VYPR

apk package

chainguard/ingress-nginx-controller-compat

pkg:apk/chainguard/ingress-nginx-controller-compat

Vulnerabilities (19)

  • CVE-2024-34161May 29, 2024
    affected < 1.9.6-r4fixed 1.9.6-r4

    When NGINX Plus or NGINX OSS are configured to use the HTTP/3 QUIC module and the network infrastructure supports a Maximum Transmission Unit (MTU) of 4096 or greater without fragmentation, undisclosed QUIC packets can cause NGINX worker processes to leak previously freed memory.

  • CVE-2024-35200May 29, 2024
    affected < 1.9.6-r4fixed 1.9.6-r4

    When NGINX Plus or NGINX OSS are configured to use the HTTP/3 QUIC module, undisclosed HTTP/3 requests can cause NGINX worker processes to terminate.

  • CVE-2024-32760May 29, 2024
    affected < 1.9.6-r4fixed 1.9.6-r4

    When NGINX Plus or NGINX OSS are configured to use the HTTP/3 QUIC module, undisclosed HTTP/3 encoder instructions can cause NGINX worker processes to terminate or cause or other potential impact.

  • CVE-2024-31079May 29, 2024
    affected < 1.9.6-r4fixed 1.9.6-r4

    When NGINX Plus or NGINX OSS are configured to use the HTTP/3 QUIC module, undisclosed HTTP/3 requests can cause NGINX worker processes to terminate or cause other potential impact. This attack requires that a request be specifically timed during the connection draining process,

  • CVE-2024-24786HigMar 5, 2024
    affected < 1.10.0-r4fixed 1.10.0-r4

    The protojson.Unmarshal function can enter an infinite loop when unmarshaling certain forms of invalid JSON. This condition can occur when unmarshaling into a message which contains a google.protobuf.Any value, or when the UnmarshalOptions.DiscardUnknown option is set.

  • CVE-2024-24990Feb 14, 2024
    affected < 1.9.6-r4fixed 1.9.6-r4

    When NGINX Plus or NGINX OSS are configured to use the HTTP/3 QUIC module, undisclosed requests can cause NGINX worker processes to terminate. Note: The HTTP/3 QUIC module is not enabled by default and is considered experimental. For more information, refer to Support for QUIC

  • CVE-2024-24989Feb 14, 2024
    affected < 1.9.6-r4fixed 1.9.6-r4

    When NGINX Plus or NGINX OSS are configured to use the HTTP/3 QUIC module, undisclosed requests can cause NGINX worker processes to terminate. Note: The HTTP/3 QUIC module is not enabled by default and is considered experimental. For more information, refer to Support for QUIC

  • CVE-2024-21626Jan 31, 2024
    affected < 1.9.6-r1fixed 1.9.6-r1

    runc is a CLI tool for spawning and running containers on Linux according to the OCI specification. In runc 1.1.11 and earlier, due to an internal file descriptor leak, an attacker could cause a newly-spawned container process (from runc exec) to have a working directory in the h

  • CVE-2023-45284Nov 9, 2023
    affected < 0fixed 0

    On Windows, The IsLocal function does not correctly detect reserved device names in some cases. Reserved names followed by spaces, such as "COM1 ", and reserved names "COM" and "LPT" followed by superscript 1, 2, or 3, are incorrectly reported as local. With fix, IsLocal now corr

  • CVE-2023-45283Nov 9, 2023
    affected < 0fixed 0

    The filepath package does not recognize paths with a \??\ prefix as special. On Windows, a path beginning with \??\ is a Root Local Device path equivalent to a path beginning with \\?\. Paths with a \??\ prefix may be used to access arbitrary locations on the system. For example,

  • CVE-2023-5044Oct 25, 2023
    affected < 0fixed 0

    Code injection via nginx.ingress.kubernetes.io/permanent-redirect annotation.

  • CVE-2023-5043Oct 25, 2023
    affected < 0fixed 0

    Ingress nginx annotation injection causes arbitrary command execution.

  • CVE-2022-4886Oct 25, 2023
    affected < 0fixed 0

    Ingress-nginx `path` sanitization can be bypassed with `log_format` directive.

  • CVE-2021-25748May 24, 2023
    affected < 0fixed 0

    A security issue was discovered in ingress-nginx where a user that can create or update ingress objects can use a newline character to bypass the sanitization of the `spec.rules[].http.paths[].path` field of an Ingress object (in the `networking.k8s.io` or `extensions` API group)

  • CVE-2022-41742Oct 19, 2022
    affected < 0fixed 0

    NGINX Open Source before versions 1.23.2 and 1.22.1, NGINX Open Source Subscription before versions R2 P1 and R1 P1, and NGINX Plus before versions R27 P1 and R26 P1 have a vulnerability in the module ngx_http_mp4_module that might allow a local attacker to cause a worker process

  • CVE-2022-41741Oct 19, 2022
    affected < 0fixed 0

    NGINX Open Source before versions 1.23.2 and 1.22.1, NGINX Open Source Subscription before versions R2 P1 and R1 P1, and NGINX Plus before versions R27 P1 and R26 P1 have a vulnerability in the module ngx_http_mp4_module that might allow a local attacker to corrupt NGINX worker m

  • CVE-2021-25745May 6, 2022
    affected < 0fixed 0

    A security issue was discovered in ingress-nginx where a user that can create or update ingress objects can use the spec.rules[].http.paths[].path field of an Ingress object (in the networking.k8s.io or extensions API group) to obtain the credentials of the ingress-nginx controll

  • CVE-2020-8553Jul 29, 2020
    affected < 0fixed 0

    The Kubernetes ingress-nginx component prior to version 0.28.0 allows a user with the ability to create namespaces and to read and create ingress objects to overwrite the password file of another ingress which uses nginx.ingress.kubernetes.io/auth-type: basic and which has a hyph

  • CVE-2018-1002104Jan 14, 2020
    affected < 0fixed 0

    Versions < 1.5 of the Kubernetes ingress default backend, which handles invalid ingress traffic, exposed prometheus metrics publicly.