apk package
chainguard/envoy-gateway-1.5-egctl
pkg:apk/chainguard/envoy-gateway-1.5-egctl
Vulnerabilities (13)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2026-50162 | mod | 5.3 | < 1.5.9-r1 | 1.5.9-r1 | Jul 1, 2026 | oras-go: oras-go: File store write outside working directory via symlink traversal | |
| CVE-2026-50151 | mod | 5.9 | < 1.5.9-r1 | 1.5.9-r1 | Jul 1, 2026 | oras-go: oras-go: Credential forwarding via unvalidated Location header during blob upload | |
| CVE-2026-48978 | low | 3.1 | < 1.5.9-r1 | 1.5.9-r1 | Jul 1, 2026 | oras-go: oras-go: Information disclosure and TLS downgrade via malicious registry realm | |
| CVE-2026-53488 | hig | — | < 1.5.9-r2 | 1.5.9-r2 | Jun 19, 2026 | ### Impact A bug was found in containerd where the CRI plugin propagates labels from an image config (`LABEL` instruction in Dockerfile) to a container without validation. This may result in executing an arbitrary command on the host, via a plugin that consumes container labels f | |
| CVE-2026-47262 | — | < 1.5.9-r2 | 1.5.9-r2 | Jun 19, 2026 | ### Impact A vulnerability in containerd allows a maliciously crafted image to cause a Denial of Service (DoS) condition. When creating a container from this image, memory exhaustion occurs, leading to an Out Of Memory (OOM) kill of the containerd process. This renders the contai | ||
| CVE-2026-42306 | Hig | 7.2 | < 1.8.2-r0 | 1.8.2-r0 | Jun 12, 2026 | Moby is an open source container framework. In Docker Engine prior to version 29.5.1, Docker Daemon versions 28.5.2 and prior, and Moby Daemon prior to version 2.0.0-beta.14, a race condition during docker cp mount setup allows a malicious container to redirect a bind mount targe | |
| CVE-2026-41568 | Med | 6.1 | < 1.8.2-r0 | 1.8.2-r0 | Jun 12, 2026 | Moby is an open source container framework. In Docker Engine prior to version 29.5.1, Docker Daemon versions 28.5.2 and prior, and Moby Daemon prior to version 2.0.0-beta.14, a race condition during docker cp mount setup allows a malicious container to create empty files or direc | |
| CVE-2026-41567 | Hig | 7.2 | < 1.8.2-r0 | 1.8.2-r0 | Jun 5, 2026 | Moby is an open source container framework. In versions prior to 29.5.1 and in moby/moby v2 prior to v2.0.0-beta.14, when a compressed archive is uploaded to a container via `PUT /containers/{id}/archive` or piped through `docker cp -`, the daemon resolves decompression binaries | |
| CVE-2026-41178 | Med | 5.3 | < 1.8.2-r0 | 1.8.2-r0 | Jun 4, 2026 | OpenTelemetry-Go is the Go implementation of OpenTelemetry. Versions 1.41.0 and 1.43.0 removed raw-length rejection and it causes `Parse` to process arbitrarily large/invalid baggage headers and log errors, enabling DoS via oversized inputs. Versions 1.42.0 and 1.44.0 fix the iss | |
| CVE-2026-34040 | Hig | 8.8 | < 1.8.2-r0 | 1.8.2-r0 | Mar 31, 2026 | Moby is an open source container framework. Prior to version 29.3.1, a security vulnerability has been detected that allows attackers to bypass authorization plugins (AuthZ). This issue has been patched in version 29.3.1. | |
| CVE-2026-33997 | Med | 6.8 | < 1.8.2-r0 | 1.8.2-r0 | Mar 31, 2026 | Moby is an open source container framework. Prior to version 29.3.1, a security vulnerability has been detected that allows plugins privilege validation to be bypassed during docker plugin install. Due to an error in the daemon's privilege comparison logic, the daemon may incorre | |
| CVE-2025-15558 | — | < 0 | 0 | Mar 4, 2026 | Docker CLI for Windows searches for plugin binaries in C:\ProgramData\Docker\cli-plugins, a directory that does not exist by default. A low-privileged attacker can create this directory and place malicious CLI plugin binaries (docker-compose.exe, docker-buildx.exe, etc.) that are | ||
| CVE-2026-26958 | Low | — | < 1.8.2-r0 | 1.8.2-r0 | Feb 19, 2026 | filippo.io/edwards25519 is a Go library implementing the edwards25519 elliptic curve with APIs for building cryptographic primitives. In versions 1.1.0 and earlier, MultiScalarMult produces invalid results or undefined behavior if the receiver is not the identity point. If (*Poin |
- affected < 1.5.9-r1fixed 1.5.9-r1
oras-go: oras-go: File store write outside working directory via symlink traversal
- affected < 1.5.9-r1fixed 1.5.9-r1
oras-go: oras-go: Credential forwarding via unvalidated Location header during blob upload
- affected < 1.5.9-r1fixed 1.5.9-r1
oras-go: oras-go: Information disclosure and TLS downgrade via malicious registry realm
- affected < 1.5.9-r2fixed 1.5.9-r2
### Impact A bug was found in containerd where the CRI plugin propagates labels from an image config (`LABEL` instruction in Dockerfile) to a container without validation. This may result in executing an arbitrary command on the host, via a plugin that consumes container labels f
- CVE-2026-47262Jun 19, 2026affected < 1.5.9-r2fixed 1.5.9-r2
### Impact A vulnerability in containerd allows a maliciously crafted image to cause a Denial of Service (DoS) condition. When creating a container from this image, memory exhaustion occurs, leading to an Out Of Memory (OOM) kill of the containerd process. This renders the contai
- affected < 1.8.2-r0fixed 1.8.2-r0
Moby is an open source container framework. In Docker Engine prior to version 29.5.1, Docker Daemon versions 28.5.2 and prior, and Moby Daemon prior to version 2.0.0-beta.14, a race condition during docker cp mount setup allows a malicious container to redirect a bind mount targe
- affected < 1.8.2-r0fixed 1.8.2-r0
Moby is an open source container framework. In Docker Engine prior to version 29.5.1, Docker Daemon versions 28.5.2 and prior, and Moby Daemon prior to version 2.0.0-beta.14, a race condition during docker cp mount setup allows a malicious container to create empty files or direc
- affected < 1.8.2-r0fixed 1.8.2-r0
Moby is an open source container framework. In versions prior to 29.5.1 and in moby/moby v2 prior to v2.0.0-beta.14, when a compressed archive is uploaded to a container via `PUT /containers/{id}/archive` or piped through `docker cp -`, the daemon resolves decompression binaries
- affected < 1.8.2-r0fixed 1.8.2-r0
OpenTelemetry-Go is the Go implementation of OpenTelemetry. Versions 1.41.0 and 1.43.0 removed raw-length rejection and it causes `Parse` to process arbitrarily large/invalid baggage headers and log errors, enabling DoS via oversized inputs. Versions 1.42.0 and 1.44.0 fix the iss
- affected < 1.8.2-r0fixed 1.8.2-r0
Moby is an open source container framework. Prior to version 29.3.1, a security vulnerability has been detected that allows attackers to bypass authorization plugins (AuthZ). This issue has been patched in version 29.3.1.
- affected < 1.8.2-r0fixed 1.8.2-r0
Moby is an open source container framework. Prior to version 29.3.1, a security vulnerability has been detected that allows plugins privilege validation to be bypassed during docker plugin install. Due to an error in the daemon's privilege comparison logic, the daemon may incorre
- CVE-2025-15558Mar 4, 2026affected < 0fixed 0
Docker CLI for Windows searches for plugin binaries in C:\ProgramData\Docker\cli-plugins, a directory that does not exist by default. A low-privileged attacker can create this directory and place malicious CLI plugin binaries (docker-compose.exe, docker-buildx.exe, etc.) that are
- affected < 1.8.2-r0fixed 1.8.2-r0
filippo.io/edwards25519 is a Go library implementing the edwards25519 elliptic curve with APIs for building cryptographic primitives. In versions 1.1.0 and earlier, MultiScalarMult produces invalid results or undefined behavior if the receiver is not the identity point. If (*Poin