VYPR

apk package

chainguard/dex-k8s-authenticator

pkg:apk/chainguard/dex-k8s-authenticator

Vulnerabilities (97)

  • CVE-2023-45289MedMar 5, 2024
    affected < 1.4.0-r7fixed 1.4.0-r7

    When following an HTTP redirect to a domain which is not a subdomain match or exact match of the initial domain, an http.Client does not forward sensitive headers such as "Authorization" or "Cookie". For example, a redirect from foo.com to www.foo.com will forward the Authorizati

  • CVE-2023-48795MedDec 18, 2023
    affected < 1.4.0-r6fixed 1.4.0-r6

    The SSH transport protocol with certain OpenSSH extensions, found in OpenSSH before 9.6 and other products, allows remote attackers to bypass integrity checks such that some packets are omitted (from the extension negotiation message), and a client and server may consequently end

  • CVE-2023-39325Oct 11, 2023
    affected < 1.4.0-r4fixed 1.4.0-r4

    A malicious HTTP/2 client which rapidly creates requests and immediately resets them can cause excessive server resource consumption. While the total number of requests is bounded by the http2.Server.MaxConcurrentStreams setting, resetting an in-progress request allows the attack

  • CVE-2023-3978Aug 2, 2023
    affected < 1.4.0-r4fixed 1.4.0-r4

    Text nodes not in the HTML namespace are incorrectly literally rendered, causing text which should be escaped to not be. This could lead to an XSS attack.

  • CVE-2021-38561Dec 26, 2022
    affected < 0fixed 0

    golang.org/x/text/language in golang.org/x/text before 0.3.7 can panic with an out-of-bounds read during BCP 47 language tag parsing. Index calculation is mishandled. If parsing untrusted user input, this can be used as a vector for a denial-of-service attack.

  • CVE-2022-32149Oct 14, 2022
    affected < 0fixed 0

    An attacker may cause a denial of service by crafting an Accept-Language header which ParseAcceptLanguage will take significant time to parse.

  • CVE-2021-43565Sep 6, 2022
    affected < 0fixed 0

    The x/crypto/ssh package before 0.0.0-20211202192323-5770296d904e of golang.org/x/crypto allows an attacker to panic an SSH server.

  • CVE-2022-29526Jun 22, 2022
    affected < 0fixed 0

    Go before 1.17.10 and 1.18.x before 1.18.2 has Incorrect Privilege Assignment. When called with a non-zero flags parameter, the Faccessat function could incorrectly report that a file is accessible.

  • CVE-2022-27191Mar 18, 2022
    affected < 0fixed 0

    The golang.org/x/crypto/ssh package before 0.0.0-20220314234659-1baeb1ce4c0b for Go allows an attacker to crash a server in certain circumstances involving AddHostKey.

  • CVE-2020-28852Jan 2, 2021
    affected < 1.4.0-r33fixed 1.4.0-r33

    In x/text in Go before v0.3.5, a "slice bounds out of range" panic occurs in language.ParseAcceptLanguage while processing a BCP 47 tag. (x/text/language is supposed to be able to parse an HTTP Accept-Language header.)

  • CVE-2020-29652Dec 17, 2020
    affected < 0fixed 0

    A nil pointer dereference in the golang.org/x/crypto/ssh component through v0.0.0-20201203163018-be400aefbc4c for Go allows remote attackers to cause a denial of service against SSH servers.

  • CVE-2020-14040Jun 17, 2020
    affected < 0fixed 0

    The x/text package before 0.3.3 for Go has a vulnerability in encoding/unicode that could lead to the UTF-16 decoder entering an infinite loop, causing the program to crash or run out of memory. An attacker could provide a single byte to a UTF16 decoder instantiated with UseBOM o

  • CVE-2019-11254Apr 1, 2020
    affected < 1.4.0-r36fixed 1.4.0-r36

    The Kubernetes API Server component in versions 1.1-1.14, and versions prior to 1.15.10, 1.16.7 and 1.17.3 allows an authorized user who sends malicious YAML payloads to cause the kube-apiserver to consume excessive CPU cycles while parsing YAML.

  • CVE-2020-7919Mar 16, 2020
    affected < 1.4.0-r35fixed 1.4.0-r35

    Go before 1.12.16 and 1.13.x before 1.13.7 (and the crypto/cryptobyte package before 0.0.0-20200124225646-8b5121be2f68 for Go) allows attacks on clients (resulting in a panic) via a malformed X.509 certificate.

  • CVE-2020-9283Feb 20, 2020
    affected < 0fixed 0

    golang.org/x/crypto before v0.0.0-20200220183623-bac4c82f6975 for Go allows a panic during signature verification in the golang.org/x/crypto/ssh package. A client can attack an SSH server that accepts public keys. Also, a server can attack any SSH client.

  • CVE-2019-11841May 22, 2019
    affected < 0fixed 0

    A message-forgery issue was discovered in crypto/openpgp/clearsign/clearsign.go in supplementary Go cryptography libraries 2019-03-25. According to the OpenPGP Message Format specification in RFC 4880 chapter 7, a cleartext signed message can contain one or more optional "Hash" A

  • CVE-2019-11840MedMay 9, 2019
    affected < 0fixed 0

    An issue was discovered in the supplementary Go cryptography library, golang.org/x/crypto, before v0.0.0-20190320223903-b7391e95e576. A flaw was found in the amd64 implementation of the golang.org/x/crypto/salsa20 and golang.org/x/crypto/salsa20/salsa packages. If more than 256 G

Page 5 of 5