apk package

chainguard/consul-k8s-fips-1.4-cli

pkg:apk/chainguard/consul-k8s-fips-1.4-cli

Vulnerabilities (67)

CVE	Sev	CVSS	Affected versions	Fixed in	Published	Description
CVE-2025-58186	Med	5.3	< 1.4.10-r6	1.4.10-r6	Oct 29, 2025	Despite HTTP headers having a default limit of 1MB, the number of cookies that can be parsed does not have a limit. By sending a lot of very small cookies such as "a=;", an attacker can make an HTTP server allocate a large amount of structs, causing large memory consumption.
CVE-2025-58183	Med	4.3	< 1.4.10-r6	1.4.10-r6	Oct 29, 2025	tar.Reader does not set a maximum size on the number of sparse region data blocks in GNU tar pax 1.0 sparse files. A maliciously-crafted archive containing a large number of sparse regions can cause a Reader to read an unbounded amount of data from the archive into memory. When r
CVE-2025-61724		—	< 1.4.10-r6	1.4.10-r6	Oct 29, 2025	The Reader.ReadResponse function constructs a response string through repeated string concatenation of lines. When the number of lines in a response is large, this can cause excessive CPU consumption.
CVE-2025-58188		—	< 1.4.10-r6	1.4.10-r6	Oct 29, 2025	Validating certificate chains which contain DSA public keys can cause programs to panic, due to a interface cast that assumes they implement the Equal method. This affects programs which validate arbitrary certificate chains.
CVE-2025-58185		—	< 1.4.10-r6	1.4.10-r6	Oct 29, 2025	Parsing a maliciously crafted DER payload could allocate large amounts of memory, causing memory exhaustion.
CVE-2025-47912		—	< 1.4.10-r6	1.4.10-r6	Oct 29, 2025	The Parse function permits values other than IPv6 addresses to be included in square brackets within the host component of a URL. RFC 3986 permits IPv6 addresses to be included within the host component, enclosed within square brackets. For example: "http://[::1]/". IPv4 addresse
CVE-2025-61723		—	< 1.4.10-r6	1.4.10-r6	Oct 29, 2025	The processing time for parsing some invalid inputs scales non-linearly with respect to the size of the input. This affects programs which parse untrusted PEM inputs.
CVE-2025-58189		—	< 1.4.10-r6	1.4.10-r6	Oct 29, 2025	When Conn.Handshake fails during ALPN negotiation the error contains attacker controlled information (the ALPN protocols sent by the client) which is not escaped.
CVE-2025-58187		—	< 1.4.10-r6	1.4.10-r6	Oct 29, 2025	Due to the design of the name constraint checking algorithm, the processing time of some inputs scale non-linearly with respect to the size of the certificate. This affects programs which validate arbitrary certificate chains.
CVE-2025-55198		—	< 1.4.10-r5	1.4.10-r5	Aug 13, 2025	Helm is a package manager for Charts for Kubernetes. Prior to version 3.18.5, when parsing Chart.yaml and index.yaml files, an improper validation of type error can lead to a panic. This issue has been resolved in Helm 3.18.5. A workaround involves ensuring YAML files are formatt
CVE-2025-55199		—	< 1.4.10-r5	1.4.10-r5	Aug 13, 2025	Helm is a package manager for Charts for Kubernetes. Prior to version 3.18.5, it is possible to craft a JSON Schema file in a manner which could cause Helm to use all available memory and have an out of memory (OOM) termination. This issue has been resolved in Helm 3.18.5. A work
CVE-2025-47907		—	< 1.4.10-r4	1.4.10-r4	Aug 7, 2025	Cancelling a query (e.g. by cancelling the context passed to one of the query methods) during a call to the Scan method of the returned Rows can result in unexpected results if other queries are being made in parallel. This can result in a race condition that may overwrite the ex
CVE-2025-54410		—	< 1.4.10-r25	1.4.10-r25	Jul 30, 2025	Moby is an open source container framework developed by Docker Inc. that is distributed as Docker Engine, Mirantis Container Runtime, and various other downstream projects/products. A firewalld vulnerability affects Moby releases before 28.0.0. When firewalld reloads, Docker fail
CVE-2025-53547		—	< 1.4.10-r2	1.4.10-r2	Jul 8, 2025	Helm is a package manager for Charts for Kubernetes. Prior to 3.18.4, a specially crafted Chart.yaml file along with a specially linked Chart.lock file can lead to local code execution when dependencies are updated. Fields in a Chart.yaml file, that are carried over to a Chart.lo
CVE-2025-22872	Med	6.5	< 1.4.9-r3	1.4.9-r3	Apr 16, 2025	The tokenizer incorrectly interprets tags with unquoted attribute values that end with a solidus character (/) as self-closing. When directly using Tokenizer, this can result in such tags incorrectly being marked as self-closing, and when using the Parse functions, this can resul
CVE-2025-32386		—	< 1.4.10-r25	1.4.10-r25	Apr 9, 2025	Helm is a tool for managing Charts. A chart archive file can be crafted in a manner where it expands to be significantly larger uncompressed than compressed (e.g., >800x difference). When Helm loads this specially crafted chart, memory can be exhausted causing the application to
CVE-2025-32387		—	< 1.4.10-r25	1.4.10-r25	Apr 9, 2025	Helm is a package manager for Charts for Kubernetes. A JSON Schema file within a chart can be crafted with a deeply nested chain of references, leading to parser recursion that can exceed the stack size limit and trigger a stack overflow. This issue has been resolved in Helm v3.1
CVE-2025-22871	Cri	9.1	< 1.4.9-r1	1.4.9-r1	Apr 8, 2025	The net/http package improperly accepts a bare LF as a line terminator in chunked data chunk-size lines. This can permit request smuggling if a net/http server is used in conjunction with a server that incorrectly accepts a bare LF as part of a chunk-ext.
CVE-2024-40635		—	< 1.4.8-r10	1.4.8-r10	Mar 17, 2025	containerd is an open-source container runtime. A bug was found in containerd prior to versions 1.6.38, 1.7.27, and 2.0.4 where containers launched with a User set as a `UID:GID` larger than the maximum 32-bit signed integer can cause an overflow condition where the container ult
CVE-2025-22868		—	< 1.4.8-r6	1.4.8-r6	Feb 26, 2025	An attacker can pass a malicious malformed token which causes unexpected memory to be consumed during parsing.

CVE-2025-58186MedOct 29, 2025
affected < 1.4.10-r6fixed 1.4.10-r6
Despite HTTP headers having a default limit of 1MB, the number of cookies that can be parsed does not have a limit. By sending a lot of very small cookies such as "a=;", an attacker can make an HTTP server allocate a large amount of structs, causing large memory consumption.
CVE-2025-58183MedOct 29, 2025
affected < 1.4.10-r6fixed 1.4.10-r6
tar.Reader does not set a maximum size on the number of sparse region data blocks in GNU tar pax 1.0 sparse files. A maliciously-crafted archive containing a large number of sparse regions can cause a Reader to read an unbounded amount of data from the archive into memory. When r
CVE-2025-61724Oct 29, 2025
affected < 1.4.10-r6fixed 1.4.10-r6
The Reader.ReadResponse function constructs a response string through repeated string concatenation of lines. When the number of lines in a response is large, this can cause excessive CPU consumption.
CVE-2025-58188Oct 29, 2025
affected < 1.4.10-r6fixed 1.4.10-r6
Validating certificate chains which contain DSA public keys can cause programs to panic, due to a interface cast that assumes they implement the Equal method. This affects programs which validate arbitrary certificate chains.
CVE-2025-58185Oct 29, 2025
affected < 1.4.10-r6fixed 1.4.10-r6
Parsing a maliciously crafted DER payload could allocate large amounts of memory, causing memory exhaustion.
CVE-2025-47912Oct 29, 2025
affected < 1.4.10-r6fixed 1.4.10-r6
The Parse function permits values other than IPv6 addresses to be included in square brackets within the host component of a URL. RFC 3986 permits IPv6 addresses to be included within the host component, enclosed within square brackets. For example: "http://[::1]/". IPv4 addresse
CVE-2025-61723Oct 29, 2025
affected < 1.4.10-r6fixed 1.4.10-r6
The processing time for parsing some invalid inputs scales non-linearly with respect to the size of the input. This affects programs which parse untrusted PEM inputs.
CVE-2025-58189Oct 29, 2025
affected < 1.4.10-r6fixed 1.4.10-r6
When Conn.Handshake fails during ALPN negotiation the error contains attacker controlled information (the ALPN protocols sent by the client) which is not escaped.
CVE-2025-58187Oct 29, 2025
affected < 1.4.10-r6fixed 1.4.10-r6
Due to the design of the name constraint checking algorithm, the processing time of some inputs scale non-linearly with respect to the size of the certificate. This affects programs which validate arbitrary certificate chains.
CVE-2025-55198Aug 13, 2025
affected < 1.4.10-r5fixed 1.4.10-r5
Helm is a package manager for Charts for Kubernetes. Prior to version 3.18.5, when parsing Chart.yaml and index.yaml files, an improper validation of type error can lead to a panic. This issue has been resolved in Helm 3.18.5. A workaround involves ensuring YAML files are formatt
CVE-2025-55199Aug 13, 2025
affected < 1.4.10-r5fixed 1.4.10-r5
Helm is a package manager for Charts for Kubernetes. Prior to version 3.18.5, it is possible to craft a JSON Schema file in a manner which could cause Helm to use all available memory and have an out of memory (OOM) termination. This issue has been resolved in Helm 3.18.5. A work
CVE-2025-47907Aug 7, 2025
affected < 1.4.10-r4fixed 1.4.10-r4
Cancelling a query (e.g. by cancelling the context passed to one of the query methods) during a call to the Scan method of the returned Rows can result in unexpected results if other queries are being made in parallel. This can result in a race condition that may overwrite the ex
CVE-2025-54410Jul 30, 2025
affected < 1.4.10-r25fixed 1.4.10-r25
Moby is an open source container framework developed by Docker Inc. that is distributed as Docker Engine, Mirantis Container Runtime, and various other downstream projects/products. A firewalld vulnerability affects Moby releases before 28.0.0. When firewalld reloads, Docker fail
CVE-2025-53547Jul 8, 2025
affected < 1.4.10-r2fixed 1.4.10-r2
Helm is a package manager for Charts for Kubernetes. Prior to 3.18.4, a specially crafted Chart.yaml file along with a specially linked Chart.lock file can lead to local code execution when dependencies are updated. Fields in a Chart.yaml file, that are carried over to a Chart.lo
CVE-2025-22872MedApr 16, 2025
affected < 1.4.9-r3fixed 1.4.9-r3
The tokenizer incorrectly interprets tags with unquoted attribute values that end with a solidus character (/) as self-closing. When directly using Tokenizer, this can result in such tags incorrectly being marked as self-closing, and when using the Parse functions, this can resul
CVE-2025-32386Apr 9, 2025
affected < 1.4.10-r25fixed 1.4.10-r25
Helm is a tool for managing Charts. A chart archive file can be crafted in a manner where it expands to be significantly larger uncompressed than compressed (e.g., >800x difference). When Helm loads this specially crafted chart, memory can be exhausted causing the application to
CVE-2025-32387Apr 9, 2025
affected < 1.4.10-r25fixed 1.4.10-r25
Helm is a package manager for Charts for Kubernetes. A JSON Schema file within a chart can be crafted with a deeply nested chain of references, leading to parser recursion that can exceed the stack size limit and trigger a stack overflow. This issue has been resolved in Helm v3.1
CVE-2025-22871CriApr 8, 2025
affected < 1.4.9-r1fixed 1.4.9-r1
The net/http package improperly accepts a bare LF as a line terminator in chunked data chunk-size lines. This can permit request smuggling if a net/http server is used in conjunction with a server that incorrectly accepts a bare LF as part of a chunk-ext.
CVE-2024-40635Mar 17, 2025
affected < 1.4.8-r10fixed 1.4.8-r10
containerd is an open-source container runtime. A bug was found in containerd prior to versions 1.6.38, 1.7.27, and 2.0.4 where containers launched with a User set as a `UID:GID` larger than the maximum 32-bit signed integer can cause an overflow condition where the container ult
CVE-2025-22868Feb 26, 2025
affected < 1.4.8-r6fixed 1.4.8-r6
An attacker can pass a malicious malformed token which causes unexpected memory to be consumed during parsing.

Page 3 of 4