apk package

chainguard/ingress-nginx-controller-fips-compat

pkg:apk/chainguard/ingress-nginx-controller-fips-compat

Vulnerabilities (15)

CVE	Sev	CVSS	Affected versions	Fixed in	Published	Description
CVE-2024-34161		—	< 1.10.1-r5	1.10.1-r5	May 29, 2024	When NGINX Plus or NGINX OSS are configured to use the HTTP/3 QUIC module and the network infrastructure supports a Maximum Transmission Unit (MTU) of 4096 or greater without fragmentation, undisclosed QUIC packets can cause NGINX worker processes to leak previously freed memory.
CVE-2024-35200		—	< 1.10.1-r5	1.10.1-r5	May 29, 2024	When NGINX Plus or NGINX OSS are configured to use the HTTP/3 QUIC module, undisclosed HTTP/3 requests can cause NGINX worker processes to terminate.
CVE-2024-32760		—	< 1.10.1-r5	1.10.1-r5	May 29, 2024	When NGINX Plus or NGINX OSS are configured to use the HTTP/3 QUIC module, undisclosed HTTP/3 encoder instructions can cause NGINX worker processes to terminate or cause or other potential impact.
CVE-2024-31079		—	< 1.10.1-r5	1.10.1-r5	May 29, 2024	When NGINX Plus or NGINX OSS are configured to use the HTTP/3 QUIC module, undisclosed HTTP/3 requests can cause NGINX worker processes to terminate or cause other potential impact. This attack requires that a request be specifically timed during the connection draining process,
CVE-2024-24786	Hig	7.5	< 1.10.0-r2	1.10.0-r2	Mar 5, 2024	The protojson.Unmarshal function can enter an infinite loop when unmarshaling certain forms of invalid JSON. This condition can occur when unmarshaling into a message which contains a google.protobuf.Any value, or when the UnmarshalOptions.DiscardUnknown option is set.
CVE-2024-24990		—	< 1.10.1-r5	1.10.1-r5	Feb 14, 2024	When NGINX Plus or NGINX OSS are configured to use the HTTP/3 QUIC module, undisclosed requests can cause NGINX worker processes to terminate. Note: The HTTP/3 QUIC module is not enabled by default and is considered experimental. For more information, refer to Support for QUIC
CVE-2024-24989		—	< 1.10.1-r5	1.10.1-r5	Feb 14, 2024	When NGINX Plus or NGINX OSS are configured to use the HTTP/3 QUIC module, undisclosed requests can cause NGINX worker processes to terminate. Note: The HTTP/3 QUIC module is not enabled by default and is considered experimental. For more information, refer to Support for QUIC
CVE-2024-21626		—	< 1.9.5-r1	1.9.5-r1	Jan 31, 2024	runc is a CLI tool for spawning and running containers on Linux according to the OCI specification. In runc 1.1.11 and earlier, due to an internal file descriptor leak, an attacker could cause a newly-spawned container process (from runc exec) to have a working directory in the h
CVE-2023-5044		—	< 0	0	Oct 25, 2023	Code injection via nginx.ingress.kubernetes.io/permanent-redirect annotation.
CVE-2023-5043		—	< 0	0	Oct 25, 2023	Ingress nginx annotation injection causes arbitrary command execution.
CVE-2022-4886		—	< 0	0	Oct 25, 2023	Ingress-nginx `path` sanitization can be bypassed with `log_format` directive.
CVE-2021-25748		—	< 0	0	May 24, 2023	A security issue was discovered in ingress-nginx where a user that can create or update ingress objects can use a newline character to bypass the sanitization of the `spec.rules[].http.paths[].path` field of an Ingress object (in the `networking.k8s.io` or `extensions` API group)
CVE-2021-25745		—	< 0	0	May 6, 2022	A security issue was discovered in ingress-nginx where a user that can create or update ingress objects can use the spec.rules[].http.paths[].path field of an Ingress object (in the networking.k8s.io or extensions API group) to obtain the credentials of the ingress-nginx controll
CVE-2020-8553		—	< 0	0	Jul 29, 2020	The Kubernetes ingress-nginx component prior to version 0.28.0 allows a user with the ability to create namespaces and to read and create ingress objects to overwrite the password file of another ingress which uses nginx.ingress.kubernetes.io/auth-type: basic and which has a hyph
CVE-2018-1002104		—	< 0	0	Jan 14, 2020	Versions < 1.5 of the Kubernetes ingress default backend, which handles invalid ingress traffic, exposed prometheus metrics publicly.

CVE-2024-34161May 29, 2024
affected < 1.10.1-r5fixed 1.10.1-r5
When NGINX Plus or NGINX OSS are configured to use the HTTP/3 QUIC module and the network infrastructure supports a Maximum Transmission Unit (MTU) of 4096 or greater without fragmentation, undisclosed QUIC packets can cause NGINX worker processes to leak previously freed memory.
CVE-2024-35200May 29, 2024
affected < 1.10.1-r5fixed 1.10.1-r5
When NGINX Plus or NGINX OSS are configured to use the HTTP/3 QUIC module, undisclosed HTTP/3 requests can cause NGINX worker processes to terminate.
CVE-2024-32760May 29, 2024
affected < 1.10.1-r5fixed 1.10.1-r5
When NGINX Plus or NGINX OSS are configured to use the HTTP/3 QUIC module, undisclosed HTTP/3 encoder instructions can cause NGINX worker processes to terminate or cause or other potential impact.
CVE-2024-31079May 29, 2024
affected < 1.10.1-r5fixed 1.10.1-r5
When NGINX Plus or NGINX OSS are configured to use the HTTP/3 QUIC module, undisclosed HTTP/3 requests can cause NGINX worker processes to terminate or cause other potential impact. This attack requires that a request be specifically timed during the connection draining process,
CVE-2024-24786HigMar 5, 2024
affected < 1.10.0-r2fixed 1.10.0-r2
The protojson.Unmarshal function can enter an infinite loop when unmarshaling certain forms of invalid JSON. This condition can occur when unmarshaling into a message which contains a google.protobuf.Any value, or when the UnmarshalOptions.DiscardUnknown option is set.
CVE-2024-24990Feb 14, 2024
affected < 1.10.1-r5fixed 1.10.1-r5
When NGINX Plus or NGINX OSS are configured to use the HTTP/3 QUIC module, undisclosed requests can cause NGINX worker processes to terminate. Note: The HTTP/3 QUIC module is not enabled by default and is considered experimental. For more information, refer to Support for QUIC
CVE-2024-24989Feb 14, 2024
affected < 1.10.1-r5fixed 1.10.1-r5
When NGINX Plus or NGINX OSS are configured to use the HTTP/3 QUIC module, undisclosed requests can cause NGINX worker processes to terminate. Note: The HTTP/3 QUIC module is not enabled by default and is considered experimental. For more information, refer to Support for QUIC
CVE-2024-21626Jan 31, 2024
affected < 1.9.5-r1fixed 1.9.5-r1
runc is a CLI tool for spawning and running containers on Linux according to the OCI specification. In runc 1.1.11 and earlier, due to an internal file descriptor leak, an attacker could cause a newly-spawned container process (from runc exec) to have a working directory in the h
CVE-2023-5044Oct 25, 2023
affected < 0fixed 0
Code injection via nginx.ingress.kubernetes.io/permanent-redirect annotation.
CVE-2023-5043Oct 25, 2023
affected < 0fixed 0
Ingress nginx annotation injection causes arbitrary command execution.
CVE-2022-4886Oct 25, 2023
affected < 0fixed 0
Ingress-nginx `path` sanitization can be bypassed with `log_format` directive.
CVE-2021-25748May 24, 2023
affected < 0fixed 0
A security issue was discovered in ingress-nginx where a user that can create or update ingress objects can use a newline character to bypass the sanitization of the `spec.rules[].http.paths[].path` field of an Ingress object (in the `networking.k8s.io` or `extensions` API group)
CVE-2021-25745May 6, 2022
affected < 0fixed 0
A security issue was discovered in ingress-nginx where a user that can create or update ingress objects can use the spec.rules[].http.paths[].path field of an Ingress object (in the networking.k8s.io or extensions API group) to obtain the credentials of the ingress-nginx controll
CVE-2020-8553Jul 29, 2020
affected < 0fixed 0
The Kubernetes ingress-nginx component prior to version 0.28.0 allows a user with the ability to create namespaces and to read and create ingress objects to overwrite the password file of another ingress which uses nginx.ingress.kubernetes.io/auth-type: basic and which has a hyph
CVE-2018-1002104Jan 14, 2020
affected < 0fixed 0
Versions < 1.5 of the Kubernetes ingress default backend, which handles invalid ingress traffic, exposed prometheus metrics publicly.