apk package
chainguard/kube-webhook-certgen-1.9
pkg:apk/chainguard/kube-webhook-certgen-1.9
Vulnerabilities (13)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2024-34161 | — | < 1.9.6-r4 | 1.9.6-r4 | May 29, 2024 | When NGINX Plus or NGINX OSS are configured to use the HTTP/3 QUIC module and the network infrastructure supports a Maximum Transmission Unit (MTU) of 4096 or greater without fragmentation, undisclosed QUIC packets can cause NGINX worker processes to leak previously freed memory. | ||
| CVE-2024-35200 | — | < 1.9.6-r4 | 1.9.6-r4 | May 29, 2024 | When NGINX Plus or NGINX OSS are configured to use the HTTP/3 QUIC module, undisclosed HTTP/3 requests can cause NGINX worker processes to terminate. | ||
| CVE-2024-32760 | — | < 1.9.6-r4 | 1.9.6-r4 | May 29, 2024 | When NGINX Plus or NGINX OSS are configured to use the HTTP/3 QUIC module, undisclosed HTTP/3 encoder instructions can cause NGINX worker processes to terminate or cause or other potential impact. | ||
| CVE-2024-31079 | — | < 1.9.6-r4 | 1.9.6-r4 | May 29, 2024 | When NGINX Plus or NGINX OSS are configured to use the HTTP/3 QUIC module, undisclosed HTTP/3 requests can cause NGINX worker processes to terminate or cause other potential impact. This attack requires that a request be specifically timed during the connection draining process, | ||
| CVE-2024-24990 | — | < 1.9.6-r4 | 1.9.6-r4 | Feb 14, 2024 | When NGINX Plus or NGINX OSS are configured to use the HTTP/3 QUIC module, undisclosed requests can cause NGINX worker processes to terminate. Note: The HTTP/3 QUIC module is not enabled by default and is considered experimental. For more information, refer to Support for QUIC | ||
| CVE-2024-24989 | — | < 1.9.6-r4 | 1.9.6-r4 | Feb 14, 2024 | When NGINX Plus or NGINX OSS are configured to use the HTTP/3 QUIC module, undisclosed requests can cause NGINX worker processes to terminate. Note: The HTTP/3 QUIC module is not enabled by default and is considered experimental. For more information, refer to Support for QUIC | ||
| CVE-2023-5044 | — | < 0 | 0 | Oct 25, 2023 | Code injection via nginx.ingress.kubernetes.io/permanent-redirect annotation. | ||
| CVE-2023-5043 | — | < 0 | 0 | Oct 25, 2023 | Ingress nginx annotation injection causes arbitrary command execution. | ||
| CVE-2022-4886 | — | < 0 | 0 | Oct 25, 2023 | Ingress-nginx `path` sanitization can be bypassed with `log_format` directive. | ||
| CVE-2021-25748 | — | < 0 | 0 | May 24, 2023 | A security issue was discovered in ingress-nginx where a user that can create or update ingress objects can use a newline character to bypass the sanitization of the `spec.rules[].http.paths[].path` field of an Ingress object (in the `networking.k8s.io` or `extensions` API group) | ||
| CVE-2021-25745 | — | < 0 | 0 | May 6, 2022 | A security issue was discovered in ingress-nginx where a user that can create or update ingress objects can use the spec.rules[].http.paths[].path field of an Ingress object (in the networking.k8s.io or extensions API group) to obtain the credentials of the ingress-nginx controll | ||
| CVE-2020-8553 | — | < 0 | 0 | Jul 29, 2020 | The Kubernetes ingress-nginx component prior to version 0.28.0 allows a user with the ability to create namespaces and to read and create ingress objects to overwrite the password file of another ingress which uses nginx.ingress.kubernetes.io/auth-type: basic and which has a hyph | ||
| CVE-2018-1002104 | — | < 0 | 0 | Jan 14, 2020 | Versions < 1.5 of the Kubernetes ingress default backend, which handles invalid ingress traffic, exposed prometheus metrics publicly. |
- CVE-2024-34161May 29, 2024affected < 1.9.6-r4fixed 1.9.6-r4
When NGINX Plus or NGINX OSS are configured to use the HTTP/3 QUIC module and the network infrastructure supports a Maximum Transmission Unit (MTU) of 4096 or greater without fragmentation, undisclosed QUIC packets can cause NGINX worker processes to leak previously freed memory.
- CVE-2024-35200May 29, 2024affected < 1.9.6-r4fixed 1.9.6-r4
When NGINX Plus or NGINX OSS are configured to use the HTTP/3 QUIC module, undisclosed HTTP/3 requests can cause NGINX worker processes to terminate.
- CVE-2024-32760May 29, 2024affected < 1.9.6-r4fixed 1.9.6-r4
When NGINX Plus or NGINX OSS are configured to use the HTTP/3 QUIC module, undisclosed HTTP/3 encoder instructions can cause NGINX worker processes to terminate or cause or other potential impact.
- CVE-2024-31079May 29, 2024affected < 1.9.6-r4fixed 1.9.6-r4
When NGINX Plus or NGINX OSS are configured to use the HTTP/3 QUIC module, undisclosed HTTP/3 requests can cause NGINX worker processes to terminate or cause other potential impact. This attack requires that a request be specifically timed during the connection draining process,
- CVE-2024-24990Feb 14, 2024affected < 1.9.6-r4fixed 1.9.6-r4
When NGINX Plus or NGINX OSS are configured to use the HTTP/3 QUIC module, undisclosed requests can cause NGINX worker processes to terminate. Note: The HTTP/3 QUIC module is not enabled by default and is considered experimental. For more information, refer to Support for QUIC
- CVE-2024-24989Feb 14, 2024affected < 1.9.6-r4fixed 1.9.6-r4
When NGINX Plus or NGINX OSS are configured to use the HTTP/3 QUIC module, undisclosed requests can cause NGINX worker processes to terminate. Note: The HTTP/3 QUIC module is not enabled by default and is considered experimental. For more information, refer to Support for QUIC
- CVE-2023-5044Oct 25, 2023affected < 0fixed 0
Code injection via nginx.ingress.kubernetes.io/permanent-redirect annotation.
- CVE-2023-5043Oct 25, 2023affected < 0fixed 0
Ingress nginx annotation injection causes arbitrary command execution.
- CVE-2022-4886Oct 25, 2023affected < 0fixed 0
Ingress-nginx `path` sanitization can be bypassed with `log_format` directive.
- CVE-2021-25748May 24, 2023affected < 0fixed 0
A security issue was discovered in ingress-nginx where a user that can create or update ingress objects can use a newline character to bypass the sanitization of the `spec.rules[].http.paths[].path` field of an Ingress object (in the `networking.k8s.io` or `extensions` API group)
- CVE-2021-25745May 6, 2022affected < 0fixed 0
A security issue was discovered in ingress-nginx where a user that can create or update ingress objects can use the spec.rules[].http.paths[].path field of an Ingress object (in the networking.k8s.io or extensions API group) to obtain the credentials of the ingress-nginx controll
- CVE-2020-8553Jul 29, 2020affected < 0fixed 0
The Kubernetes ingress-nginx component prior to version 0.28.0 allows a user with the ability to create namespaces and to read and create ingress objects to overwrite the password file of another ingress which uses nginx.ingress.kubernetes.io/auth-type: basic and which has a hyph
- CVE-2018-1002104Jan 14, 2020affected < 0fixed 0
Versions < 1.5 of the Kubernetes ingress default backend, which handles invalid ingress traffic, exposed prometheus metrics publicly.