apk package
chainguard/configmap-reload-fips-0.11
pkg:apk/chainguard/configmap-reload-fips-0.11
Vulnerabilities (66)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2023-45290 | Med | 6.5 | < 0.11.1-r4 | 0.11.1-r4 | Mar 5, 2024 | When parsing a multipart form (either explicitly with Request.ParseMultipartForm or implicitly with Request.FormValue, Request.PostFormValue, or Request.FormFile), limits on the total size of the parsed form were not applied to the memory consumed while reading a single form line | |
| CVE-2023-45289 | Med | 4.3 | < 0.11.1-r4 | 0.11.1-r4 | Mar 5, 2024 | When following an HTTP redirect to a domain which is not a subdomain match or exact match of the initial domain, an http.Client does not forward sensitive headers such as "Authorization" or "Cookie". For example, a redirect from foo.com to www.foo.com will forward the Authorizati | |
| CVE-2023-45285 | — | < 0.11.1-r3 | 0.11.1-r3 | Dec 6, 2023 | Using go get to fetch a module with the ".git" suffix may unexpectedly fallback to the insecure "git://" protocol if the module is unavailable via the secure "https://" and "git+ssh://" protocols, even if GOINSECURE is not set for said module. This only affects users who are not | ||
| CVE-2023-39326 | — | < 0.11.1-r3 | 0.11.1-r3 | Dec 6, 2023 | A malicious HTTP sender can use chunk extensions to cause a receiver reading from a request or response body to read many more bytes from the network than are in the body. A malicious HTTP client can further exploit this to cause a server to automatically read a large amount of d | ||
| CVE-2023-39325 | — | < 0.11.1-r3 | 0.11.1-r3 | Oct 11, 2023 | A malicious HTTP/2 client which rapidly creates requests and immediately resets them can cause excessive server resource consumption. While the total number of requests is bounded by the http2.Server.MaxConcurrentStreams setting, resetting an in-progress request allows the attack | ||
| CVE-2023-44487 | Hig | 7.5 | KEV | < 0.11.1-r3 | 0.11.1-r3 | Oct 10, 2023 | The HTTP/2 protocol allows a denial of service (server resource consumption) because request cancellation can reset many streams quickly, as exploited in the wild in August through October 2023. |
- affected < 0.11.1-r4fixed 0.11.1-r4
When parsing a multipart form (either explicitly with Request.ParseMultipartForm or implicitly with Request.FormValue, Request.PostFormValue, or Request.FormFile), limits on the total size of the parsed form were not applied to the memory consumed while reading a single form line
- affected < 0.11.1-r4fixed 0.11.1-r4
When following an HTTP redirect to a domain which is not a subdomain match or exact match of the initial domain, an http.Client does not forward sensitive headers such as "Authorization" or "Cookie". For example, a redirect from foo.com to www.foo.com will forward the Authorizati
- CVE-2023-45285Dec 6, 2023affected < 0.11.1-r3fixed 0.11.1-r3
Using go get to fetch a module with the ".git" suffix may unexpectedly fallback to the insecure "git://" protocol if the module is unavailable via the secure "https://" and "git+ssh://" protocols, even if GOINSECURE is not set for said module. This only affects users who are not
- CVE-2023-39326Dec 6, 2023affected < 0.11.1-r3fixed 0.11.1-r3
A malicious HTTP sender can use chunk extensions to cause a receiver reading from a request or response body to read many more bytes from the network than are in the body. A malicious HTTP client can further exploit this to cause a server to automatically read a large amount of d
- CVE-2023-39325Oct 11, 2023affected < 0.11.1-r3fixed 0.11.1-r3
A malicious HTTP/2 client which rapidly creates requests and immediately resets them can cause excessive server resource consumption. While the total number of requests is bounded by the http2.Server.MaxConcurrentStreams setting, resetting an in-progress request allows the attack
- affected < 0.11.1-r3fixed 0.11.1-r3
The HTTP/2 protocol allows a denial of service (server resource consumption) because request cancellation can reset many streams quickly, as exploited in the wild in August through October 2023.
Page 4 of 4