VYPR

apk package

chainguard/dgraph

pkg:apk/chainguard/dgraph

Vulnerabilities (73)

  • CVE-2023-39326 (Dec 6, 2023)
    affected < 23.1.0-r4, fixed 23.1.0-r4

    A malicious HTTP sender can use chunk extensions to cause a receiver reading from a request or response body to read many more bytes from the network than are in the body. A malicious HTTP client can further exploit this to cause a server to automatically read a large amount of d

  • CVE-2023-45284 (Nov 9, 2023)
    affected < 0, fixed 0

    On Windows, The IsLocal function does not correctly detect reserved device names in some cases. Reserved names followed by spaces, such as "COM1 ", and reserved names "COM" and "LPT" followed by superscript 1, 2, or 3, are incorrectly reported as local. With fix, IsLocal now corr

  • CVE-2023-45283 (Nov 9, 2023)
    affected < 0, fixed 0

    The filepath package does not recognize paths with a \??\ prefix as special. On Windows, a path beginning with \??\ is a Root Local Device path equivalent to a path beginning with \\?\. Paths with a \??\ prefix may be used to access arbitrary locations on the system. For example,

  • CVE-2023-39325 (Oct 11, 2023)
    affected < 23.1.0-r6, fixed 23.1.0-r6

    A malicious HTTP/2 client which rapidly creates requests and immediately resets them can cause excessive server resource consumption. While the total number of requests is bounded by the http2.Server.MaxConcurrentStreams setting, resetting an in-progress request allows the attack

  • CVE-2023-44487 [High] [KEV] (Oct 10, 2023)
    affected < 25.3.2-r2, fixed 25.3.2-r2

    The HTTP/2 protocol allows a denial of service (server resource consumption) because request cancellation can reset many streams quickly, as exploited in the wild in August through October 2023.

  • CVE-2023-3978 (Aug 2, 2023)
    affected < 23.1.0-r6, fixed 23.1.0-r6

    Text nodes not in the HTML namespace are incorrectly literally rendered, causing text which should be escaped to not be. This could lead to an XSS attack.

  • CVE-2022-31022 (Jun 1, 2022)
    affected < 0, fixed 0

    Bleve is a text indexing library for go. Bleve includes HTTP utilities under bleve/http package, that are used by its sample application. These HTTP methods pave way for exploitation of a node’s filesystem where the bleve index resides, if the user has used bleve’s own HTTP (blev

  • CVE-2020-26160 (Sep 30, 2020)
    affected < 24.0.0-r0, fixed 24.0.0-r0

    jwt-go before 4.0.0-preview1 allows attackers to bypass intended access restrictions in situations with []string{} for m["aud"] (which is allowed by the specification). Because the type assertion fails, "" is the value of aud. This is a security problem if the JWT token is presen

  • CVE-2020-15136 (Aug 6, 2020)
    affected < 23.1.0-r6, fixed 23.1.0-r6

    In etcd before versions 3.4.10 and 3.3.23, gateway TLS authentication is only applied to endpoints detected in DNS SRV records. When starting a gateway, TLS authentication will only be attempted on endpoints identified in DNS SRV records for a given domain, which occurs in the di

  • CVE-2020-15114 (Aug 6, 2020)
    affected < 23.1.0-r6, fixed 23.1.0-r6

    In etcd before versions 3.3.23 and 3.4.10, the etcd gateway is a simple TCP proxy to allow for basic service discovery and access. However, it is possible to include the gateway address as an endpoint. This results in a denial of service, since the endpoint can become stuck in a

  • CVE-2020-15112 (Aug 5, 2020)
    affected < 23.1.0-r6, fixed 23.1.0-r6

    In etcd before versions 3.3.23 and 3.4.10, it is possible to have an entry index greater than the number of entries in the ReadAll method in wal/wal.go. This could cause issues when WAL entries are being read during consensus as an arbitrary etcd consensus participant could go do

  • CVE-2020-15106 (Aug 5, 2020)
    affected < 23.1.0-r6, fixed 23.1.0-r6

    In etcd before versions 3.3.23 and 3.4.10, a large slice causes panic in decodeRecord method. The size of a record is stored in the length field of a WAL file and no additional validation is done on this data. Therefore, it is possible to forge an extremely large frame size that

  • CVE-2018-1099 (Apr 3, 2018)
    affected < 23.1.0-r6, fixed 23.1.0-r6

    DNS rebinding vulnerability found in etcd 3.3.1 and earlier. An attacker can control his DNS records to direct to localhost, and trick the browser into sending requests to localhost (or any other address).
