apk package

chainguard/kyverno-cli

pkg:apk/chainguard/kyverno-cli

Vulnerabilities (22)

CVE	Sev	CVSS	Affected versions	Fixed in	Published	Description
CVE-2024-6104		—	< 1.12.4-r1	1.12.4-r1	Jun 24, 2024	go-retryablehttp prior to 0.7.7 did not sanitize urls when writing them to its log file. This could lead to go-retryablehttp writing sensitive HTTP basic auth credentials to its log file. This vulnerability, CVE-2024-6104, was fixed in go-retryablehttp 0.7.7.
CVE-2024-35255		—	< 1.12.3-r2	1.12.3-r2	Jun 11, 2024	Azure Identity Libraries and Microsoft Authentication Library Elevation of Privilege Vulnerability
CVE-2024-24788	Med	5.9	< 1.12.1-r2	1.12.1-r2	May 8, 2024	A malformed DNS message in response to a query can cause the Lookup functions to get stuck in an infinite loop.
CVE-2024-24787	Med	6.4	< 1.12.1-r2	1.12.1-r2	May 8, 2024	On Darwin, building a Go module which contains CGO can trigger arbitrary code execution when using the Apple version of ld, due to usage of the -lto_library flag in a "#cgo LDFLAGS" directive.
CVE-2023-45288	Hig	7.5	< 1.11.4-r10	1.11.4-r10	Apr 4, 2024	An attacker may cause an HTTP/2 endpoint to read arbitrary amounts of header data by sending an excessive number of CONTINUATION frames. Maintaining HPACK state requires parsing and processing all HEADERS and CONTINUATION frames on a connection. When a request's headers exceed Ma
CVE-2024-29018		—	< 0	0	Mar 20, 2024	Moby is an open source container framework that is a key component of Docker Engine, Docker Desktop, and other distributions of container tooling or runtimes. Moby's networking implementation allows for many networks, each with their own IP address range and gateway, to be define
CVE-2024-28122		—	< 1.11.4-r6	1.11.4-r6	Mar 9, 2024	JWX is Go module implementing various JWx (JWA/JWE/JWK/JWS/JWT, otherwise known as JOSE) technologies. This vulnerability allows an attacker with a trusted public key to cause a Denial-of-Service (DoS) condition by crafting a malicious JSON Web Encryption (JWE) token with an exc
CVE-2024-24786	Hig	7.5	< 1.11.4-r7	1.11.4-r7	Mar 5, 2024	The protojson.Unmarshal function can enter an infinite loop when unmarshaling certain forms of invalid JSON. This condition can occur when unmarshaling into a message which contains a google.protobuf.Any value, or when the UnmarshalOptions.DiscardUnknown option is set.
CVE-2024-24557		—	< 1.11.4-r8	1.11.4-r8	Feb 1, 2024	Moby is an open-source project created by Docker to enable software containerization. The classic builder cache system is prone to cache poisoning if the image is built FROM scratch. Also, changes to some instructions (most important being HEALTHCHECK and ONBUILD) would not cause
CVE-2024-21664		—	< 1.11.4-r1	1.11.4-r1	Jan 9, 2024	jwx is a Go module implementing various JWx (JWA/JWE/JWK/JWS/JWT, otherwise known as JOSE) technologies. Calling `jws.Parse` with a JSON serialized payload where the `signature` field is present while `protected` is absent can lead to a nil pointer dereference. The vulnerability
CVE-2023-49290		—	< 1.11.4-r1	1.11.4-r1	Dec 4, 2023	lestrrat-go/jwx is a Go module implementing various JWx (JWA/JWE/JWK/JWS/JWT, otherwise known as JOSE) technologies. A p2c parameter set too high in JWE's algorithm PBES2-* could lead to a denial of service. The JWE key management algorithms based on PBKDF2 require a JOSE Header
CVE-2023-47630		—	< 0	0	Nov 14, 2023	Kyverno is a policy engine designed for Kubernetes. An issue was found in Kyverno that allowed an attacker to control the digest of images used by Kyverno users. The issue would require the attacker to compromise the registry that the Kyverno users fetch their images from. The at
CVE-2023-47108		—	< 1.11.0-r1	1.11.0-r1	Nov 10, 2023	OpenTelemetry-Go Contrib is a collection of third-party packages for OpenTelemetry-Go. Starting in version 0.37.0 and prior to version 0.46.0, the grpc Unary Server Interceptor out of the box adds labels `net.peer.sock.addr` and `net.peer.sock.port` that have unbound cardinality.
CVE-2023-45284		—	< 0	0	Nov 9, 2023	On Windows, The IsLocal function does not correctly detect reserved device names in some cases. Reserved names followed by spaces, such as "COM1 ", and reserved names "COM" and "LPT" followed by superscript 1, 2, or 3, are incorrectly reported as local. With fix, IsLocal now corr
CVE-2023-45283		—	< 0	0	Nov 9, 2023	The filepath package does not recognize paths with a \??\ prefix as special. On Windows, a path beginning with \??\ is a Root Local Device path equivalent to a path beginning with \\?\. Paths with a \??\ prefix may be used to access arbitrary locations on the system. For example,
CVE-2023-39325		—	< 1.10.3-r6	1.10.3-r6	Oct 11, 2023	A malicious HTTP/2 client which rapidly creates requests and immediately resets them can cause excessive server resource consumption. While the total number of requests is bounded by the http2.Server.MaxConcurrentStreams setting, resetting an in-progress request allows the attack
CVE-2023-3978		—	< 1.10.3-r6	1.10.3-r6	Aug 2, 2023	Text nodes not in the HTML namespace are incorrectly literally rendered, causing text which should be escaped to not be. This could lead to an XSS attack.
CVE-2023-33959		—	< 1.11.0-r1	1.11.0-r1	Jun 6, 2023	notation is a CLI tool to sign and verify OCI artifacts and container images. An attacker who has compromised a registry can cause users to verify the wrong artifact. The problem has been fixed in the release v1.0.0-rc.6. Users should upgrade their notation-go library to v1.0.0-r
CVE-2023-34091		—	< 0	0	Jun 1, 2023	Kyverno is a policy engine designed for Kubernetes. In versions of Kyverno prior to 1.10.0, resources which have the `deletionTimestamp` field defined can bypass validate, generate, or mutate-existing policies, even in cases where the `validationFailureAction` field is set to `En
CVE-2023-33199		—	< 0	0	May 26, 2023	Rekor's goals are to provide an immutable tamper resistant ledger of metadata generated within a software projects supply chain. A malformed proposed entry of the `intoto/v0.0.2` type can cause a panic on a thread within the Rekor process. The thread is recovered so the client re

CVE-2024-6104Jun 24, 2024
affected < 1.12.4-r1fixed 1.12.4-r1
go-retryablehttp prior to 0.7.7 did not sanitize urls when writing them to its log file. This could lead to go-retryablehttp writing sensitive HTTP basic auth credentials to its log file. This vulnerability, CVE-2024-6104, was fixed in go-retryablehttp 0.7.7.
CVE-2024-35255Jun 11, 2024
affected < 1.12.3-r2fixed 1.12.3-r2
Azure Identity Libraries and Microsoft Authentication Library Elevation of Privilege Vulnerability
CVE-2024-24788MedMay 8, 2024
affected < 1.12.1-r2fixed 1.12.1-r2
A malformed DNS message in response to a query can cause the Lookup functions to get stuck in an infinite loop.
CVE-2024-24787MedMay 8, 2024
affected < 1.12.1-r2fixed 1.12.1-r2
On Darwin, building a Go module which contains CGO can trigger arbitrary code execution when using the Apple version of ld, due to usage of the -lto_library flag in a "#cgo LDFLAGS" directive.
CVE-2023-45288HigApr 4, 2024
affected < 1.11.4-r10fixed 1.11.4-r10
An attacker may cause an HTTP/2 endpoint to read arbitrary amounts of header data by sending an excessive number of CONTINUATION frames. Maintaining HPACK state requires parsing and processing all HEADERS and CONTINUATION frames on a connection. When a request's headers exceed Ma
CVE-2024-29018Mar 20, 2024
affected < 0fixed 0
Moby is an open source container framework that is a key component of Docker Engine, Docker Desktop, and other distributions of container tooling or runtimes. Moby's networking implementation allows for many networks, each with their own IP address range and gateway, to be define
CVE-2024-28122Mar 9, 2024
affected < 1.11.4-r6fixed 1.11.4-r6
JWX is Go module implementing various JWx (JWA/JWE/JWK/JWS/JWT, otherwise known as JOSE) technologies. This vulnerability allows an attacker with a trusted public key to cause a Denial-of-Service (DoS) condition by crafting a malicious JSON Web Encryption (JWE) token with an exc
CVE-2024-24786HigMar 5, 2024
affected < 1.11.4-r7fixed 1.11.4-r7
The protojson.Unmarshal function can enter an infinite loop when unmarshaling certain forms of invalid JSON. This condition can occur when unmarshaling into a message which contains a google.protobuf.Any value, or when the UnmarshalOptions.DiscardUnknown option is set.
CVE-2024-24557Feb 1, 2024
affected < 1.11.4-r8fixed 1.11.4-r8
Moby is an open-source project created by Docker to enable software containerization. The classic builder cache system is prone to cache poisoning if the image is built FROM scratch. Also, changes to some instructions (most important being HEALTHCHECK and ONBUILD) would not cause
CVE-2024-21664Jan 9, 2024
affected < 1.11.4-r1fixed 1.11.4-r1
jwx is a Go module implementing various JWx (JWA/JWE/JWK/JWS/JWT, otherwise known as JOSE) technologies. Calling `jws.Parse` with a JSON serialized payload where the `signature` field is present while `protected` is absent can lead to a nil pointer dereference. The vulnerability
CVE-2023-49290Dec 4, 2023
affected < 1.11.4-r1fixed 1.11.4-r1
lestrrat-go/jwx is a Go module implementing various JWx (JWA/JWE/JWK/JWS/JWT, otherwise known as JOSE) technologies. A p2c parameter set too high in JWE's algorithm PBES2-* could lead to a denial of service. The JWE key management algorithms based on PBKDF2 require a JOSE Header
CVE-2023-47630Nov 14, 2023
affected < 0fixed 0
Kyverno is a policy engine designed for Kubernetes. An issue was found in Kyverno that allowed an attacker to control the digest of images used by Kyverno users. The issue would require the attacker to compromise the registry that the Kyverno users fetch their images from. The at
CVE-2023-47108Nov 10, 2023
affected < 1.11.0-r1fixed 1.11.0-r1
OpenTelemetry-Go Contrib is a collection of third-party packages for OpenTelemetry-Go. Starting in version 0.37.0 and prior to version 0.46.0, the grpc Unary Server Interceptor out of the box adds labels `net.peer.sock.addr` and `net.peer.sock.port` that have unbound cardinality.
CVE-2023-45284Nov 9, 2023
affected < 0fixed 0
On Windows, The IsLocal function does not correctly detect reserved device names in some cases. Reserved names followed by spaces, such as "COM1 ", and reserved names "COM" and "LPT" followed by superscript 1, 2, or 3, are incorrectly reported as local. With fix, IsLocal now corr
CVE-2023-45283Nov 9, 2023
affected < 0fixed 0
The filepath package does not recognize paths with a \??\ prefix as special. On Windows, a path beginning with \??\ is a Root Local Device path equivalent to a path beginning with \\?\. Paths with a \??\ prefix may be used to access arbitrary locations on the system. For example,
CVE-2023-39325Oct 11, 2023
affected < 1.10.3-r6fixed 1.10.3-r6
A malicious HTTP/2 client which rapidly creates requests and immediately resets them can cause excessive server resource consumption. While the total number of requests is bounded by the http2.Server.MaxConcurrentStreams setting, resetting an in-progress request allows the attack
CVE-2023-3978Aug 2, 2023
affected < 1.10.3-r6fixed 1.10.3-r6
Text nodes not in the HTML namespace are incorrectly literally rendered, causing text which should be escaped to not be. This could lead to an XSS attack.
CVE-2023-33959Jun 6, 2023
affected < 1.11.0-r1fixed 1.11.0-r1
notation is a CLI tool to sign and verify OCI artifacts and container images. An attacker who has compromised a registry can cause users to verify the wrong artifact. The problem has been fixed in the release v1.0.0-rc.6. Users should upgrade their notation-go library to v1.0.0-r
CVE-2023-34091Jun 1, 2023
affected < 0fixed 0
Kyverno is a policy engine designed for Kubernetes. In versions of Kyverno prior to 1.10.0, resources which have the `deletionTimestamp` field defined can bypass validate, generate, or mutate-existing policies, even in cases where the `validationFailureAction` field is set to `En
CVE-2023-33199May 26, 2023
affected < 0fixed 0
Rekor's goals are to provide an immutable tamper resistant ledger of metadata generated within a software projects supply chain. A malformed proposed entry of the `intoto/v0.0.2` type can cause a panic on a thread within the Rekor process. The thread is recovered so the client re

Page 1 of 2