apk package

chainguard/dynamic-localpv-provisioner-fips

pkg:apk/chainguard/dynamic-localpv-provisioner-fips

Vulnerabilities (78)

CVE	Sev	CVSS	KEV	Affected versions	Fixed in	Published	Description
CVE-2024-24783	Med	5.9		< 3.5.0-r1	3.5.0-r1	Mar 5, 2024	Verifying a certificate chain which contains a certificate with an unknown public key algorithm will cause Certificate.Verify to panic. This affects all crypto/tls clients, and servers that set Config.ClientAuth to VerifyClientCertIfGiven or RequireAndVerifyClientCert. The defaul
CVE-2023-45290	Med	6.5		< 3.5.0-r1	3.5.0-r1	Mar 5, 2024	When parsing a multipart form (either explicitly with Request.ParseMultipartForm or implicitly with Request.FormValue, Request.PostFormValue, or Request.FormFile), limits on the total size of the parsed form were not applied to the memory consumed while reading a single form line
CVE-2023-45289	Med	4.3		< 3.5.0-r1	3.5.0-r1	Mar 5, 2024	When following an HTTP redirect to a domain which is not a subdomain match or exact match of the initial domain, an http.Client does not forward sensitive headers such as "Authorization" or "Cookie". For example, a redirect from foo.com to www.foo.com will forward the Authorizati
CVE-2023-48795	Med	5.9		< 3.5.0-r0	3.5.0-r0	Dec 18, 2023	The SSH transport protocol with certain OpenSSH extensions, found in OpenSSH before 9.6 and other products, allows remote attackers to bypass integrity checks such that some packets are omitted (from the extension negotiation message), and a client and server may consequently end
CVE-2023-39325		—		< 3.5.0-r0	3.5.0-r0	Oct 11, 2023	A malicious HTTP/2 client which rapidly creates requests and immediately resets them can cause excessive server resource consumption. While the total number of requests is bounded by the http2.Server.MaxConcurrentStreams setting, resetting an in-progress request allows the attack
CVE-2023-44487	Hig	7.5	KEV	< 3.5.0-r0	3.5.0-r0	Oct 10, 2023	The HTTP/2 protocol allows a denial of service (server resource consumption) because request cancellation can reset many streams quickly, as exploited in the wild in August through October 2023.
CVE-2023-3978		—		< 3.5.0-r0	3.5.0-r0	Aug 2, 2023	Text nodes not in the HTML namespace are incorrectly literally rendered, causing text which should be escaped to not be. This could lead to an XSS attack.
CVE-2022-41723		—		< 3.5.0-r0	3.5.0-r0	Feb 28, 2023	A maliciously crafted HTTP/2 stream could cause excessive CPU consumption in the HPACK decoder, sufficient to cause a denial of service from a small number of small requests.
CVE-2021-4238		—		< 3.5.0-r0	3.5.0-r0	Dec 27, 2022	Randomly-generated alphanumeric strings contain significantly less entropy than expected. The RandomAlphaNumeric and CryptoRandomAlphaNumeric functions always return strings containing at least one digit from 0 to 9. This significantly reduces the amount of entropy in short strin
CVE-2021-38561		—		< 3.5.0-r0	3.5.0-r0	Dec 26, 2022	golang.org/x/text/language in golang.org/x/text before 0.3.7 can panic with an out-of-bounds read during BCP 47 language tag parsing. Index calculation is mishandled. If parsing untrusted user input, this can be used as a vector for a denial-of-service attack.
CVE-2022-32149		—		< 3.5.0-r0	3.5.0-r0	Oct 14, 2022	An attacker may cause a denial of service by crafting an Accept-Language header which ParseAcceptLanguage will take significant time to parse.
CVE-2022-27664		—		< 3.5.0-r0	3.5.0-r0	Sep 6, 2022	In net/http in Go before 1.18.6 and 1.19.x before 1.19.1, attackers can cause a denial of service because an HTTP/2 connection can hang during closing if shutdown were preempted by a fatal error.
CVE-2021-43565		—		< 3.5.0-r0	3.5.0-r0	Sep 6, 2022	The x/crypto/ssh package before 0.0.0-20211202192323-5770296d904e of golang.org/x/crypto allows an attacker to panic an SSH server.
CVE-2022-29526		—		< 3.5.0-r0	3.5.0-r0	Jun 22, 2022	Go before 1.17.10 and 1.18.x before 1.18.2 has Incorrect Privilege Assignment. When called with a non-zero flags parameter, the Faccessat function could incorrectly report that a file is accessible.
CVE-2022-28948		—		< 3.5.0-r0	3.5.0-r0	May 19, 2022	An issue in the Unmarshal function in Go-Yaml v3 causes the program to crash when attempting to deserialize invalid input.
CVE-2022-27191		—		< 3.5.0-r0	3.5.0-r0	Mar 18, 2022	The golang.org/x/crypto/ssh package before 0.0.0-20220314234659-1baeb1ce4c0b for Go allows an attacker to crash a server in certain circumstances involving AddHostKey.
CVE-2022-21698		—		< 3.5.0-r0	3.5.0-r0	Feb 15, 2022	client_golang is the instrumentation library for Go applications in Prometheus, and the promhttp package in client_golang provides tooling around HTTP servers and clients. In client_golang prior to version 1.11.1, HTTP server is susceptible to a Denial of Service through unbounde
CVE-2020-8559		—		< 4.2.0-r4	4.2.0-r4	Jul 22, 2020	The Kubernetes kube-apiserver in versions v1.6-v1.15, and versions prior to v1.16.13, v1.17.9 and v1.18.6 are vulnerable to an unvalidated redirect on proxied upgrade requests that could allow an attacker to escalate privileges from a node compromise to a full cluster compromise.

CVE-2024-24783MedMar 5, 2024
affected < 3.5.0-r1fixed 3.5.0-r1
Verifying a certificate chain which contains a certificate with an unknown public key algorithm will cause Certificate.Verify to panic. This affects all crypto/tls clients, and servers that set Config.ClientAuth to VerifyClientCertIfGiven or RequireAndVerifyClientCert. The defaul
CVE-2023-45290MedMar 5, 2024
affected < 3.5.0-r1fixed 3.5.0-r1
When parsing a multipart form (either explicitly with Request.ParseMultipartForm or implicitly with Request.FormValue, Request.PostFormValue, or Request.FormFile), limits on the total size of the parsed form were not applied to the memory consumed while reading a single form line
CVE-2023-45289MedMar 5, 2024
affected < 3.5.0-r1fixed 3.5.0-r1
When following an HTTP redirect to a domain which is not a subdomain match or exact match of the initial domain, an http.Client does not forward sensitive headers such as "Authorization" or "Cookie". For example, a redirect from foo.com to www.foo.com will forward the Authorizati
CVE-2023-48795MedDec 18, 2023
affected < 3.5.0-r0fixed 3.5.0-r0
The SSH transport protocol with certain OpenSSH extensions, found in OpenSSH before 9.6 and other products, allows remote attackers to bypass integrity checks such that some packets are omitted (from the extension negotiation message), and a client and server may consequently end
CVE-2023-39325Oct 11, 2023
affected < 3.5.0-r0fixed 3.5.0-r0
A malicious HTTP/2 client which rapidly creates requests and immediately resets them can cause excessive server resource consumption. While the total number of requests is bounded by the http2.Server.MaxConcurrentStreams setting, resetting an in-progress request allows the attack
CVE-2023-44487HigKEVOct 10, 2023
affected < 3.5.0-r0fixed 3.5.0-r0
The HTTP/2 protocol allows a denial of service (server resource consumption) because request cancellation can reset many streams quickly, as exploited in the wild in August through October 2023.
CVE-2023-3978Aug 2, 2023
affected < 3.5.0-r0fixed 3.5.0-r0
Text nodes not in the HTML namespace are incorrectly literally rendered, causing text which should be escaped to not be. This could lead to an XSS attack.
CVE-2022-41723Feb 28, 2023
affected < 3.5.0-r0fixed 3.5.0-r0
A maliciously crafted HTTP/2 stream could cause excessive CPU consumption in the HPACK decoder, sufficient to cause a denial of service from a small number of small requests.
CVE-2021-4238Dec 27, 2022
affected < 3.5.0-r0fixed 3.5.0-r0
Randomly-generated alphanumeric strings contain significantly less entropy than expected. The RandomAlphaNumeric and CryptoRandomAlphaNumeric functions always return strings containing at least one digit from 0 to 9. This significantly reduces the amount of entropy in short strin
CVE-2021-38561Dec 26, 2022
affected < 3.5.0-r0fixed 3.5.0-r0
golang.org/x/text/language in golang.org/x/text before 0.3.7 can panic with an out-of-bounds read during BCP 47 language tag parsing. Index calculation is mishandled. If parsing untrusted user input, this can be used as a vector for a denial-of-service attack.
CVE-2022-32149Oct 14, 2022
affected < 3.5.0-r0fixed 3.5.0-r0
An attacker may cause a denial of service by crafting an Accept-Language header which ParseAcceptLanguage will take significant time to parse.
CVE-2022-27664Sep 6, 2022
affected < 3.5.0-r0fixed 3.5.0-r0
In net/http in Go before 1.18.6 and 1.19.x before 1.19.1, attackers can cause a denial of service because an HTTP/2 connection can hang during closing if shutdown were preempted by a fatal error.
CVE-2021-43565Sep 6, 2022
affected < 3.5.0-r0fixed 3.5.0-r0
The x/crypto/ssh package before 0.0.0-20211202192323-5770296d904e of golang.org/x/crypto allows an attacker to panic an SSH server.
CVE-2022-29526Jun 22, 2022
affected < 3.5.0-r0fixed 3.5.0-r0
Go before 1.17.10 and 1.18.x before 1.18.2 has Incorrect Privilege Assignment. When called with a non-zero flags parameter, the Faccessat function could incorrectly report that a file is accessible.
CVE-2022-28948May 19, 2022
affected < 3.5.0-r0fixed 3.5.0-r0
An issue in the Unmarshal function in Go-Yaml v3 causes the program to crash when attempting to deserialize invalid input.
CVE-2022-27191Mar 18, 2022
affected < 3.5.0-r0fixed 3.5.0-r0
The golang.org/x/crypto/ssh package before 0.0.0-20220314234659-1baeb1ce4c0b for Go allows an attacker to crash a server in certain circumstances involving AddHostKey.
CVE-2022-21698Feb 15, 2022
affected < 3.5.0-r0fixed 3.5.0-r0
client_golang is the instrumentation library for Go applications in Prometheus, and the promhttp package in client_golang provides tooling around HTTP servers and clients. In client_golang prior to version 1.11.1, HTTP server is susceptible to a Denial of Service through unbounde
CVE-2020-8559Jul 22, 2020
affected < 4.2.0-r4fixed 4.2.0-r4
The Kubernetes kube-apiserver in versions v1.6-v1.15, and versions prior to v1.16.13, v1.17.9 and v1.18.6 are vulnerable to an unvalidated redirect on proxied upgrade requests that could allow an attacker to escalate privileges from a node compromise to a full cluster compromise.

Page 4 of 4