVE-2024-34156 | Hig | 7.5 | < 1.5.1-r2 | 1.5.1-r2 | Sep 6, 2024 | Calling Decoder.Decode on a message which contains deeply nested structures can cause a panic due to stack exhaustion. This is a follow-up to CVE-2022-30635. | |
| CVE-2024-34155 | Med | 4.3 | < 1.5.1-r2 | 1.5.1-r2 | Sep 6, 2024 | Calling any of the Parse functions on Go source code which contains deeply nested literals can cause a panic due to stack exhaustion. | |
| CVE-2024-24791 | Hig | 7.5 | < 1.5.1-r1 | 1.5.1-r1 | Jul 2, 2024 | The net/http HTTP/1.1 client mishandled the case where a server responds to a request with an "Expect: 100-continue" header with a non-informational (200 or higher) status. This mishandling could leave a client connection in an invalid state, where the next request sent on the co | |
| CVE-2024-24789 | — | < 1.5.0-r1 | 1.5.0-r1 | Jun 5, 2024 | The archive/zip package's handling of certain types of invalid zip files differs from the behavior of most zip implementations. This misalignment could be exploited to create an zip file with contents that vary depending on the implementation reading the file. The archive/zip pac | ||
| CVE-2024-24790 | — | < 1.5.0-r1 | 1.5.0-r1 | Jun 5, 2024 | The various Is methods (IsPrivate, IsLoopback, etc) did not work as expected for IPv4-mapped IPv6 addresses, returning false for addresses which would return true in their traditional IPv4 forms. | ||
| CVE-2024-24785 | Med | 5.4 | < 1.4.0-r2 | 1.4.0-r2 | Mar 5, 2024 | If errors returned from MarshalJSON methods contain user controlled data, they may be used to break the contextual auto-escaping behavior of the html/template package, allowing for subsequent actions to inject unexpected content into templates. | |
| CVE-2024-24784 | Hig | 7.5 | < 1.4.0-r2 | 1.4.0-r2 | Mar 5, 2024 | The ParseAddressList function incorrectly handles comments (text within parentheses) within display names. Since this is a misalignment with conforming address parsers, it can result in different trust decisions being made by programs using different parsers. |
- CVE-2025-61724Oct 29, 2025affected < 1.8.0-r1fixed 1.8.0-r1
The Reader.ReadResponse function constructs a response string through repeated string concatenation of lines. When the number of lines in a response is large, this can cause excessive CPU consumption.
- CVE-2025-58188Oct 29, 2025affected < 1.8.0-r1fixed 1.8.0-r1
Validating certificate chains which contain DSA public keys can cause programs to panic, due to a interface cast that assumes they implement the Equal method. This affects programs which validate arbitrary certificate chains.
- CVE-2025-58185Oct 29, 2025affected < 1.8.0-r1fixed 1.8.0-r1
Parsing a maliciously crafted DER payload could allocate large amounts of memory, causing memory exhaustion.
- CVE-2025-47912Oct 29, 2025affected < 1.8.0-r1fixed 1.8.0-r1
The Parse function permits values other than IPv6 addresses to be included in square brackets within the host component of a URL. RFC 3986 permits IPv6 addresses to be included within the host component, enclosed within square brackets. For example: "http://[::1]/". IPv4 addresse
- CVE-2025-61723Oct 29, 2025affected < 1.8.0-r1fixed 1.8.0-r1
The processing time for parsing some invalid inputs scales non-linearly with respect to the size of the input. This affects programs which parse untrusted PEM inputs.
- CVE-2025-58189Oct 29, 2025affected < 1.8.0-r1fixed 1.8.0-r1
When Conn.Handshake fails during ALPN negotiation the error contains attacker controlled information (the ALPN protocols sent by the client) which is not escaped.
- CVE-2025-58187Oct 29, 2025affected < 1.8.0-r1fixed 1.8.0-r1
Due to the design of the name constraint checking algorithm, the processing time of some inputs scale non-linearly with respect to the size of the certificate. This affects programs which validate arbitrary certificate chains.
- CVE-2025-47907Aug 7, 2025affected < 0fixed 0
Cancelling a query (e.g. by cancelling the context passed to one of the query methods) during a call to the Scan method of the returned Rows can result in unexpected results if other queries are being made in parallel. This can result in a race condition that may overwrite the ex
- affected < 1.6.2-r7fixed 1.6.2-r7
The tokenizer incorrectly interprets tags with unquoted attribute values that end with a solidus character (/) as self-closing. When directly using Tokenizer, this can result in such tags incorrectly being marked as self-closing, and when using the Parse functions, this can resul
- affected < 1.6.2-r5fixed 1.6.2-r5
The net/http package improperly accepts a bare LF as a line terminator in chunked data chunk-size lines. This can permit request smuggling if a net/http server is used in conjunction with a server that incorrectly accepts a bare LF as part of a chunk-ext.
- affected < 1.6.2-r2fixed 1.6.2-r2
Due to the usage of a variable time instruction in the assembly implementation of an internal function, a small number of bits of secret scalars are leaked on the ppc64le architecture. Due to the way this function is used, we do not believe this leakage is enough to allow recover
- affected < 1.6.1-r1fixed 1.6.1-r1
An attacker can craft an input to the Parse functions that would be processed non-linearly with respect to its length, resulting in extremely slow parsing. This could cause a denial of service.
- affected < 1.5.1-r2fixed 1.5.1-r2
Calling Parse on a "// +build" build tag line with deeply nested expressions can cause a panic due to stack exhaustion.
- affected < 1.5.1-r2fixed 1.5.1-r2
Calling Decoder.Decode on a message which contains deeply nested structures can cause a panic due to stack exhaustion. This is a follow-up to CVE-2022-30635.
- affected < 1.5.1-r2fixed 1.5.1-r2
Calling any of the Parse functions on Go source code which contains deeply nested literals can cause a panic due to stack exhaustion.
- affected < 1.5.1-r1fixed 1.5.1-r1
The net/http HTTP/1.1 client mishandled the case where a server responds to a request with an "Expect: 100-continue" header with a non-informational (200 or higher) status. This mishandling could leave a client connection in an invalid state, where the next request sent on the co
- CVE-2024-24789Jun 5, 2024affected < 1.5.0-r1fixed 1.5.0-r1
The archive/zip package's handling of certain types of invalid zip files differs from the behavior of most zip implementations. This misalignment could be exploited to create an zip file with contents that vary depending on the implementation reading the file. The archive/zip pac
- CVE-2024-24790Jun 5, 2024affected < 1.5.0-r1fixed 1.5.0-r1
The various Is methods (IsPrivate, IsLoopback, etc) did not work as expected for IPv4-mapped IPv6 addresses, returning false for addresses which would return true in their traditional IPv4 forms.
- affected < 1.4.0-r2fixed 1.4.0-r2
If errors returned from MarshalJSON methods contain user controlled data, they may be used to break the contextual auto-escaping behavior of the html/template package, allowing for subsequent actions to inject unexpected content into templates.
- affected < 1.4.0-r2fixed 1.4.0-r2
The ParseAddressList function incorrectly handles comments (text within parentheses) within display names. Since this is a misalignment with conforming address parsers, it can result in different trust decisions being made by programs using different parsers.
Page 3 of 4