apk package

chainguard/kube-apiserver-1.29-default

pkg:apk/chainguard/kube-apiserver-1.29-default

Vulnerabilities (40)

CVE	Sev	CVSS	Affected versions	Fixed in	Published	Description
CVE-2024-24787	Med	6.4	< 1.29.4-r1	1.29.4-r1	May 8, 2024	On Darwin, building a Go module which contains CGO can trigger arbitrary code execution when using the Apple version of ld, due to usage of the -lto_library flag in a "#cgo LDFLAGS" directive.
CVE-2024-3177	Low	2.7	< 1.29.4-r0	1.29.4-r0	Apr 22, 2024	A security issue was discovered in Kubernetes where users may be able to launch containers that bypass the mountable secrets policy enforced by the ServiceAccount admission plugin when using containers, init containers, and ephemeral containers with the envFrom field populated. T
CVE-2023-45288	Hig	7.5	< 1.29.3-r2	1.29.3-r2	Apr 4, 2024	An attacker may cause an HTTP/2 endpoint to read arbitrary amounts of header data by sending an excessive number of CONTINUATION frames. Maintaining HPACK state requires parsing and processing all HEADERS and CONTINUATION frames on a connection. When a request's headers exceed Ma
CVE-2024-28180		—	< 0	0	Mar 9, 2024	Package jose aims to provide an implementation of the Javascript Object Signing and Encryption set of standards. An attacker could send a JWE containing compressed data that used large amounts of memory and CPU when decompressed by Decrypt or DecryptMulti. Those functions now ret
CVE-2024-24786	Hig	7.5	< 1.29.3-r0	1.29.3-r0	Mar 5, 2024	The protojson.Unmarshal function can enter an infinite loop when unmarshaling certain forms of invalid JSON. This condition can occur when unmarshaling into a message which contains a google.protobuf.Any value, or when the UnmarshalOptions.DiscardUnknown option is set.
CVE-2024-24785	Med	5.4	< 1.29.2-r1	1.29.2-r1	Mar 5, 2024	If errors returned from MarshalJSON methods contain user controlled data, they may be used to break the contextual auto-escaping behavior of the html/template package, allowing for subsequent actions to inject unexpected content into templates.
CVE-2024-24784	Hig	7.5	< 1.29.2-r1	1.29.2-r1	Mar 5, 2024	The ParseAddressList function incorrectly handles comments (text within parentheses) within display names. Since this is a misalignment with conforming address parsers, it can result in different trust decisions being made by programs using different parsers.
CVE-2024-24783	Med	5.9	< 1.29.2-r1	1.29.2-r1	Mar 5, 2024	Verifying a certificate chain which contains a certificate with an unknown public key algorithm will cause Certificate.Verify to panic. This affects all crypto/tls clients, and servers that set Config.ClientAuth to VerifyClientCertIfGiven or RequireAndVerifyClientCert. The defaul
CVE-2023-45290	Med	6.5	< 1.29.2-r1	1.29.2-r1	Mar 5, 2024	When parsing a multipart form (either explicitly with Request.ParseMultipartForm or implicitly with Request.FormValue, Request.PostFormValue, or Request.FormFile), limits on the total size of the parsed form were not applied to the memory consumed while reading a single form line
CVE-2023-45289	Med	4.3	< 1.29.2-r1	1.29.2-r1	Mar 5, 2024	When following an HTTP redirect to a domain which is not a subdomain match or exact match of the initial domain, an http.Client does not forward sensitive headers such as "Authorization" or "Cookie". For example, a redirect from foo.com to www.foo.com will forward the Authorizati
CVE-2024-21626		—	< 1.29.3-r1	1.29.3-r1	Jan 31, 2024	runc is a CLI tool for spawning and running containers on Linux according to the OCI specification. In runc 1.1.11 and earlier, due to an internal file descriptor leak, an attacker could cause a newly-spawned container process (from runc exec) to have a working directory in the h
CVE-2023-48795	Med	5.9	< 1.29.3-r1	1.29.3-r1	Dec 18, 2023	The SSH transport protocol with certain OpenSSH extensions, found in OpenSSH before 9.6 and other products, allows remote attackers to bypass integrity checks such that some packets are omitted (from the extension negotiation message), and a client and server may consequently end
CVE-2023-47108		—	< 1.29.3-r1	1.29.3-r1	Nov 10, 2023	OpenTelemetry-Go Contrib is a collection of third-party packages for OpenTelemetry-Go. Starting in version 0.37.0 and prior to version 0.46.0, the grpc Unary Server Interceptor out of the box adds labels `net.peer.sock.addr` and `net.peer.sock.port` that have unbound cardinality.
CVE-2023-45142		—	< 1.29.3-r1	1.29.3-r1	Oct 12, 2023	OpenTelemetry-Go Contrib is a collection of third-party packages for OpenTelemetry-Go. A handler wrapper out of the box adds labels `http.user_agent` and `http.method` that have unbound cardinality. It leads to the server's potential memory exhaustion when many malicious requests
CVE-2021-25740		—	< 0	0	Sep 20, 2021	A security issue was discovered with Kubernetes that could enable users to send network traffic to locations they would otherwise not have access to via a confused deputy attack.
CVE-2020-8554		—	< 0	0	Jan 21, 2021	Kubernetes API server in all versions allow an attacker who is able to create a ClusterIP service and set the spec.externalIPs field, to intercept traffic to that IP address. Additionally, an attacker who is able to patch the status (which is considered a privileged operation and
CVE-2016-7075		—	< 0	0	Sep 10, 2018	It was found that Kubernetes as used by Openshift Enterprise 3 did not correctly validate X.509 client intermediate certificate host name fields. An attacker could use this flaw to bypass authentication requirements by using a specially crafted X.509 certificate.
CVE-2015-7561	Low	3.1	< 0	0	Aug 7, 2017	Kubernetes in OpenShift3 allows remote authenticated users to use the private images of other users should they know the name of said image.
CVE-2016-1906	Cri	9.8	< 0	0	Feb 3, 2016	Openshift allows remote attackers to gain privileges by updating a build configuration that was created with an allowed type to a type that is not allowed.
CVE-2016-1905	Hig	7.7	< 0	0	Feb 3, 2016	The API server in Kubernetes does not properly check admission control, which allows remote authenticated users to access additional resources via a crafted patched object.

CVE-2024-24787MedMay 8, 2024
affected < 1.29.4-r1fixed 1.29.4-r1
On Darwin, building a Go module which contains CGO can trigger arbitrary code execution when using the Apple version of ld, due to usage of the -lto_library flag in a "#cgo LDFLAGS" directive.
CVE-2024-3177LowApr 22, 2024
affected < 1.29.4-r0fixed 1.29.4-r0
A security issue was discovered in Kubernetes where users may be able to launch containers that bypass the mountable secrets policy enforced by the ServiceAccount admission plugin when using containers, init containers, and ephemeral containers with the envFrom field populated. T
CVE-2023-45288HigApr 4, 2024
affected < 1.29.3-r2fixed 1.29.3-r2
An attacker may cause an HTTP/2 endpoint to read arbitrary amounts of header data by sending an excessive number of CONTINUATION frames. Maintaining HPACK state requires parsing and processing all HEADERS and CONTINUATION frames on a connection. When a request's headers exceed Ma
CVE-2024-28180Mar 9, 2024
affected < 0fixed 0
Package jose aims to provide an implementation of the Javascript Object Signing and Encryption set of standards. An attacker could send a JWE containing compressed data that used large amounts of memory and CPU when decompressed by Decrypt or DecryptMulti. Those functions now ret
CVE-2024-24786HigMar 5, 2024
affected < 1.29.3-r0fixed 1.29.3-r0
The protojson.Unmarshal function can enter an infinite loop when unmarshaling certain forms of invalid JSON. This condition can occur when unmarshaling into a message which contains a google.protobuf.Any value, or when the UnmarshalOptions.DiscardUnknown option is set.
CVE-2024-24785MedMar 5, 2024
affected < 1.29.2-r1fixed 1.29.2-r1
If errors returned from MarshalJSON methods contain user controlled data, they may be used to break the contextual auto-escaping behavior of the html/template package, allowing for subsequent actions to inject unexpected content into templates.
CVE-2024-24784HigMar 5, 2024
affected < 1.29.2-r1fixed 1.29.2-r1
The ParseAddressList function incorrectly handles comments (text within parentheses) within display names. Since this is a misalignment with conforming address parsers, it can result in different trust decisions being made by programs using different parsers.
CVE-2024-24783MedMar 5, 2024
affected < 1.29.2-r1fixed 1.29.2-r1
Verifying a certificate chain which contains a certificate with an unknown public key algorithm will cause Certificate.Verify to panic. This affects all crypto/tls clients, and servers that set Config.ClientAuth to VerifyClientCertIfGiven or RequireAndVerifyClientCert. The defaul
CVE-2023-45290MedMar 5, 2024
affected < 1.29.2-r1fixed 1.29.2-r1
When parsing a multipart form (either explicitly with Request.ParseMultipartForm or implicitly with Request.FormValue, Request.PostFormValue, or Request.FormFile), limits on the total size of the parsed form were not applied to the memory consumed while reading a single form line
CVE-2023-45289MedMar 5, 2024
affected < 1.29.2-r1fixed 1.29.2-r1
When following an HTTP redirect to a domain which is not a subdomain match or exact match of the initial domain, an http.Client does not forward sensitive headers such as "Authorization" or "Cookie". For example, a redirect from foo.com to www.foo.com will forward the Authorizati
CVE-2024-21626Jan 31, 2024
affected < 1.29.3-r1fixed 1.29.3-r1
runc is a CLI tool for spawning and running containers on Linux according to the OCI specification. In runc 1.1.11 and earlier, due to an internal file descriptor leak, an attacker could cause a newly-spawned container process (from runc exec) to have a working directory in the h
CVE-2023-48795MedDec 18, 2023
affected < 1.29.3-r1fixed 1.29.3-r1
The SSH transport protocol with certain OpenSSH extensions, found in OpenSSH before 9.6 and other products, allows remote attackers to bypass integrity checks such that some packets are omitted (from the extension negotiation message), and a client and server may consequently end
CVE-2023-47108Nov 10, 2023
affected < 1.29.3-r1fixed 1.29.3-r1
OpenTelemetry-Go Contrib is a collection of third-party packages for OpenTelemetry-Go. Starting in version 0.37.0 and prior to version 0.46.0, the grpc Unary Server Interceptor out of the box adds labels `net.peer.sock.addr` and `net.peer.sock.port` that have unbound cardinality.
CVE-2023-45142Oct 12, 2023
affected < 1.29.3-r1fixed 1.29.3-r1
OpenTelemetry-Go Contrib is a collection of third-party packages for OpenTelemetry-Go. A handler wrapper out of the box adds labels `http.user_agent` and `http.method` that have unbound cardinality. It leads to the server's potential memory exhaustion when many malicious requests
CVE-2021-25740Sep 20, 2021
affected < 0fixed 0
A security issue was discovered with Kubernetes that could enable users to send network traffic to locations they would otherwise not have access to via a confused deputy attack.
CVE-2020-8554Jan 21, 2021
affected < 0fixed 0
Kubernetes API server in all versions allow an attacker who is able to create a ClusterIP service and set the spec.externalIPs field, to intercept traffic to that IP address. Additionally, an attacker who is able to patch the status (which is considered a privileged operation and
CVE-2016-7075Sep 10, 2018
affected < 0fixed 0
It was found that Kubernetes as used by Openshift Enterprise 3 did not correctly validate X.509 client intermediate certificate host name fields. An attacker could use this flaw to bypass authentication requirements by using a specially crafted X.509 certificate.
CVE-2015-7561LowAug 7, 2017
affected < 0fixed 0
Kubernetes in OpenShift3 allows remote authenticated users to use the private images of other users should they know the name of said image.
CVE-2016-1906CriFeb 3, 2016
affected < 0fixed 0
Openshift allows remote attackers to gain privileges by updating a build configuration that was created with an allowed type to a type that is not allowed.
CVE-2016-1905HigFeb 3, 2016
affected < 0fixed 0
The API server in Kubernetes does not properly check admission control, which allows remote authenticated users to access additional resources via a crafted patched object.

Page 2 of 2