apk package
chainguard/ingress-nginx-controller-fips-1.9
pkg:apk/chainguard/ingress-nginx-controller-fips-1.9
Vulnerabilities (17)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2024-24791 | Hig | 7.5 | < 1.9.6-r6 | 1.9.6-r6 | Jul 2, 2024 | The net/http HTTP/1.1 client mishandled the case where a server responds to a request with an "Expect: 100-continue" header with a non-informational (200 or higher) status. This mishandling could leave a client connection in an invalid state, where the next request sent on the co | |
| CVE-2024-24789 | — | < 1.9.6-r5 | 1.9.6-r5 | Jun 5, 2024 | The archive/zip package's handling of certain types of invalid zip files differs from the behavior of most zip implementations. This misalignment could be exploited to create an zip file with contents that vary depending on the implementation reading the file. The archive/zip pac | ||
| CVE-2024-24790 | — | < 1.9.6-r5 | 1.9.6-r5 | Jun 5, 2024 | The various Is methods (IsPrivate, IsLoopback, etc) did not work as expected for IPv4-mapped IPv6 addresses, returning false for addresses which would return true in their traditional IPv4 forms. | ||
| CVE-2024-34161 | — | < 1.9.6-r6 | 1.9.6-r6 | May 29, 2024 | When NGINX Plus or NGINX OSS are configured to use the HTTP/3 QUIC module and the network infrastructure supports a Maximum Transmission Unit (MTU) of 4096 or greater without fragmentation, undisclosed QUIC packets can cause NGINX worker processes to leak previously freed memory. | ||
| CVE-2024-35200 | — | < 1.9.6-r6 | 1.9.6-r6 | May 29, 2024 | When NGINX Plus or NGINX OSS are configured to use the HTTP/3 QUIC module, undisclosed HTTP/3 requests can cause NGINX worker processes to terminate. | ||
| CVE-2024-32760 | — | < 1.9.6-r6 | 1.9.6-r6 | May 29, 2024 | When NGINX Plus or NGINX OSS are configured to use the HTTP/3 QUIC module, undisclosed HTTP/3 encoder instructions can cause NGINX worker processes to terminate or cause or other potential impact. | ||
| CVE-2024-31079 | — | < 1.9.6-r6 | 1.9.6-r6 | May 29, 2024 | When NGINX Plus or NGINX OSS are configured to use the HTTP/3 QUIC module, undisclosed HTTP/3 requests can cause NGINX worker processes to terminate or cause other potential impact. This attack requires that a request be specifically timed during the connection draining process, | ||
| CVE-2024-3154 | Hig | 7.2 | < 1.9.6-r1 | 1.9.6-r1 | Apr 26, 2024 | A flaw was found in cri-o, where an arbitrary systemd property can be injected via a Pod annotation. Any user who can create a pod with an arbitrary annotation may perform an arbitrary action on the host system. | |
| CVE-2024-24990 | — | < 1.9.6-r6 | 1.9.6-r6 | Feb 14, 2024 | When NGINX Plus or NGINX OSS are configured to use the HTTP/3 QUIC module, undisclosed requests can cause NGINX worker processes to terminate. Note: The HTTP/3 QUIC module is not enabled by default and is considered experimental. For more information, refer to Support for QUIC | ||
| CVE-2024-24989 | — | < 1.9.6-r6 | 1.9.6-r6 | Feb 14, 2024 | When NGINX Plus or NGINX OSS are configured to use the HTTP/3 QUIC module, undisclosed requests can cause NGINX worker processes to terminate. Note: The HTTP/3 QUIC module is not enabled by default and is considered experimental. For more information, refer to Support for QUIC | ||
| CVE-2023-5044 | — | < 0 | 0 | Oct 25, 2023 | Code injection via nginx.ingress.kubernetes.io/permanent-redirect annotation. | ||
| CVE-2023-5043 | — | < 0 | 0 | Oct 25, 2023 | Ingress nginx annotation injection causes arbitrary command execution. | ||
| CVE-2022-4886 | — | < 0 | 0 | Oct 25, 2023 | Ingress-nginx `path` sanitization can be bypassed with `log_format` directive. | ||
| CVE-2021-25748 | — | < 0 | 0 | May 24, 2023 | A security issue was discovered in ingress-nginx where a user that can create or update ingress objects can use a newline character to bypass the sanitization of the `spec.rules[].http.paths[].path` field of an Ingress object (in the `networking.k8s.io` or `extensions` API group) | ||
| CVE-2021-25745 | — | < 0 | 0 | May 6, 2022 | A security issue was discovered in ingress-nginx where a user that can create or update ingress objects can use the spec.rules[].http.paths[].path field of an Ingress object (in the networking.k8s.io or extensions API group) to obtain the credentials of the ingress-nginx controll | ||
| CVE-2020-8553 | — | < 0 | 0 | Jul 29, 2020 | The Kubernetes ingress-nginx component prior to version 0.28.0 allows a user with the ability to create namespaces and to read and create ingress objects to overwrite the password file of another ingress which uses nginx.ingress.kubernetes.io/auth-type: basic and which has a hyph | ||
| CVE-2018-1002104 | — | < 0 | 0 | Jan 14, 2020 | Versions < 1.5 of the Kubernetes ingress default backend, which handles invalid ingress traffic, exposed prometheus metrics publicly. |
- affected < 1.9.6-r6fixed 1.9.6-r6
The net/http HTTP/1.1 client mishandled the case where a server responds to a request with an "Expect: 100-continue" header with a non-informational (200 or higher) status. This mishandling could leave a client connection in an invalid state, where the next request sent on the co
- CVE-2024-24789Jun 5, 2024affected < 1.9.6-r5fixed 1.9.6-r5
The archive/zip package's handling of certain types of invalid zip files differs from the behavior of most zip implementations. This misalignment could be exploited to create an zip file with contents that vary depending on the implementation reading the file. The archive/zip pac
- CVE-2024-24790Jun 5, 2024affected < 1.9.6-r5fixed 1.9.6-r5
The various Is methods (IsPrivate, IsLoopback, etc) did not work as expected for IPv4-mapped IPv6 addresses, returning false for addresses which would return true in their traditional IPv4 forms.
- CVE-2024-34161May 29, 2024affected < 1.9.6-r6fixed 1.9.6-r6
When NGINX Plus or NGINX OSS are configured to use the HTTP/3 QUIC module and the network infrastructure supports a Maximum Transmission Unit (MTU) of 4096 or greater without fragmentation, undisclosed QUIC packets can cause NGINX worker processes to leak previously freed memory.
- CVE-2024-35200May 29, 2024affected < 1.9.6-r6fixed 1.9.6-r6
When NGINX Plus or NGINX OSS are configured to use the HTTP/3 QUIC module, undisclosed HTTP/3 requests can cause NGINX worker processes to terminate.
- CVE-2024-32760May 29, 2024affected < 1.9.6-r6fixed 1.9.6-r6
When NGINX Plus or NGINX OSS are configured to use the HTTP/3 QUIC module, undisclosed HTTP/3 encoder instructions can cause NGINX worker processes to terminate or cause or other potential impact.
- CVE-2024-31079May 29, 2024affected < 1.9.6-r6fixed 1.9.6-r6
When NGINX Plus or NGINX OSS are configured to use the HTTP/3 QUIC module, undisclosed HTTP/3 requests can cause NGINX worker processes to terminate or cause other potential impact. This attack requires that a request be specifically timed during the connection draining process,
- affected < 1.9.6-r1fixed 1.9.6-r1
A flaw was found in cri-o, where an arbitrary systemd property can be injected via a Pod annotation. Any user who can create a pod with an arbitrary annotation may perform an arbitrary action on the host system.
- CVE-2024-24990Feb 14, 2024affected < 1.9.6-r6fixed 1.9.6-r6
When NGINX Plus or NGINX OSS are configured to use the HTTP/3 QUIC module, undisclosed requests can cause NGINX worker processes to terminate. Note: The HTTP/3 QUIC module is not enabled by default and is considered experimental. For more information, refer to Support for QUIC
- CVE-2024-24989Feb 14, 2024affected < 1.9.6-r6fixed 1.9.6-r6
When NGINX Plus or NGINX OSS are configured to use the HTTP/3 QUIC module, undisclosed requests can cause NGINX worker processes to terminate. Note: The HTTP/3 QUIC module is not enabled by default and is considered experimental. For more information, refer to Support for QUIC
- CVE-2023-5044Oct 25, 2023affected < 0fixed 0
Code injection via nginx.ingress.kubernetes.io/permanent-redirect annotation.
- CVE-2023-5043Oct 25, 2023affected < 0fixed 0
Ingress nginx annotation injection causes arbitrary command execution.
- CVE-2022-4886Oct 25, 2023affected < 0fixed 0
Ingress-nginx `path` sanitization can be bypassed with `log_format` directive.
- CVE-2021-25748May 24, 2023affected < 0fixed 0
A security issue was discovered in ingress-nginx where a user that can create or update ingress objects can use a newline character to bypass the sanitization of the `spec.rules[].http.paths[].path` field of an Ingress object (in the `networking.k8s.io` or `extensions` API group)
- CVE-2021-25745May 6, 2022affected < 0fixed 0
A security issue was discovered in ingress-nginx where a user that can create or update ingress objects can use the spec.rules[].http.paths[].path field of an Ingress object (in the networking.k8s.io or extensions API group) to obtain the credentials of the ingress-nginx controll
- CVE-2020-8553Jul 29, 2020affected < 0fixed 0
The Kubernetes ingress-nginx component prior to version 0.28.0 allows a user with the ability to create namespaces and to read and create ingress objects to overwrite the password file of another ingress which uses nginx.ingress.kubernetes.io/auth-type: basic and which has a hyph
- CVE-2018-1002104Jan 14, 2020affected < 0fixed 0
Versions < 1.5 of the Kubernetes ingress default backend, which handles invalid ingress traffic, exposed prometheus metrics publicly.