apk package
chainguard/kyverno-cli-1.17
pkg:apk/chainguard/kyverno-cli-1.17
Vulnerabilities (38)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2026-41178 | Med | 5.3 | < 1.17.2-r12 | 1.17.2-r12 | Jun 4, 2026 | OpenTelemetry-Go is the Go implementation of OpenTelemetry. Versions 1.41.0 and 1.43.0 removed raw-length rejection and it causes `Parse` to process arbitrarily large/invalid baggage headers and log errors, enabling DoS via oversized inputs. Versions 1.42.0 and 1.44.0 fix the iss | |
| CVE-2026-42507 | Med | 5.3 | < 1.17.2-r10 | 1.17.2-r10 | Jun 2, 2026 | When returning errors, functions in the net/textproto package would include its input as part of the error. This might allow an attacker to inject misleading content to errors that are printed or logged. | |
| CVE-2026-42504 | Hig | 7.5 | < 1.17.2-r10 | 1.17.2-r10 | Jun 2, 2026 | Decoding a maliciously-crafted MIME header containing many invalid encoded-words can consume excessive CPU. | |
| CVE-2026-27145 | Med | 6.5 | < 1.17.2-r10 | 1.17.2-r10 | Jun 2, 2026 | (*x509.Certificate).VerifyHostname previously called matchHostnames in a loop over all DNS Subject Alternative Name (SAN) entries. This caused strings.Split(host, ".") to execute repeatedly on the same input hostname. With a large DNS SAN list, verification costs scaled quadratic | |
| CVE-2026-45571 | Med | 5.4 | < 1.17.2-r6 | 1.17.2-r6 | May 27, 2026 | go-git is an extensible git implementation library written in pure Go. Prior to 5.19.1 and 6.0.0-alpha.4, a path validation issue in go-git could allow crafted repository data to affect files outside the intended checkout target, including the repository's .git directory. These v | |
| CVE-2026-45570 | Cri | 9.6 | < 1.17.2-r6 | 1.17.2-r6 | May 27, 2026 | go-git is an extensible git implementation library written in pure Go. Prior to 5.19.1 and 6.0.0-alpha.4, go-git's SSH transport constructs the remote exec command by wrapping the repository path in single quotes without escaping single quotes embedded inside the path. A reposito | |
| CVE-2026-45022 | Hig | 7.5 | < 1.17.2-r5 | 1.17.2-r5 | May 27, 2026 | go-git is an extensible git implementation library written in pure Go. Prior to 5.19.0 and 6.0.0-alpha.3, go-git may parse malformed Git objects in a way that differs from upstream Git. When commit or tag objects contain ambiguous or malformed headers, go-git’s decoded representa | |
| CVE-2026-42506 | Med | 6.1 | < 1.17.2-r9 | 1.17.2-r9 | May 22, 2026 | Parsing arbitrary HTML which is then rendered using Render can result in an unexpected HTML tree. This can be leveraged to execute XSS attacks in applications that attempt to sanitize input HTML before rendering. | |
| CVE-2026-42502 | Med | 6.1 | < 1.17.2-r9 | 1.17.2-r9 | May 22, 2026 | Parsing arbitrary HTML which is then rendered using Render can result in an unexpected HTML tree. This can be leveraged to execute XSS attacks in applications that attempt to sanitize input HTML before rendering. | |
| CVE-2026-27136 | Med | 6.1 | < 1.17.2-r9 | 1.17.2-r9 | May 22, 2026 | Parsing arbitrary HTML which is then rendered using Render can result in an unexpected HTML tree. This can be leveraged to execute XSS attacks in applications that attempt to sanitize input HTML before rendering. | |
| CVE-2026-25681 | Med | 6.1 | < 1.17.2-r9 | 1.17.2-r9 | May 22, 2026 | Parsing arbitrary HTML which is then rendered using Render can result in an unexpected HTML tree. This can be leveraged to execute XSS attacks in applications that attempt to sanitize input HTML before rendering. | |
| CVE-2026-25680 | Med | 6.5 | < 1.17.2-r9 | 1.17.2-r9 | May 22, 2026 | Parsing arbitrary HTML can consume excessive CPU time, possibly leading to denial of service. | |
| CVE-2026-41506 | Med | 4.7 | < 1.17.1-r16 | 1.17.1-r16 | May 8, 2026 | go-git is an extensible git implementation library written in pure Go. Prior to versions 5.18.0 and 6.0.0-alpha.2, go-git may leak HTTP authentication credentials when following redirects during smart-HTTP clone and fetch operations. This issue has been patched in versions 5.18.0 | |
| CVE-2026-41485 | Hig | 7.7 | < 1.17.2-r1 | 1.17.2-r1 | Apr 24, 2026 | Kyverno is a policy engine designed for cloud native platform engineering teams. Prior to versions 1.17.2 and 1.16.4, an unchecked type assertion in the `forEach` mutation handler allows any user with permission to create a `Policy` or `ClusterPolicy` to crash the cluster-wide ba | |
| CVE-2026-41323 | Hig | 8.1 | < 1.17.2-r1 | 1.17.2-r1 | Apr 24, 2026 | Kyverno is a policy engine designed for cloud native platform engineering teams. Prior to versions 1.18.0-rc1, 1.17.2-rc1, and 1.16.4, Kyverno's apiCall feature in ClusterPolicy automatically attaches the admission controller's ServiceAccount token to outgoing HTTP requests. The | |
| CVE-2026-32952 | Med | 5.3 | < 1.17.1-r17 | 1.17.1-r17 | Apr 24, 2026 | go-ntlmssp is a Go package that provides NTLM/Negotiate authentication over HTTP. Prior to version 0.1.1, a malicious NTLM challenge message can causes an slice out of bounds panic, which can crash any Go process using `ntlmssp.Negotiator` as an HTTP transport. Version 0.1.1 patc | |
| CVE-2026-39984 | Med | 5.5 | < 1.17.1-r15 | 1.17.1-r15 | Apr 15, 2026 | Sigstore Timestamp Authority is a service for issuing RFC 3161 timestamps. Versions 2.0.5 and below contain an authorization bypass vulnerability in the VerifyTimestampResponse function. VerifyTimestampResponse correctly verifies the certificate chain signature, but the TSA-speci | |
| CVE-2026-39883 | Hig | 7.0 | < 1.17.1-r12 | 1.17.1-r12 | Apr 8, 2026 | OpenTelemetry-Go is the Go implementation of OpenTelemetry. From 1.15.0 to 1.42.0, the fix for CVE-2026-24051 changed the Darwin ioreg command to use an absolute path but left the BSD kenv command using a bare name, allowing the same PATH hijacking attack on BSD and Solaris platf | |
| CVE-2026-32289 | Med | 6.1 | < 1.17.2-r9 | 1.17.2-r9 | Apr 8, 2026 | Context was not properly tracked across template branches for JS template literals, leading to possibly incorrect escaping of content when branches were used. Additionally template actions within JS template literals did not properly track the brace depth, leading to incorrect es | |
| CVE-2026-32288 | Med | 5.5 | < 1.17.2-r9 | 1.17.2-r9 | Apr 8, 2026 | tar.Reader can allocate an unbounded amount of memory when reading a maliciously-crafted archive containing a large number of sparse regions encoded in the "old GNU sparse map" format. |
- affected < 1.17.2-r12fixed 1.17.2-r12
OpenTelemetry-Go is the Go implementation of OpenTelemetry. Versions 1.41.0 and 1.43.0 removed raw-length rejection and it causes `Parse` to process arbitrarily large/invalid baggage headers and log errors, enabling DoS via oversized inputs. Versions 1.42.0 and 1.44.0 fix the iss
- affected < 1.17.2-r10fixed 1.17.2-r10
When returning errors, functions in the net/textproto package would include its input as part of the error. This might allow an attacker to inject misleading content to errors that are printed or logged.
- affected < 1.17.2-r10fixed 1.17.2-r10
Decoding a maliciously-crafted MIME header containing many invalid encoded-words can consume excessive CPU.
- affected < 1.17.2-r10fixed 1.17.2-r10
(*x509.Certificate).VerifyHostname previously called matchHostnames in a loop over all DNS Subject Alternative Name (SAN) entries. This caused strings.Split(host, ".") to execute repeatedly on the same input hostname. With a large DNS SAN list, verification costs scaled quadratic
- affected < 1.17.2-r6fixed 1.17.2-r6
go-git is an extensible git implementation library written in pure Go. Prior to 5.19.1 and 6.0.0-alpha.4, a path validation issue in go-git could allow crafted repository data to affect files outside the intended checkout target, including the repository's .git directory. These v
- affected < 1.17.2-r6fixed 1.17.2-r6
go-git is an extensible git implementation library written in pure Go. Prior to 5.19.1 and 6.0.0-alpha.4, go-git's SSH transport constructs the remote exec command by wrapping the repository path in single quotes without escaping single quotes embedded inside the path. A reposito
- affected < 1.17.2-r5fixed 1.17.2-r5
go-git is an extensible git implementation library written in pure Go. Prior to 5.19.0 and 6.0.0-alpha.3, go-git may parse malformed Git objects in a way that differs from upstream Git. When commit or tag objects contain ambiguous or malformed headers, go-git’s decoded representa
- affected < 1.17.2-r9fixed 1.17.2-r9
Parsing arbitrary HTML which is then rendered using Render can result in an unexpected HTML tree. This can be leveraged to execute XSS attacks in applications that attempt to sanitize input HTML before rendering.
- affected < 1.17.2-r9fixed 1.17.2-r9
Parsing arbitrary HTML which is then rendered using Render can result in an unexpected HTML tree. This can be leveraged to execute XSS attacks in applications that attempt to sanitize input HTML before rendering.
- affected < 1.17.2-r9fixed 1.17.2-r9
Parsing arbitrary HTML which is then rendered using Render can result in an unexpected HTML tree. This can be leveraged to execute XSS attacks in applications that attempt to sanitize input HTML before rendering.
- affected < 1.17.2-r9fixed 1.17.2-r9
Parsing arbitrary HTML which is then rendered using Render can result in an unexpected HTML tree. This can be leveraged to execute XSS attacks in applications that attempt to sanitize input HTML before rendering.
- affected < 1.17.2-r9fixed 1.17.2-r9
Parsing arbitrary HTML can consume excessive CPU time, possibly leading to denial of service.
- affected < 1.17.1-r16fixed 1.17.1-r16
go-git is an extensible git implementation library written in pure Go. Prior to versions 5.18.0 and 6.0.0-alpha.2, go-git may leak HTTP authentication credentials when following redirects during smart-HTTP clone and fetch operations. This issue has been patched in versions 5.18.0
- affected < 1.17.2-r1fixed 1.17.2-r1
Kyverno is a policy engine designed for cloud native platform engineering teams. Prior to versions 1.17.2 and 1.16.4, an unchecked type assertion in the `forEach` mutation handler allows any user with permission to create a `Policy` or `ClusterPolicy` to crash the cluster-wide ba
- affected < 1.17.2-r1fixed 1.17.2-r1
Kyverno is a policy engine designed for cloud native platform engineering teams. Prior to versions 1.18.0-rc1, 1.17.2-rc1, and 1.16.4, Kyverno's apiCall feature in ClusterPolicy automatically attaches the admission controller's ServiceAccount token to outgoing HTTP requests. The
- affected < 1.17.1-r17fixed 1.17.1-r17
go-ntlmssp is a Go package that provides NTLM/Negotiate authentication over HTTP. Prior to version 0.1.1, a malicious NTLM challenge message can causes an slice out of bounds panic, which can crash any Go process using `ntlmssp.Negotiator` as an HTTP transport. Version 0.1.1 patc
- affected < 1.17.1-r15fixed 1.17.1-r15
Sigstore Timestamp Authority is a service for issuing RFC 3161 timestamps. Versions 2.0.5 and below contain an authorization bypass vulnerability in the VerifyTimestampResponse function. VerifyTimestampResponse correctly verifies the certificate chain signature, but the TSA-speci
- affected < 1.17.1-r12fixed 1.17.1-r12
OpenTelemetry-Go is the Go implementation of OpenTelemetry. From 1.15.0 to 1.42.0, the fix for CVE-2026-24051 changed the Darwin ioreg command to use an absolute path but left the BSD kenv command using a bare name, allowing the same PATH hijacking attack on BSD and Solaris platf
- affected < 1.17.2-r9fixed 1.17.2-r9
Context was not properly tracked across template branches for JS template literals, leading to possibly incorrect escaping of content when branches were used. Additionally template actions within JS template literals did not properly track the brace depth, leading to incorrect es
- affected < 1.17.2-r9fixed 1.17.2-r9
tar.Reader can allocate an unbounded amount of memory when reading a maliciously-crafted archive containing a large number of sparse regions encoded in the "old GNU sparse map" format.
Page 1 of 2