VYPR

apk package

chainguard/go-1.20

pkg:apk/chainguard/go-1.20

Vulnerabilities (17)

  • CVE-2025-0913Jun 11, 2025
    affected < 1.20.14-r9fixed 1.20.14-r9

    os.OpenFile(path, os.O_CREATE|O_EXCL) behaved differently on Unix and Windows systems when the target path was a dangling symlink. On Unix systems, OpenFile with O_CREATE and O_EXCL flags never follows symlinks. On Windows, when the target path was a symlink to a nonexistent loca

  • CVE-2025-22874HigJun 11, 2025
    affected < 1.20.14-r9fixed 1.20.14-r9

    Calling Verify with a VerifyOptions.KeyUsages that contains ExtKeyUsageAny unintentionally disabledpolicy validation. This only affected certificate chains which contain policy graphs, which are rather uncommon.

  • CVE-2023-45283Nov 9, 2023
    affected < 1.20.12-r0fixed 1.20.12-r0

    The filepath package does not recognize paths with a \??\ prefix as special. On Windows, a path beginning with \??\ is a Root Local Device path equivalent to a path beginning with \\?\. Paths with a \??\ prefix may be used to access arbitrary locations on the system. For example,

  • CVE-2023-39325Oct 11, 2023
    affected < 1.20.10-r0fixed 1.20.10-r0

    A malicious HTTP/2 client which rapidly creates requests and immediately resets them can cause excessive server resource consumption. While the total number of requests is bounded by the http2.Server.MaxConcurrentStreams setting, resetting an in-progress request allows the attack

  • CVE-2023-29409Aug 2, 2023
    affected < 1.20.7-r0fixed 1.20.7-r0

    Extremely large RSA keys in certificate chains can cause a client/server to expend significant CPU time verifying signatures. With fix, the size of RSA keys transmitted during handshakes is restricted to <= 8192 bits. Based on a survey of publicly trusted RSA keys, there are curr

  • CVE-2023-29406Jul 11, 2023
    affected < 1.20.6-r0fixed 1.20.6-r0

    The HTTP/1 client does not fully validate the contents of the Host header. A maliciously crafted Host header can inject additional headers or entire requests. With fix, the HTTP/1 client now refuses to send requests containing an invalid Request.Host or Request.URL.Host value.

  • CVE-2023-24539May 11, 2023
    affected < 1.20.4-r0fixed 1.20.4-r0

    Angle brackets (<>) are not considered dangerous characters when inserted into CSS contexts. Templates containing multiple actions separated by a '/' character can result in unexpectedly closing the CSS context and allowing for injection of unexpected HTML, if executed with untru

  • CVE-2023-24540May 11, 2023
    affected < 1.20.4-r0fixed 1.20.4-r0

    Not all valid JavaScript whitespace characters are considered to be whitespace. Templates containing whitespace characters outside of the character set "\t\n\f\r\u0020\u2028\u2029" in JavaScript contexts that also contain actions may not be properly sanitized during execution.

  • CVE-2023-29400May 11, 2023
    affected < 1.20.4-r0fixed 1.20.4-r0

    Templates containing actions in unquoted HTML attributes (e.g. "attr={{.}}") executed with empty input can result in output with unexpected results when parsed due to HTML normalization rules. This may allow injection of arbitrary attributes into tags.

  • CVE-2023-24537Apr 6, 2023
    affected < 1.20.3-r1fixed 1.20.3-r1

    Calling any of the Parse functions on Go source code which contains //line directives with very large line numbers can cause an infinite loop due to integer overflow.

  • CVE-2023-24538Apr 6, 2023
    affected < 1.20.3-r1fixed 1.20.3-r1

    Templates do not properly consider backticks (`) as Javascript string delimiters, and do not escape them as expected. Backticks are used, since ES6, for JS template literals. If a template contains a Go template action within a Javascript template literal, the contents of the act

  • CVE-2023-24534Apr 6, 2023
    affected < 1.20.3-r1fixed 1.20.3-r1

    HTTP and MIME header parsing can allocate large amounts of memory, even when parsing small inputs, potentially leading to a denial of service. Certain unusual patterns of input data can cause the common function used to parse HTTP and MIME headers to allocate substantially more m

  • CVE-2023-24536Apr 6, 2023
    affected < 1.20.3-r1fixed 1.20.3-r1

    Multipart form parsing can consume large amounts of CPU and memory when processing form inputs containing very large numbers of parts. This stems from several causes: 1. mime/multipart.Reader.ReadForm limits the total memory a parsed multipart form can consume. ReadForm can under

  • CVE-2023-24532Mar 8, 2023
    affected < 1.20.2-r0fixed 1.20.2-r0

    The ScalarMult and ScalarBaseMult methods of the P256 Curve may return an incorrect result if called with some specific unreduced scalars (a scalar larger than the order of the curve). This does not impact usages of crypto/ecdsa or crypto/ecdh.

  • CVE-2022-41723Feb 28, 2023
    affected < 1.20.1-r1fixed 1.20.1-r1

    A maliciously crafted HTTP/2 stream could cause excessive CPU consumption in the HPACK decoder, sufficient to cause a denial of service from a small number of small requests.

  • CVE-2020-29509Dec 14, 2020
    affected < 0fixed 0

    The encoding/xml package in Go (all versions) does not correctly preserve the semantics of attribute namespace prefixes during tokenization round-trips, which allows an attacker to craft inputs that behave in conflicting ways during different stages of processing in affected down

  • CVE-2020-29511Dec 14, 2020
    affected < 0fixed 0

    The encoding/xml package in Go (all versions) does not correctly preserve the semantics of element namespace prefixes during tokenization round-trips, which allows an attacker to craft inputs that behave in conflicting ways during different stages of processing in affected downst