apk package
chainguard/kubeflow-notebook-controller-fips
pkg:apk/chainguard/kubeflow-notebook-controller-fips
Vulnerabilities (53)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2023-39325 | — | < 1.10.0-r2 | 1.10.0-r2 | Oct 11, 2023 | A malicious HTTP/2 client which rapidly creates requests and immediately resets them can cause excessive server resource consumption. While the total number of requests is bounded by the http2.Server.MaxConcurrentStreams setting, resetting an in-progress request allows the attack | ||
| CVE-2023-44487 | Hig | 7.5 | KEV | < 1.10.0-r16 | 1.10.0-r16 | Oct 10, 2023 | The HTTP/2 protocol allows a denial of service (server resource consumption) because request cancellation can reset many streams quickly, as exploited in the wild in August through October 2023. |
| CVE-2023-3978 | — | < 1.10.0-r2 | 1.10.0-r2 | Aug 2, 2023 | Text nodes not in the HTML namespace are incorrectly literally rendered, causing text which should be escaped to not be. This could lead to an XSS attack. | ||
| CVE-2022-41723 | — | < 1.10.0-r2 | 1.10.0-r2 | Feb 28, 2023 | A maliciously crafted HTTP/2 stream could cause excessive CPU consumption in the HPACK decoder, sufficient to cause a denial of service from a small number of small requests. | ||
| CVE-2022-41717 | — | < 1.10.0-r2 | 1.10.0-r2 | Dec 8, 2022 | An attacker can cause excessive memory growth in a Go server accepting HTTP/2 requests. HTTP/2 server connections contain a cache of HTTP header keys sent by the client. While the total number of entries in this cache is capped, an attacker sending very large keys can cause the s | ||
| CVE-2022-32149 | — | < 1.10.0-r2 | 1.10.0-r2 | Oct 14, 2022 | An attacker may cause a denial of service by crafting an Accept-Language header which ParseAcceptLanguage will take significant time to parse. | ||
| CVE-2022-27664 | — | < 1.10.0-r2 | 1.10.0-r2 | Sep 6, 2022 | In net/http in Go before 1.18.6 and 1.19.x before 1.19.1, attackers can cause a denial of service because an HTTP/2 connection can hang during closing if shutdown were preempted by a fatal error. | ||
| CVE-2021-43565 | — | < 1.10.0-r2 | 1.10.0-r2 | Sep 6, 2022 | The x/crypto/ssh package before 0.0.0-20211202192323-5770296d904e of golang.org/x/crypto allows an attacker to panic an SSH server. | ||
| CVE-2022-29526 | — | < 0 | 0 | Jun 22, 2022 | Go before 1.17.10 and 1.18.x before 1.18.2 has Incorrect Privilege Assignment. When called with a non-zero flags parameter, the Faccessat function could incorrectly report that a file is accessible. | ||
| CVE-2022-1996 | — | < 1.10.0-r2 | 1.10.0-r2 | Jun 6, 2022 | Authorization Bypass Through User-Controlled Key in GitHub repository emicklei/go-restful prior to v3.8.0. | ||
| CVE-2022-28948 | — | < 1.10.0-r2 | 1.10.0-r2 | May 19, 2022 | An issue in the Unmarshal function in Go-Yaml v3 causes the program to crash when attempting to deserialize invalid input. | ||
| CVE-2022-27191 | — | < 1.10.0-r2 | 1.10.0-r2 | Mar 18, 2022 | The golang.org/x/crypto/ssh package before 0.0.0-20220314234659-1baeb1ce4c0b for Go allows an attacker to crash a server in certain circumstances involving AddHostKey. | ||
| CVE-2021-3121 | — | < 1.10.0-r2 | 1.10.0-r2 | Jan 11, 2021 | An issue was discovered in GoGo Protobuf before 1.3.2. plugin/unmarshal/unmarshal.go lacks certain index validation, aka the "skippy peanut butter" issue. |
- CVE-2023-39325Oct 11, 2023affected < 1.10.0-r2fixed 1.10.0-r2
A malicious HTTP/2 client which rapidly creates requests and immediately resets them can cause excessive server resource consumption. While the total number of requests is bounded by the http2.Server.MaxConcurrentStreams setting, resetting an in-progress request allows the attack
- affected < 1.10.0-r16fixed 1.10.0-r16
The HTTP/2 protocol allows a denial of service (server resource consumption) because request cancellation can reset many streams quickly, as exploited in the wild in August through October 2023.
- CVE-2023-3978Aug 2, 2023affected < 1.10.0-r2fixed 1.10.0-r2
Text nodes not in the HTML namespace are incorrectly literally rendered, causing text which should be escaped to not be. This could lead to an XSS attack.
- CVE-2022-41723Feb 28, 2023affected < 1.10.0-r2fixed 1.10.0-r2
A maliciously crafted HTTP/2 stream could cause excessive CPU consumption in the HPACK decoder, sufficient to cause a denial of service from a small number of small requests.
- CVE-2022-41717Dec 8, 2022affected < 1.10.0-r2fixed 1.10.0-r2
An attacker can cause excessive memory growth in a Go server accepting HTTP/2 requests. HTTP/2 server connections contain a cache of HTTP header keys sent by the client. While the total number of entries in this cache is capped, an attacker sending very large keys can cause the s
- CVE-2022-32149Oct 14, 2022affected < 1.10.0-r2fixed 1.10.0-r2
An attacker may cause a denial of service by crafting an Accept-Language header which ParseAcceptLanguage will take significant time to parse.
- CVE-2022-27664Sep 6, 2022affected < 1.10.0-r2fixed 1.10.0-r2
In net/http in Go before 1.18.6 and 1.19.x before 1.19.1, attackers can cause a denial of service because an HTTP/2 connection can hang during closing if shutdown were preempted by a fatal error.
- CVE-2021-43565Sep 6, 2022affected < 1.10.0-r2fixed 1.10.0-r2
The x/crypto/ssh package before 0.0.0-20211202192323-5770296d904e of golang.org/x/crypto allows an attacker to panic an SSH server.
- CVE-2022-29526Jun 22, 2022affected < 0fixed 0
Go before 1.17.10 and 1.18.x before 1.18.2 has Incorrect Privilege Assignment. When called with a non-zero flags parameter, the Faccessat function could incorrectly report that a file is accessible.
- CVE-2022-1996Jun 6, 2022affected < 1.10.0-r2fixed 1.10.0-r2
Authorization Bypass Through User-Controlled Key in GitHub repository emicklei/go-restful prior to v3.8.0.
- CVE-2022-28948May 19, 2022affected < 1.10.0-r2fixed 1.10.0-r2
An issue in the Unmarshal function in Go-Yaml v3 causes the program to crash when attempting to deserialize invalid input.
- CVE-2022-27191Mar 18, 2022affected < 1.10.0-r2fixed 1.10.0-r2
The golang.org/x/crypto/ssh package before 0.0.0-20220314234659-1baeb1ce4c0b for Go allows an attacker to crash a server in certain circumstances involving AddHostKey.
- CVE-2021-3121Jan 11, 2021affected < 1.10.0-r2fixed 1.10.0-r2
An issue was discovered in GoGo Protobuf before 1.3.2. plugin/unmarshal/unmarshal.go lacks certain index validation, aka the "skippy peanut butter" issue.
Page 3 of 3