apk package
chainguard/k3d-tools
pkg:apk/chainguard/k3d-tools
Vulnerabilities (132)
| CVE | Severity | CVSS | CISA KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2020-8911 | — | — | — | < 5.6.0-r11 | 5.6.0-r11 | Aug 11, 2020 | A padding oracle vulnerability exists in the AWS S3 Crypto SDK for GoLang versions prior to V2. The SDK allows users to encrypt files with AES-CBC without computing a Message Authentication Code (MAC), which then allows an attacker who has write access to the target's S3 bucket a … |
| CVE-2020-14040 | — | — | — | < 5.6.0-r11 | 5.6.0-r11 | Jun 17, 2020 | The x/text package before 0.3.3 for Go has a vulnerability in encoding/unicode that could lead to the UTF-16 decoder entering an infinite loop, causing the program to crash or run out of memory. An attacker could provide a single byte to a UTF16 decoder instantiated with UseBOM o … |
| CVE-2019-11254 | — | — | — | < 5.6.0-r11 | 5.6.0-r11 | Apr 1, 2020 | The Kubernetes API Server component in versions 1.1-1.14, and versions prior to 1.15.10, 1.16.7 and 1.17.3 allows an authorized user who sends malicious YAML payloads to cause the kube-apiserver to consume excessive CPU cycles while parsing YAML. |
| CVE-2020-7919 | — | — | — | < 5.6.0-r11 | 5.6.0-r11 | Mar 16, 2020 | Go before 1.12.16 and 1.13.x before 1.13.7 (and the crypto/cryptobyte package before 0.0.0-20200124225646-8b5121be2f68 for Go) allows attacks on clients (resulting in a panic) via a malformed X.509 certificate. |
| CVE-2020-9283 | — | — | — | < 5.6.0-r11 | 5.6.0-r11 | Feb 20, 2020 | golang.org/x/crypto before v0.0.0-20200220183623-bac4c82f6975 for Go allows a panic during signature verification in the golang.org/x/crypto/ssh package. A client can attack an SSH server that accepts public keys. Also, a server can attack any SSH client. |
| CVE-2020-7219 | — | — | — | < 5.6.0-r11 | 5.6.0-r11 | Jan 31, 2020 | HashiCorp Consul and Consul Enterprise up to 1.6.2 HTTP/RPC services allowed unbounded resource usage, and were susceptible to unauthenticated denial of service. Fixed in 1.6.3. |
| CVE-2019-9512 | — | — | — | < 5.6.0-r11 | 5.6.0-r11 | Aug 13, 2019 | Some HTTP/2 implementations are vulnerable to ping floods, potentially leading to a denial of service. The attacker sends continual pings to an HTTP/2 peer, causing the peer to build an internal queue of responses. Depending on how efficiently this data is queued, this can consum … |
| CVE-2019-9514 | — | — | — | < 5.6.0-r11 | 5.6.0-r11 | Aug 13, 2019 | Some HTTP/2 implementations are vulnerable to a reset flood, potentially leading to a denial of service. The attacker opens a number of streams and sends an invalid request over each stream that should solicit a stream of RST_STREAM frames from the peer. Depending on how the peer … |
| CVE-2019-11841 | — | — | — | < 5.6.0-r11 | 5.6.0-r11 | May 22, 2019 | A message-forgery issue was discovered in crypto/openpgp/clearsign/clearsign.go in supplementary Go cryptography libraries 2019-03-25. According to the OpenPGP Message Format specification in RFC 4880 chapter 7, a cleartext signed message can contain one or more optional "Hash" A … |
| CVE-2019-11840 | Med | 5.9 | — | < 5.6.0-r11 | 5.6.0-r11 | May 9, 2019 | An issue was discovered in the supplementary Go cryptography library, golang.org/x/crypto, before v0.0.0-20190320223903-b7391e95e576. A flaw was found in the amd64 implementation of the golang.org/x/crypto/salsa20 and golang.org/x/crypto/salsa20/salsa packages. If more than 256 G … |
| CVE-2019-9764 | — | — | — | < 5.6.0-r11 | 5.6.0-r11 | Mar 26, 2019 | HashiCorp Consul 1.4.3 lacks server hostname verification for agent-to-agent TLS communication. In other words, the product behaves as if verify_server_hostname were set to false, even when it is actually set to true. This is fixed in 1.4.4. |
| CVE-2018-19653 | — | — | — | < 5.6.0-r11 | 5.6.0-r11 | Dec 9, 2018 | HashiCorp Consul 0.5.1 through 1.4.0 can use cleartext agent-to-agent RPC communication because the verify_outgoing setting is improperly documented. NOTE: the vendor has provided reconfiguration steps that do not require a software upgrade. |
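The check a practitioner wants from this table is whether an installed k3d-tools package is still inside the "Affected versions" range, and the trap is that apk versions must not be compared as strings: `5.6.0-r9` sorts after `5.6.0-r11` lexically but is older. The Go program below is an added example, not code from this page or from the chainguard/k3d-tools project. It embeds the twelve rows above as constructed data, assumes the plain `X.Y.Z-rN` version form the table uses (pre-release suffixes such as `_alpha` are rejected rather than guessed at), and takes the installed version as a string you would read from `apk list --installed` or from the image's SBOM.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// advisory is one row of the table above: the CVE id and the first package
// version in which it is fixed.
type advisory struct {
	ID      string
	FixedIn string
}

// advisories holds the twelve rows shown on this page (constructed from the
// table); every one is fixed in 5.6.0-r11.
var advisories = []advisory{
	{"CVE-2020-8911", "5.6.0-r11"},
	{"CVE-2020-14040", "5.6.0-r11"},
	{"CVE-2019-11254", "5.6.0-r11"},
	{"CVE-2020-7919", "5.6.0-r11"},
	{"CVE-2020-9283", "5.6.0-r11"},
	{"CVE-2020-7219", "5.6.0-r11"},
	{"CVE-2019-9512", "5.6.0-r11"},
	{"CVE-2019-9514", "5.6.0-r11"},
	{"CVE-2019-11841", "5.6.0-r11"},
	{"CVE-2019-11840", "5.6.0-r11"},
	{"CVE-2019-9764", "5.6.0-r11"},
	{"CVE-2018-19653", "5.6.0-r11"},
}

// apkVersion is the parsed form of a version such as "5.6.0-r11": dotted
// numeric components plus the package revision after "-r".
type apkVersion struct {
	parts []int
	rev   int
}

// parseAPKVersion accepts the plain "X.Y.Z[-rN]" form used in the table
// (an assumption of this example). A missing "-rN" counts as revision 0;
// anything non-numeric, such as "5.6.0_alpha", is an error.
func parseAPKVersion(s string) (apkVersion, error) {
	var v apkVersion
	base, revStr, hasRev := strings.Cut(s, "-r")
	if hasRev {
		n, err := strconv.Atoi(revStr)
		if err != nil || n < 0 {
			return v, fmt.Errorf("bad revision in %q", s)
		}
		v.rev = n
	}
	if base == "" {
		return v, fmt.Errorf("empty version in %q", s)
	}
	for _, p := range strings.Split(base, ".") {
		n, err := strconv.Atoi(p)
		if err != nil || n < 0 {
			return v, fmt.Errorf("non-numeric component %q in %q", p, s)
		}
		v.parts = append(v.parts, n)
	}
	return v, nil
}

// compare orders two parsed versions: -1 if a < b, 0 if equal, 1 if a > b.
// Components are compared as integers, so r11 sorts after r9; missing
// trailing components count as 0, so "5.6-r11" equals "5.6.0-r11".
func compare(a, b apkVersion) int {
	n := len(a.parts)
	if len(b.parts) > n {
		n = len(b.parts)
	}
	for i := 0; i < n; i++ {
		x, y := 0, 0
		if i < len(a.parts) {
			x = a.parts[i]
		}
		if i < len(b.parts) {
			y = b.parts[i]
		}
		if x != y {
			if x < y {
				return -1
			}
			return 1
		}
	}
	switch {
	case a.rev < b.rev:
		return -1
	case a.rev > b.rev:
		return 1
	}
	return 0
}

// affectedCVEs returns the ids from the table whose fix is newer than the
// installed version, i.e. the advisories that still apply to it.
func affectedCVEs(installed string) ([]string, error) {
	have, err := parseAPKVersion(installed)
	if err != nil {
		return nil, err
	}
	var hits []string
	for _, adv := range advisories {
		fixed, err := parseAPKVersion(adv.FixedIn)
		if err != nil {
			return nil, err
		}
		if compare(have, fixed) < 0 {
			hits = append(hits, adv.ID)
		}
	}
	return hits, nil
}

func main() {
	// Constructed sample inputs; "5.6.0-r9" is the case a string compare gets wrong.
	for _, v := range []string{"5.6.0-r9", "5.6.0-r11", "5.6.1-r0"} {
		hits, err := affectedCVEs(v)
		if err != nil {
			fmt.Println("error:", err)
			continue
		}
		fmt.Printf("%s: %d open CVE(s) %v\n", v, len(hits), hits)
	}
}
```

Because every row on this page is fixed in the same revision, the whole page collapses to one comparison; the parser is still worth having because the same function serves earlier pages of this listing, where the "Fixed in" column varies per row.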
Page 7 of 7