apk package
chainguard/grype-fips
pkg:apk/chainguard/grype-fips
Vulnerabilities (67)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2025-58058 | Med | 5.3 | < 0.99.0-r1 | 0.99.0-r1 | Aug 28, 2025 | xz is a pure golang package for reading and writing xz-compressed files. Prior to version 0.5.14, it is possible to put data in front of an LZMA-encoded byte stream without detecting the situation while reading the header. This can lead to increased memory consumption because the | |
| CVE-2025-8959 | — | < 0.98.0-r1 | 0.98.0-r1 | Aug 15, 2025 | HashiCorp's go-getter library subdirectory download feature is vulnerable to symlink attacks leading to unauthorized read access beyond the designated directory boundaries. This vulnerability, identified as CVE-2025-8959, is fixed in go-getter 1.7.9. | ||
| CVE-2025-54388 | — | < 0.96.1-r1 | 0.96.1-r1 | Jul 30, 2025 | Moby is an open source container framework developed by Docker Inc. that is distributed as Docker Engine, Mirantis Container Runtime, and various other downstream projects/products. In versions 28.2.0 through 28.3.2, when the firewalld service is reloaded it removes all iptables | ||
| CVE-2025-22871 | Cri | 9.1 | < 0.91.0-r1 | 0.91.0-r1 | Apr 8, 2025 | The net/http package improperly accepts a bare LF as a line terminator in chunked data chunk-size lines. This can permit request smuggling if a net/http server is used in conjunction with a server that incorrectly accepts a bare LF as part of a chunk-ext. | |
| CVE-2024-40635 | — | < 0.90.0-r1 | 0.90.0-r1 | Mar 17, 2025 | containerd is an open-source container runtime. A bug was found in containerd prior to versions 1.6.38, 1.7.27, and 2.0.4 where containers launched with a User set as a `UID:GID` larger than the maximum 32-bit signed integer can cause an overflow condition where the container ult | ||
| CVE-2025-22868 | — | < 0.89.0-r1 | 0.89.0-r1 | Feb 26, 2025 | An attacker can pass a malicious malformed token which causes unexpected memory to be consumed during parsing. | ||
| CVE-2025-22869 | — | < 0.89.0-r0 | 0.89.0-r0 | Feb 26, 2025 | SSH servers which implement file transfer protocols are vulnerable to a denial of service attack from clients which complete the key exchange slowly, or not at all, causing pending content to be read into memory, but never transmitted. |
- affected < 0.99.0-r1fixed 0.99.0-r1
xz is a pure golang package for reading and writing xz-compressed files. Prior to version 0.5.14, it is possible to put data in front of an LZMA-encoded byte stream without detecting the situation while reading the header. This can lead to increased memory consumption because the
- CVE-2025-8959Aug 15, 2025affected < 0.98.0-r1fixed 0.98.0-r1
HashiCorp's go-getter library subdirectory download feature is vulnerable to symlink attacks leading to unauthorized read access beyond the designated directory boundaries. This vulnerability, identified as CVE-2025-8959, is fixed in go-getter 1.7.9.
- CVE-2025-54388Jul 30, 2025affected < 0.96.1-r1fixed 0.96.1-r1
Moby is an open source container framework developed by Docker Inc. that is distributed as Docker Engine, Mirantis Container Runtime, and various other downstream projects/products. In versions 28.2.0 through 28.3.2, when the firewalld service is reloaded it removes all iptables
- affected < 0.91.0-r1fixed 0.91.0-r1
The net/http package improperly accepts a bare LF as a line terminator in chunked data chunk-size lines. This can permit request smuggling if a net/http server is used in conjunction with a server that incorrectly accepts a bare LF as part of a chunk-ext.
- CVE-2024-40635Mar 17, 2025affected < 0.90.0-r1fixed 0.90.0-r1
containerd is an open-source container runtime. A bug was found in containerd prior to versions 1.6.38, 1.7.27, and 2.0.4 where containers launched with a User set as a `UID:GID` larger than the maximum 32-bit signed integer can cause an overflow condition where the container ult
- CVE-2025-22868Feb 26, 2025affected < 0.89.0-r1fixed 0.89.0-r1
An attacker can pass a malicious malformed token which causes unexpected memory to be consumed during parsing.
- CVE-2025-22869Feb 26, 2025affected < 0.89.0-r0fixed 0.89.0-r0
SSH servers which implement file transfer protocols are vulnerable to a denial of service attack from clients which complete the key exchange slowly, or not at all, causing pending content to be read into memory, but never transmitted.
Page 4 of 4