VYPR

apk package

chainguard/k3s

pkg:apk/chainguard/k3s

Vulnerabilities (120)

  • CVE-2025-46599MedApr 25, 2025
    affected < 1.32.4.1-r0fixed 1.32.4.1-r0

    CNCF K3s 1.32 before 1.32.4-rc1+k3s1 has a Kubernetes kubelet configuration change with the unintended consequence that, in some situations, ReadOnlyPort is set to 10255. For example, the default behavior of a K3s online installation might allow unauthenticated access to this por

  • CVE-2025-22871CriApr 8, 2025
    affected < 1.32.3.1-r1fixed 1.32.3.1-r1

    The net/http package improperly accepts a bare LF as a line terminator in chunked data chunk-size lines. This can permit request smuggling if a net/http server is used in conjunction with a server that incorrectly accepts a bare LF as part of a chunk-ext.

  • CVE-2025-30204HigMar 21, 2025
    affected < 1.32.2.1-r34fixed 1.32.2.1-r34

    golang-jwt is a Go implementation of JSON Web Tokens. Starting in version 3.2.0 and prior to versions 5.2.2 and 4.5.2, the function parse.ParseUnverified splits (via a call to strings.Split) its argument (which is untrusted data) on periods. As a result, in the face of a maliciou

  • CVE-2025-22868Feb 26, 2025
    affected < 1.32.2.1-r31fixed 1.32.2.1-r31

    An attacker can pass a malicious malformed token which causes unexpected memory to be consumed during parsing.

  • CVE-2025-22869Feb 26, 2025
    affected < 1.32.4.1-r1fixed 1.32.4.1-r1

    SSH servers which implement file transfer protocols are vulnerable to a denial of service attack from clients which complete the key exchange slowly, or not at all, causing pending content to be read into memory, but never transmitted.

  • CVE-2025-27144MedFeb 24, 2025
    affected < 1.32.1.1-r2fixed 1.32.1.1-r2

    Go JOSE provides an implementation of the Javascript Object Signing and Encryption set of standards in Go, including support for JSON Web Encryption (JWE), JSON Web Signature (JWS), and JSON Web Token (JWT) standards. In versions on the 4.x branch prior to version 4.0.5, when par

  • CVE-2025-22866MedFeb 6, 2025
    affected < 1.32.1.1-r1fixed 1.32.1.1-r1

    Due to the usage of a variable time instruction in the assembly implementation of an internal function, a small number of bits of secret scalars are leaked on the ppc64le architecture. Due to the way this function is used, we do not believe this leakage is enough to allow recover

  • CVE-2024-45338MedDec 18, 2024
    affected < 1.31.4.1-r2fixed 1.31.4.1-r2

    An attacker can craft an input to the Parse functions that would be processed non-linearly with respect to its length, resulting in extremely slow parsing. This could cause a denial of service.

  • CVE-2024-45337CriDec 12, 2024
    affected < 1.32.4.1-r1fixed 1.32.4.1-r1

    Applications and libraries which misuse connection.serverAuthenticate (via callback field ServerConfig.PublicKeyCallback) may be susceptible to an authorization bypass. The documentation for ServerConfig.PublicKeyCallback says that "A call to this function does not guarantee that

  • CVE-2024-53259MedDec 2, 2024
    affected < 1.31.3.1-r0fixed 1.31.3.1-r0

    quic-go is an implementation of the QUIC protocol in Go. An off-path attacker can inject an ICMP Packet Too Large packet. Since affected quic-go versions used IP_PMTUDISC_DO, the kernel would then return a "message too large" error on sendmsg, i.e. when quic-go attempts to send a

  • CVE-2024-36623Nov 29, 2024
    affected < 0fixed 0

    moby through v25.0.3 has a Race Condition vulnerability in the streamformatter package which can be used to trigger multiple concurrent write operations resulting in data corruption or application crashes.

  • CVE-2024-51744LowNov 4, 2024
    affected < 1.31.2.1-r3fixed 1.31.2.1-r3

    golang-jwt is a Go implementation of JSON Web Tokens. Unclear documentation of the error behavior in `ParseWithClaims` can lead to situation where users are potentially not checking errors in the way they should be. Especially, if a token is both expired and invalid, the errors r

  • CVE-2023-26248MedOct 25, 2024
    affected < 0fixed 0

    The Kademlia DHT (go-libp2p-kad-dht 0.20.0 and earlier) used in IPFS (0.18.1 and earlier) assigns routing information for content (i.e., information about who holds the content) to be stored by peers whose peer IDs have a small DHT distance from the content ID. This allows an att

  • CVE-2024-34158HigSep 6, 2024
    affected < 1.30.4.1-r1fixed 1.30.4.1-r1

    Calling Parse on a "// +build" build tag line with deeply nested expressions can cause a panic due to stack exhaustion.

  • CVE-2024-34156HigSep 6, 2024
    affected < 1.30.4.1-r1fixed 1.30.4.1-r1

    Calling Decoder.Decode on a message which contains deeply nested structures can cause a panic due to stack exhaustion. This is a follow-up to CVE-2022-30635.

  • CVE-2024-34155MedSep 6, 2024
    affected < 1.30.4.1-r1fixed 1.30.4.1-r1

    Calling any of the Parse functions on Go source code which contains deeply nested literals can cause a panic due to stack exhaustion.

  • CVE-2024-45310Sep 3, 2024
    affected < 1.31.0.1-r1fixed 1.31.0.1-r1

    runc is a CLI tool for spawning and running containers according to the OCI specification. runc 1.1.13 and earlier, as well as 1.2.0-rc2 and earlier, can be tricked into creating empty files or directories in arbitrary locations in the host filesystem by sharing a volume between

  • CVE-2024-41110CriJul 24, 2024
    affected < 1.30.3.1-r0fixed 1.30.3.1-r0

    Moby is an open-source project created by Docker for software containerization. A security vulnerability has been detected in certain versions of Docker Engine, which could allow an attacker to bypass authorization plugins (AuthZ) under specific circumstances. The base likelihood

  • CVE-2024-24791HigJul 2, 2024
    affected < 1.30.2-r1fixed 1.30.2-r1

    The net/http HTTP/1.1 client mishandled the case where a server responds to a request with an "Expect: 100-continue" header with a non-informational (200 or higher) status. This mishandling could leave a client connection in an invalid state, where the next request sent on the co

  • CVE-2024-6104Jun 24, 2024
    affected < 1.30.1-r2fixed 1.30.1-r2

    go-retryablehttp prior to 0.7.7 did not sanitize urls when writing them to its log file. This could lead to go-retryablehttp writing sensitive HTTP basic auth credentials to its log file. This vulnerability, CVE-2024-6104, was fixed in go-retryablehttp 0.7.7.

Page 5 of 6