VYPR

apk package

chainguard/kyverno-cli-fips-1.16

pkg:apk/chainguard/kyverno-cli-fips-1.16

Vulnerabilities (47)

  • CVE-2026-24117Jan 22, 2026
    affected < 1.16.3-r2fixed 1.16.3-r2

    Rekor is a software supply chain transparency log. In versions 1.4.3 and below, attackers can trigger SSRF to arbitrary internal services because /api/v1/index/retrieve supports retrieving a public key via user-provided URL. Since the SSRF only can trigger GET requests, the reque

  • CVE-2026-23831Jan 22, 2026
    affected < 1.16.3-r2fixed 1.16.3-r2

    Rekor is a software supply chain transparency log. In versions 1.4.3 and below, the entry implementation can panic on attacker-controlled input when canonicalizing a proposed entry with an empty spec.message, causing nil Pointer Dereference. Function validate() returns nil (succe

  • CVE-2026-23992Jan 22, 2026
    affected < 1.16.3-r3fixed 1.16.3-r3

    go-tuf is a Go implementation of The Update Framework (TUF). Starting in version 2.0.0 and prior to version 2.3.1, a compromised or misconfigured TUF repository can have the configured value of signature thresholds set to 0, which effectively disables signature verification. This

  • CVE-2026-23991Jan 22, 2026
    affected < 1.16.3-r3fixed 1.16.3-r3

    go-tuf is a Go implementation of The Update Framework (TUF). Starting in version 2.0.0 and prior to version 2.3.1, if the TUF repository (or any of its mirrors) returns invalid TUF metadata JSON (valid JSON but not well formed TUF metadata), the client will panic during parsing,

  • CVE-2026-22703Jan 10, 2026
    affected < 1.16.3-r1fixed 1.16.3-r1

    Cosign provides code signing and transparency for containers and binaries. Prior to versions 2.6.2 and 3.0.4, Cosign bundle can be crafted to successfully verify an artifact even if the embedded Rekor entry does not reference the artifact's digest, signature or public key. When v

  • CVE-2025-66564Dec 4, 2025
    affected < 1.16.3-r1fixed 1.16.3-r1

    Sigstore Timestamp Authority is a service for issuing RFC 3161 timestamps. Prior to 2.0.3, Function api.ParseJSONRequest currently splits (via a call to strings.Split) an optionally-provided OID (which is untrusted data) on periods. Similarly, function api.getContentType splits t

  • CVE-2025-66506Dec 4, 2025
    affected < 1.16.2-r1fixed 1.16.2-r1

    Fulcio is a free-to-use certificate authority for issuing code signing certificates for an OpenID Connect (OIDC) identity. Prior to 1.8.3, function identity.extractIssuerURL splits (via a call to strings.Split) its argument (which is untrusted data) on periods. As a result, in th

Page 3 of 3