VYPR

apk package

chainguard/k3d

pkg:apk/chainguard/k3d

Vulnerabilities (134)

  • CVE-2022-32149HigOct 14, 2022
    affected < 5.6.0-r11fixed 5.6.0-r11

    An attacker may cause a denial of service by crafting an Accept-Language header which ParseAcceptLanguage will take significant time to parse.

  • CVE-2022-41316MedOct 12, 2022
    affected < 5.6.0-r11fixed 5.6.0-r11

    HashiCorp Vault and Vault Enterprise’s TLS certificate auth method did not initially load the optionally configured CRL issued by the role's CA into memory on startup, resulting in the revocation list not being checked if the CRL has not yet been retrieved. Fixed in 1.12.0, 1.11.

  • CVE-2022-40716MedSep 23, 2022
    affected < 5.6.0-r11fixed 5.6.0-r11

    HashiCorp Consul and Consul Enterprise up to 1.11.8, 1.12.4, and 1.13.1 do not check for multiple SAN URI values in a CSR on the internal RPC endpoint, enabling leverage of privileged access to bypass service mesh intentions. Fixed in 1.11.9, 1.12.5, and 1.13.2."

  • CVE-2022-27664HigSep 6, 2022
    affected < 5.6.0-r11fixed 5.6.0-r11

    In net/http in Go before 1.18.6 and 1.19.x before 1.19.1, attackers can cause a denial of service because an HTTP/2 connection can hang during closing if shutdown were preempted by a fatal error.

  • CVE-2021-43565HigSep 6, 2022
    affected < 5.6.0-r11fixed 5.6.0-r11

    The x/crypto/ssh package before 0.0.0-20211202192323-5770296d904e of golang.org/x/crypto allows an attacker to panic an SSH server.

  • CVE-2022-29526MedJun 23, 2022
    affected < 5.6.0-r11fixed 5.6.0-r11

    Go before 1.17.10 and 1.18.x before 1.18.2 has Incorrect Privilege Assignment. When called with a non-zero flags parameter, the Faccessat function could incorrectly report that a file is accessible.

  • CVE-2022-29153HigApr 19, 2022
    affected < 5.6.0-r11fixed 5.6.0-r11

    HashiCorp Consul and Consul Enterprise up to 1.9.16, 1.10.9, and 1.11.4 may allow server side request forgery when the Consul client agent follows redirects returned by HTTP health check endpoints. Fixed in 1.9.17, 1.10.10, and 1.11.5.

  • CVE-2022-27191HigMar 18, 2022
    affected < 5.6.0-r11fixed 5.6.0-r11

    The golang.org/x/crypto/ssh package before 0.0.0-20220314234659-1baeb1ce4c0b for Go allows an attacker to crash a server in certain circumstances involving AddHostKey.

  • CVE-2021-41802LowOct 8, 2021
    affected < 5.6.0-r11fixed 5.6.0-r11

    HashiCorp Vault and Vault Enterprise through 1.7.4 and 1.8.3 allowed a user with write permission to an entity alias ID sharing a mount accessor with another user to acquire this other user’s policies by merging their identities. Fixed in Vault and Vault Enterprise 1.7.5 and 1.8.

  • CVE-2021-38698MedSep 7, 2021
    affected < 5.6.0-r11fixed 5.6.0-r11

    HashiCorp Consul and Consul Enterprise 1.10.1 Txn.Apply endpoint allowed services to register proxies for other services, enabling access to service traffic. Fixed in 1.8.15, 1.9.9 and 1.10.2.

  • CVE-2021-37219HigSep 7, 2021
    affected < 5.6.0-r11fixed 5.6.0-r11

    HashiCorp Consul and Consul Enterprise 1.10.1 Raft RPC layer allows non-server agents with a valid certificate signed by the same CA to access server-only functionality, enabling privilege escalation. Fixed in 1.8.15, 1.9.9 and 1.10.2.

  • CVE-2021-38554MedAug 13, 2021
    affected < 5.6.0-r11fixed 5.6.0-r11

    HashiCorp Vault and Vault Enterprise’s UI erroneously cached and exposed user-viewed secrets between sessions in a single shared browser. Fixed in 1.8.0 and pending 1.7.4 / 1.6.6 releases.

  • CVE-2021-36213HigJul 17, 2021
    affected < 5.6.0-r11fixed 5.6.0-r11

    HashiCorp Consul and Consul Enterprise 1.9.0 through 1.10.0 default deny policy with a single L7 application-aware intention deny action cancels out, causing the intention to incorrectly fail open, allowing L4 traffic. Fixed in 1.9.8 and 1.10.1.

  • CVE-2021-32574HigJul 17, 2021
    affected < 5.6.0-r11fixed 5.6.0-r11

    HashiCorp Consul and Consul Enterprise 1.3.0 through 1.10.0 Envoy proxy TLS configuration does not validate destination service identity in the encoded subject alternative name. Fixed in 1.8.14, 1.9.8, and 1.10.1.

  • CVE-2021-32923HigJun 3, 2021
    affected < 5.6.0-r11fixed 5.6.0-r11

    HashiCorp Vault and Vault Enterprise allowed the renewal of nearly-expired token leases and dynamic secret leases (specifically, those within 1 second of their maximum TTL), which caused them to be incorrectly treated as non-expiring during subsequent use. Fixed in 1.5.9, 1.6.5,

  • CVE-2021-31525MedMay 27, 2021
    affected < 5.6.0-r11fixed 5.6.0-r11

    net/http in Go before 1.15.12 and 1.16.x before 1.16.4 allows remote attackers to cause a denial of service (panic) via a large header to ReadRequest or ReadResponse. Server, Transport, and Client can each be affected in some configurations.

  • CVE-2021-33194HigMay 26, 2021
    affected < 5.6.0-r11fixed 5.6.0-r11

    golang.org/x/net before v0.0.0-20210520170846-37e1c6afe023 allows attackers to cause a denial of service (infinite loop) via crafted ParseFragment input.

  • CVE-2020-25864MedApr 20, 2021
    affected < 5.6.0-r11fixed 5.6.0-r11

    HashiCorp Consul and Consul Enterprise up to version 1.9.4 key-value (KV) raw mode was vulnerable to cross-site scripting. Fixed in 1.9.5, 1.8.10 and 1.7.14.

  • CVE-2021-3121HigJan 11, 2021
    affected < 5.6.0-r11fixed 5.6.0-r11

    An issue was discovered in GoGo Protobuf before 1.3.2. plugin/unmarshal/unmarshal.go lacks certain index validation, aka the "skippy peanut butter" issue.

  • CVE-2020-29652HigDec 17, 2020
    affected < 5.6.0-r11fixed 5.6.0-r11

    A nil pointer dereference in the golang.org/x/crypto/ssh component through v0.0.0-20201203163018-be400aefbc4c for Go allows remote attackers to cause a denial of service against SSH servers.

Page 6 of 7