apk package
chainguard/grpcurl
pkg:apk/chainguard/grpcurl
Vulnerabilities (69)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2023-39325 | — | < 1.8.8-r3 | 1.8.8-r3 | Oct 11, 2023 | A malicious HTTP/2 client which rapidly creates requests and immediately resets them can cause excessive server resource consumption. While the total number of requests is bounded by the http2.Server.MaxConcurrentStreams setting, resetting an in-progress request allows the attack | ||
| CVE-2023-44487 | Hig | 7.5 | KEV | < 1.8.8-r3 | 1.8.8-r3 | Oct 10, 2023 | The HTTP/2 protocol allows a denial of service (server resource consumption) because request cancellation can reset many streams quickly, as exploited in the wild in August through October 2023. |
| CVE-2023-3978 | — | < 1.8.8-r3 | 1.8.8-r3 | Aug 2, 2023 | Text nodes not in the HTML namespace are incorrectly literally rendered, causing text which should be escaped to not be. This could lead to an XSS attack. | ||
| CVE-2022-41723 | — | < 1.8.7-r7 | 1.8.7-r7 | Feb 28, 2023 | A maliciously crafted HTTP/2 stream could cause excessive CPU consumption in the HPACK decoder, sufficient to cause a denial of service from a small number of small requests. | ||
| CVE-2022-32149 | — | < 1.8.7-r7 | 1.8.7-r7 | Oct 14, 2022 | An attacker may cause a denial of service by crafting an Accept-Language header which ParseAcceptLanguage will take significant time to parse. | ||
| CVE-2022-27664 | — | < 1.8.7-r7 | 1.8.7-r7 | Sep 6, 2022 | In net/http in Go before 1.18.6 and 1.19.x before 1.19.1, attackers can cause a denial of service because an HTTP/2 connection can hang during closing if shutdown were preempted by a fatal error. | ||
| CVE-2022-29526 | — | < 1.8.7-r7 | 1.8.7-r7 | Jun 22, 2022 | Go before 1.17.10 and 1.18.x before 1.18.2 has Incorrect Privilege Assignment. When called with a non-zero flags parameter, the Faccessat function could incorrectly report that a file is accessible. | ||
| CVE-2021-31525 | — | < 1.8.7-r7 | 1.8.7-r7 | May 27, 2021 | net/http in Go before 1.15.12 and 1.16.x before 1.16.4 allows remote attackers to cause a denial of service (panic) via a large header to ReadRequest or ReadResponse. Server, Transport, and Client can each be affected in some configurations. | ||
| CVE-2021-33194 | — | < 1.8.7-r7 | 1.8.7-r7 | May 26, 2021 | golang.org/x/net before v0.0.0-20210520170846-37e1c6afe023 allows attackers to cause a denial of service (infinite loop) via crafted ParseFragment input. |
- CVE-2023-39325Oct 11, 2023affected < 1.8.8-r3fixed 1.8.8-r3
A malicious HTTP/2 client which rapidly creates requests and immediately resets them can cause excessive server resource consumption. While the total number of requests is bounded by the http2.Server.MaxConcurrentStreams setting, resetting an in-progress request allows the attack
- affected < 1.8.8-r3fixed 1.8.8-r3
The HTTP/2 protocol allows a denial of service (server resource consumption) because request cancellation can reset many streams quickly, as exploited in the wild in August through October 2023.
- CVE-2023-3978Aug 2, 2023affected < 1.8.8-r3fixed 1.8.8-r3
Text nodes not in the HTML namespace are incorrectly literally rendered, causing text which should be escaped to not be. This could lead to an XSS attack.
- CVE-2022-41723Feb 28, 2023affected < 1.8.7-r7fixed 1.8.7-r7
A maliciously crafted HTTP/2 stream could cause excessive CPU consumption in the HPACK decoder, sufficient to cause a denial of service from a small number of small requests.
- CVE-2022-32149Oct 14, 2022affected < 1.8.7-r7fixed 1.8.7-r7
An attacker may cause a denial of service by crafting an Accept-Language header which ParseAcceptLanguage will take significant time to parse.
- CVE-2022-27664Sep 6, 2022affected < 1.8.7-r7fixed 1.8.7-r7
In net/http in Go before 1.18.6 and 1.19.x before 1.19.1, attackers can cause a denial of service because an HTTP/2 connection can hang during closing if shutdown were preempted by a fatal error.
- CVE-2022-29526Jun 22, 2022affected < 1.8.7-r7fixed 1.8.7-r7
Go before 1.17.10 and 1.18.x before 1.18.2 has Incorrect Privilege Assignment. When called with a non-zero flags parameter, the Faccessat function could incorrectly report that a file is accessible.
- CVE-2021-31525May 27, 2021affected < 1.8.7-r7fixed 1.8.7-r7
net/http in Go before 1.15.12 and 1.16.x before 1.16.4 allows remote attackers to cause a denial of service (panic) via a large header to ReadRequest or ReadResponse. Server, Transport, and Client can each be affected in some configurations.
- CVE-2021-33194May 26, 2021affected < 1.8.7-r7fixed 1.8.7-r7
golang.org/x/net before v0.0.0-20210520170846-37e1c6afe023 allows attackers to cause a denial of service (infinite loop) via crafted ParseFragment input.
Page 4 of 4