VYPR

apk package

chainguard/harbor-2.12-exporter

pkg:apk/chainguard/harbor-2.12-exporter

Vulnerabilities (85)

  • CVE-2025-58185MedOct 29, 2025
    affected < 2.12.4-r12fixed 2.12.4-r12

    Parsing a maliciously crafted DER payload could allocate large amounts of memory, causing memory exhaustion.

  • CVE-2025-58183MedOct 29, 2025
    affected < 2.12.4-r12fixed 2.12.4-r12

    tar.Reader does not set a maximum size on the number of sparse region data blocks in GNU tar pax 1.0 sparse files. A maliciously-crafted archive containing a large number of sparse regions can cause a Reader to read an unbounded amount of data from the archive into memory. When r

  • CVE-2025-47912MedOct 29, 2025
    affected < 2.12.4-r12fixed 2.12.4-r12

    The Parse function permits values other than IPv6 addresses to be included in square brackets within the host component of a URL. RFC 3986 permits IPv6 addresses to be included within the host component, enclosed within square brackets. For example: "http://[::1]/". IPv4 addresse

  • CVE-2025-47909HigAug 29, 2025
    affected < 0fixed 0

    Hosts listed in TrustedOrigins implicitly allow requests from the corresponding HTTP origins, allowing network MitMs to perform CSRF attacks. After the CVE-2025-24358 fix, a network attacker that places a form at http://example.com can't get it to submit to https://example.com be

  • CVE-2025-55199MedAug 14, 2025
    affected < 2.12.4-r11fixed 2.12.4-r11

    Helm is a package manager for Charts for Kubernetes. Prior to version 3.18.5, it is possible to craft a JSON Schema file in a manner which could cause Helm to use all available memory and have an out of memory (OOM) termination. This issue has been resolved in Helm 3.18.5. A work

  • CVE-2025-55198MedAug 14, 2025
    affected < 2.12.4-r11fixed 2.12.4-r11

    Helm is a package manager for Charts for Kubernetes. Prior to version 3.18.5, when parsing Chart.yaml and index.yaml files, an improper validation of type error can lead to a panic. This issue has been resolved in Helm 3.18.5. A workaround involves ensuring YAML files are formatt

  • CVE-2025-47907HigAug 7, 2025
    affected < 2.12.4-r9fixed 2.12.4-r9

    Cancelling a query (e.g. by cancelling the context passed to one of the query methods) during a call to the Scan method of the returned Rows can result in unexpected results if other queries are being made in parallel. This can result in a race condition that may overwrite the ex

  • CVE-2025-53547HigJul 8, 2025
    affected < 2.12.4-r3fixed 2.12.4-r3

    Helm is a package manager for Charts for Kubernetes. Prior to 3.18.4, a specially crafted Chart.yaml file along with a specially linked Chart.lock file can lead to local code execution when dependencies are updated. Fields in a Chart.yaml file, that are carried over to a Chart.lo

  • CVE-2025-4673MedJun 11, 2025
    affected < 2.12.4-r1fixed 2.12.4-r1

    Proxy-Authorization and Proxy-Authenticate headers persisted on cross-origin redirects potentially leaking sensitive information.

  • CVE-2025-22874HigJun 11, 2025
    affected < 2.12.4-r1fixed 2.12.4-r1

    Calling Verify with a VerifyOptions.KeyUsages that contains ExtKeyUsageAny unintentionally disabledpolicy validation. This only affected certificate chains which contain policy graphs, which are rather uncommon.

  • CVE-2025-24358MedApr 15, 2025
    affected < 2.12.2-r10fixed 2.12.2-r10

    gorilla/csrf provides Cross Site Request Forgery (CSRF) prevention middleware for Go web applications & services. Prior to 1.7.2, gorilla/csrf does not validate the Origin header against an allowlist. Its executes its validation of the Referer header for cross-origin requests onl

  • CVE-2025-32387MedApr 9, 2025
    affected < 2.12.2-r10fixed 2.12.2-r10

    Helm is a package manager for Charts for Kubernetes. A JSON Schema file within a chart can be crafted with a deeply nested chain of references, leading to parser recursion that can exceed the stack size limit and trigger a stack overflow. This issue has been resolved in Helm v3.1

  • CVE-2025-32386MedApr 9, 2025
    affected < 2.12.2-r10fixed 2.12.2-r10

    Helm is a tool for managing Charts. A chart archive file can be crafted in a manner where it expands to be significantly larger uncompressed than compressed (e.g., >800x difference). When Helm loads this specially crafted chart, memory can be exhausted causing the application to

  • CVE-2025-30223CriMar 31, 2025
    affected < 2.12.2-r9fixed 2.12.2-r9

    Beego is an open-source web framework for the Go programming language. Prior to 2.3.6, a Cross-Site Scripting (XSS) vulnerability exists in Beego's RenderForm() function due to improper HTML escaping of user-controlled data. This vulnerability allows attackers to inject malicious

  • CVE-2025-30204HigMar 21, 2025
    affected < 2.12.2-r8fixed 2.12.2-r8

    golang-jwt is a Go implementation of JSON Web Tokens. Starting in version 3.2.0 and prior to versions 5.2.2 and 4.5.2, the function parse.ParseUnverified splits (via a call to strings.Split) its argument (which is untrusted data) on periods. As a result, in the face of a maliciou

  • CVE-2025-22870MedMar 12, 2025
    affected < 2.12.2-r7fixed 2.12.2-r7

    Matching of hosts against proxy patterns can improperly treat an IPv6 zone ID as a hostname component. For example, when the NO_PROXY environment variable is set to "*.example.com", a request to "[::1%25.example.com]:80` will incorrectly match and not be proxied.

  • CVE-2025-22869HigFeb 26, 2025
    affected < 2.12.2-r6fixed 2.12.2-r6

    SSH servers which implement file transfer protocols are vulnerable to a denial of service attack from clients which complete the key exchange slowly, or not at all, causing pending content to be read into memory, but never transmitted.

  • CVE-2025-22868HigFeb 26, 2025
    affected < 2.12.2-r5fixed 2.12.2-r5

    An attacker can pass a malicious malformed token which causes unexpected memory to be consumed during parsing.

  • CVE-2025-27144MedFeb 24, 2025
    affected < 2.12.2-r4fixed 2.12.2-r4

    Go JOSE provides an implementation of the Javascript Object Signing and Encryption set of standards in Go, including support for JSON Web Encryption (JWE), JSON Web Signature (JWS), and JSON Web Token (JWT) standards. In versions on the 4.x branch prior to version 4.0.5, when par

  • CVE-2025-24976MedFeb 11, 2025
    affected < 2.12.4-r43fixed 2.12.4-r43

    Distribution is a toolkit to pack, ship, store, and deliver container content. Systems running registry versions 3.0.0-beta.1 through 3.0.0-rc.2 with token authentication enabled may be vulnerable to an issue in which token authentication allows an attacker to inject an untrusted

Page 4 of 5