VYPR

apk package

chainguard/datadog-agent-fips-7.77

pkg:apk/chainguard/datadog-agent-fips-7.77

Vulnerabilities (55)

  • CVE-2026-33811HigMay 7, 2026
    affected < 7.77.3-r8fixed 7.77.3-r8

    When using LookupCNAME with the cgo DNS resolver, a very long CNAME response can trigger a double-free of C memory and a crash.

  • CVE-2026-6357MedApr 27, 2026
    affected < 7.77.3-r7fixed 7.77.3-r7

    pip prior to version 26.1 would run self-update check functionality after installing wheel files which required importing well-known Python modules names. These module imports were intentionally deferred to increase startup time of the pip CLI. The patch changes self-update funct

  • CVE-2026-3219MedApr 20, 2026
    affected < 7.77.3-r7fixed 7.77.3-r7

    pip handles concatenated tar and ZIP files as ZIP files regardless of filename or whether a file is both a tar and ZIP file. This behavior could result in confusing installation behavior, such as installing "incorrect" files according to the filename of the archive. New behavior

  • CVE-2026-35469HigApr 16, 2026
    affected < 7.77.3-r4fixed 7.77.3-r4

    spdystream is a Go library for multiplexing streams over SPDY connections. In versions 0.5.0 and below, the SPDY/3 frame parser does not validate attacker-controlled counts and lengths before allocating memory. Three allocation paths are affected: the SETTINGS frame entry count,

  • CVE-2026-40179MedApr 15, 2026
    affected < 0fixed 0

    Prometheus is an open-source monitoring system and time series database. Versions 3.0 through 3.5.1 and 3.6.0 through 3.11.1 have stored cross-site scripting vulnerabilities in multiple components of the Prometheus web UI where metric names and label values are injected into inne

  • CVE-2026-39883HigApr 8, 2026
    affected < 7.77.3-r4fixed 7.77.3-r4

    OpenTelemetry-Go is the Go implementation of OpenTelemetry. From 1.15.0 to 1.42.0, the fix for CVE-2026-24051 changed the Darwin ioreg command to use an absolute path but left the BSD kenv command using a bare name, allowing the same PATH hijacking attack on BSD and Solaris platf

  • CVE-2026-39882MedApr 8, 2026
    affected < 7.77.3-r4fixed 7.77.3-r4

    OpenTelemetry-Go is the Go implementation of OpenTelemetry. Prior to 1.43.0, the otlp HTTP exporters (traces/metrics/logs) read the full HTTP response body into an in-memory bytes.Buffer without a size cap. This is exploitable for memory exhaustion when the configured collector e

  • CVE-2026-29181HigApr 7, 2026
    affected < 7.77.3-r4fixed 7.77.3-r4

    OpenTelemetry-Go is the Go implementation of OpenTelemetry. From 1.36.0 to 1.40.0, multi-value baggage: header extraction parses each header field-value independently and aggregates members across values. This allows an attacker to amplify cpu and allocations by sending many bagg

  • CVE-2026-25645Mar 25, 2026
    affected < 7.77.3-r7fixed 7.77.3-r7

    Requests is a HTTP library. Prior to version 2.33.0, the `requests.utils.extract_zipped_paths()` utility function uses a predictable filename when extracting files from zip archives into the system temporary directory. If the target file already exists, it is reused without valid

  • CVE-2026-27141HigFeb 26, 2026
    affected < 7.77.3-r1fixed 7.77.3-r1

    Due to missing nil check, sending 0x0a-0x0f HTTP/2 frames will cause a running server to panic

  • CVE-2026-21441Jan 7, 2026
    affected < 7.77.3-r7fixed 7.77.3-r7

    urllib3 is an HTTP client library for Python. urllib3's streaming API is designed for the efficient handling of large HTTP responses by reading the content in chunks, rather than loading the entire response body into memory at once. urllib3 can perform decoding or decompression b

  • CVE-2025-67499Dec 9, 2025
    affected < 7.77.3-r12fixed 7.77.3-r12

    The CNI portmap plugin allows containers to emulate opening a host port, forwarding that traffic to the container. Versions 1.6.0 through 1.8.0 inadvertently forward all traffic with the same destination port as the host port when the portmap plugin is configured with the nftabl

  • CVE-2025-66471Dec 5, 2025
    affected < 7.77.3-r7fixed 7.77.3-r7

    urllib3 is a user-friendly HTTP client library for Python. Starting in version 1.0 and prior to 2.6.0, the Streaming API improperly handles highly compressed data. urllib3's streaming API is designed for the efficient handling of large HTTP responses by reading the content in chu

  • CVE-2025-66418Dec 5, 2025
    affected < 7.77.3-r7fixed 7.77.3-r7

    urllib3 is a user-friendly HTTP client library for Python. Starting in version 1.24 and prior to 2.6.0, the number of links in the decompression chain was unbounded allowing a malicious server to insert a virtually unlimited number of compression steps leading to high CPU usage a

  • CVE-2025-50181Jun 19, 2025
    affected < 7.77.3-r7fixed 7.77.3-r7

    urllib3 is a user-friendly HTTP client library for Python. Prior to 2.5.0, it is possible to disable redirects for all requests by instantiating a PoolManager and specifying retries in a way that disable redirects. By default, requests and botocore users are not affected. An appl

Page 3 of 3