VYPR

apk package

chainguard/kyverno-init-container-fips-1.16

pkg:apk/chainguard/kyverno-init-container-fips-1.16

Vulnerabilities (41)

  • CVE-2026-41485HigApr 24, 2026
    affected < 1.16.4-r1fixed 1.16.4-r1

    Kyverno is a policy engine designed for cloud native platform engineering teams. Prior to versions 1.17.2 and 1.16.4, an unchecked type assertion in the `forEach` mutation handler allows any user with permission to create a `Policy` or `ClusterPolicy` to crash the cluster-wide ba

  • CVE-2026-32952MedApr 24, 2026
    affected < 1.16.3-r16fixed 1.16.3-r16

    go-ntlmssp is a Go package that provides NTLM/Negotiate authentication over HTTP. Prior to version 0.1.1, a malicious NTLM challenge message can causes an slice out of bounds panic, which can crash any Go process using `ntlmssp.Negotiator` as an HTTP transport. Version 0.1.1 patc

  • CVE-2026-39984MedApr 15, 2026
    affected < 1.16.4-r1fixed 1.16.4-r1

    Sigstore Timestamp Authority is a service for issuing RFC 3161 timestamps. Versions 2.0.5 and below contain an authorization bypass vulnerability in the VerifyTimestampResponse function. VerifyTimestampResponse correctly verifies the certificate chain signature, but the TSA-speci

  • CVE-2026-39883HigApr 8, 2026
    affected < 1.16.4-r6fixed 1.16.4-r6

    OpenTelemetry-Go is the Go implementation of OpenTelemetry. From 1.15.0 to 1.42.0, the fix for CVE-2026-24051 changed the Darwin ioreg command to use an absolute path but left the BSD kenv command using a bare name, allowing the same PATH hijacking attack on BSD and Solaris platf

  • CVE-2026-34986HigApr 6, 2026
    affected < 1.16.3-r12fixed 1.16.3-r12

    Go JOSE provides an implementation of the Javascript Object Signing and Encryption set of standards in Go, including support for JSON Web Encryption (JWE), JSON Web Signature (JWS), and JSON Web Token (JWT) standards. Prior to 4.1.4 and 3.0.5, decrypting a JSON Web Encryption (JW

  • CVE-2026-4789CriMar 30, 2026
    affected < 1.16.3-r13fixed 1.16.3-r13

    Kyverno, versions 1.16.0 and later, are vulnerable to SSRF due to unrestricted CEL HTTP functions.

  • CVE-2026-33186CriMar 20, 2026
    affected < 1.16.3-r10fixed 1.16.3-r10

    gRPC-Go is the Go language implementation of gRPC. Versions prior to 1.79.3 have an authorization bypass resulting from improper input validation of the HTTP/2 `:path` pseudo-header. The gRPC-Go server was too lenient in its routing logic, accepting requests where the `:path` omi

  • CVE-2025-15558Mar 4, 2026
    affected < 1.16.3-r7fixed 1.16.3-r7

    Docker CLI for Windows searches for plugin binaries in C:\ProgramData\Docker\cli-plugins, a directory that does not exist by default. A low-privileged attacker can create this directory and place malicious CLI plugin binaries (docker-compose.exe, docker-buildx.exe, etc.) that are

  • CVE-2026-1229Feb 24, 2026
    affected < 1.16.3-r5fixed 1.16.3-r5

    The CombinedMult function in the CIRCL ecc/p384 package (secp384r1 curve) produces an incorrect value for specific inputs. The issue is fixed by using complete addition formulas. ECDH and ECDSA signing relying on this curve are not affected. The bug was fixed in v1.6.3 https://

  • CVE-2026-24051HigFeb 2, 2026
    affected < 1.16.3-r6fixed 1.16.3-r6

    OpenTelemetry-Go is the Go implementation of OpenTelemetry. The OpenTelemetry Go SDK in version v1.20.0-1.39.0 is vulnerable to Path Hijacking (Untrusted Search Paths) on macOS/Darwin systems. The resource detection code in sdk/resource/host_id.go executes the ioreg system comman

  • CVE-2026-23881Jan 27, 2026
    affected < 1.16.3-r0fixed 1.16.3-r0

    Kyverno is a policy engine designed for cloud native platform engineering teams. Versions prior to 1.16.3 and 1.15.3 have unbounded memory consumption in Kyverno's policy engine that allows users with policy creation privileges to cause denial of service by crafting policies that

  • CVE-2026-22039Jan 27, 2026
    affected < 1.16.3-r0fixed 1.16.3-r0

    Kyverno is a policy engine designed for cloud native platform engineering teams. Versions prior to 1.16.3 and 1.15.3 have a critical authorization boundary bypass in namespaced Kyverno Policy apiCall. The resolved `urlPath` is executed using the Kyverno admission controller Servi

  • CVE-2026-24686Jan 27, 2026
    affected < 1.16.3-r3fixed 1.16.3-r3

    go-tuf is a Go implementation of The Update Framework (TUF). go-tuf's TAP 4 Multirepo Client uses the map file repository name string (`repoName`) as a filesystem path component when selecting the local metadata cache directory. Starting in version 2.0.0 and prior to version 2.4.

  • CVE-2026-24137MedJan 23, 2026
    affected < 1.16.3-r3fixed 1.16.3-r3

    sigstore framework is a common go library shared across sigstore services and clients. In versions 1.10.3 and below, the legacy TUF client (pkg/tuf/client.go) supports caching target files to disk. It constructs a filesystem path by joining a cache base directory with a target na

  • CVE-2026-24117Jan 22, 2026
    affected < 1.16.3-r2fixed 1.16.3-r2

    Rekor is a software supply chain transparency log. In versions 1.4.3 and below, attackers can trigger SSRF to arbitrary internal services because /api/v1/index/retrieve supports retrieving a public key via user-provided URL. Since the SSRF only can trigger GET requests, the reque

  • CVE-2026-23831Jan 22, 2026
    affected < 1.16.3-r2fixed 1.16.3-r2

    Rekor is a software supply chain transparency log. In versions 1.4.3 and below, the entry implementation can panic on attacker-controlled input when canonicalizing a proposed entry with an empty spec.message, causing nil Pointer Dereference. Function validate() returns nil (succe

  • CVE-2026-23992Jan 22, 2026
    affected < 1.16.3-r3fixed 1.16.3-r3

    go-tuf is a Go implementation of The Update Framework (TUF). Starting in version 2.0.0 and prior to version 2.3.1, a compromised or misconfigured TUF repository can have the configured value of signature thresholds set to 0, which effectively disables signature verification. This

  • CVE-2026-23991Jan 22, 2026
    affected < 1.16.3-r3fixed 1.16.3-r3

    go-tuf is a Go implementation of The Update Framework (TUF). Starting in version 2.0.0 and prior to version 2.3.1, if the TUF repository (or any of its mirrors) returns invalid TUF metadata JSON (valid JSON but not well formed TUF metadata), the client will panic during parsing,

  • CVE-2026-22703Jan 10, 2026
    affected < 1.16.3-r1fixed 1.16.3-r1

    Cosign provides code signing and transparency for containers and binaries. Prior to versions 2.6.2 and 3.0.4, Cosign bundle can be crafted to successfully verify an artifact even if the embedded Rekor entry does not reference the artifact's digest, signature or public key. When v

  • CVE-2025-66564Dec 4, 2025
    affected < 1.16.3-r1fixed 1.16.3-r1

    Sigstore Timestamp Authority is a service for issuing RFC 3161 timestamps. Prior to 2.0.3, Function api.ParseJSONRequest currently splits (via a call to strings.Split) an optionally-provided OID (which is untrusted data) on periods. Similarly, function api.getContentType splits t