apk package
chainguard/linkerd2-metrics-api
pkg:apk/chainguard/linkerd2-metrics-api
Vulnerabilities (26)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2024-12224 | — | < 24.11.8-r1 | 24.11.8-r1 | May 30, 2025 | Improper Validation of Unsafe Equivalence in punycode by the idna crate from Servo rust-url allows an attacker to create a punycode hostname that one part of a system might treat as distinct while another part of that system would treat as equivalent to another hostname. | ||
| CVE-2024-40635 | — | < 25.3.3-r0 | 25.3.3-r0 | Mar 17, 2025 | containerd is an open-source container runtime. A bug was found in containerd prior to versions 1.6.38, 1.7.27, and 2.0.4 where containers launched with a User set as a `UID:GID` larger than the maximum 32-bit signed integer can cause an overflow condition where the container ult | ||
| CVE-2025-22868 | — | < 25.3.1-r1 | 25.3.1-r1 | Feb 26, 2025 | An attacker can pass a malicious malformed token which causes unexpected memory to be consumed during parsing. | ||
| CVE-2025-22866 | Med | 4.0 | < 25.1.2-r2 | 25.1.2-r2 | Feb 6, 2025 | Due to the usage of a variable time instruction in the assembly implementation of an internal function, a small number of bits of secret scalars are leaked on the ppc64le architecture. Due to the way this function is used, we do not believe this leakage is enough to allow recover | |
| CVE-2025-24898 | Med | — | < 25.1.2-r1 | 25.1.2-r1 | Feb 3, 2025 | rust-openssl is a set of OpenSSL bindings for the Rust programming language. In affected versions `ssl::select_next_proto` can return a slice pointing into the `server` argument's buffer but with a lifetime bound to the `client` argument. In situations where the `sever` buffer's | |
| CVE-2024-45337 | Cri | 9.1 | < 24.11.8-r1 | 24.11.8-r1 | Dec 12, 2024 | Applications and libraries which misuse connection.serverAuthenticate (via callback field ServerConfig.PublicKeyCallback) may be susceptible to an authorization bypass. The documentation for ServerConfig.PublicKeyCallback says that "A call to this function does not guarantee that |
- CVE-2024-12224May 30, 2025affected < 24.11.8-r1fixed 24.11.8-r1
Improper Validation of Unsafe Equivalence in punycode by the idna crate from Servo rust-url allows an attacker to create a punycode hostname that one part of a system might treat as distinct while another part of that system would treat as equivalent to another hostname.
- CVE-2024-40635Mar 17, 2025affected < 25.3.3-r0fixed 25.3.3-r0
containerd is an open-source container runtime. A bug was found in containerd prior to versions 1.6.38, 1.7.27, and 2.0.4 where containers launched with a User set as a `UID:GID` larger than the maximum 32-bit signed integer can cause an overflow condition where the container ult
- CVE-2025-22868Feb 26, 2025affected < 25.3.1-r1fixed 25.3.1-r1
An attacker can pass a malicious malformed token which causes unexpected memory to be consumed during parsing.
- affected < 25.1.2-r2fixed 25.1.2-r2
Due to the usage of a variable time instruction in the assembly implementation of an internal function, a small number of bits of secret scalars are leaked on the ppc64le architecture. Due to the way this function is used, we do not believe this leakage is enough to allow recover
- affected < 25.1.2-r1fixed 25.1.2-r1
rust-openssl is a set of OpenSSL bindings for the Rust programming language. In affected versions `ssl::select_next_proto` can return a slice pointing into the `server` argument's buffer but with a lifetime bound to the `client` argument. In situations where the `sever` buffer's
- affected < 24.11.8-r1fixed 24.11.8-r1
Applications and libraries which misuse connection.serverAuthenticate (via callback field ServerConfig.PublicKeyCallback) may be susceptible to an authorization bypass. The documentation for ServerConfig.PublicKeyCallback says that "A call to this function does not guarantee that
Page 2 of 2