apk package
chainguard/mattermost-11.4
pkg:apk/chainguard/mattermost-11.4
Vulnerabilities (29)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2026-27143 | Cri | 9.8 | < 11.4.5-r0 | 11.4.5-r0 | Apr 8, 2026 | Arithmetic over induction variables in loops were not correctly checked for underflow or overflow. As a result, the compiler would allow for invalid indexing to occur at runtime, potentially leading to memory corruption. | |
| CVE-2026-27140 | Hig | 8.8 | < 11.4.5-r0 | 11.4.5-r0 | Apr 8, 2026 | SWIG file names containing 'cgo' and well-crafted payloads could lead to code smuggling and arbitrary code execution at build time due to trust layer bypass. | |
| CVE-2026-33487 | Hig | 7.5 | < 11.4.3-r2 | 11.4.3-r2 | Mar 26, 2026 | goxmlsig provides XML Digital Signatures implemented in Go. Prior to version 1.6.0, the `validateSignature` function in `validate.go` goes through the references in the `SignedInfo` block to find one that matches the signed element's ID. In Go versions before 1.22, or when `go.mo | |
| CVE-2026-33809 | Med | 5.3 | < 11.4.3-r3 | 11.4.3-r3 | Mar 25, 2026 | A maliciously crafted TIFF file can cause image decoding to attempt to allocate up 4GiB of memory, causing either excessive resource consumption or an out-of-memory error. | |
| CVE-2026-33186 | Cri | 9.1 | < 11.4.3-r1 | 11.4.3-r1 | Mar 20, 2026 | gRPC-Go is the Go language implementation of gRPC. Versions prior to 1.79.3 have an authorization bypass resulting from improper input validation of the HTTP/2 `:path` pseudo-header. The gRPC-Go server was too lenient in its routing logic, accepting requests where the `:path` omi | |
| CVE-2026-27141 | Hig | 7.5 | < 11.4.3-r4 | 11.4.3-r4 | Feb 26, 2026 | Due to missing nil check, sending 0x0a-0x0f HTTP/2 frames will cause a running server to panic | |
| CVE-2026-26958 | Low | — | < 0 | 0 | Feb 19, 2026 | filippo.io/edwards25519 is a Go library implementing the edwards25519 elliptic curve with APIs for building cryptographic primitives. In versions 1.1.0 and earlier, MultiScalarMult produces invalid results or undefined behavior if the receiver is not the identity point. If (*Poin | |
| CVE-2022-4045 | — | < 0 | 0 | Nov 23, 2022 | A denial-of-service vulnerability in the Mattermost allows an authenticated user to crash the server via multiple requests to one of the API endpoints which could fetch a large amount of data. | ||
| CVE-2022-4019 | — | < 0 | 0 | Nov 23, 2022 | A denial-of-service vulnerability in the Mattermost Playbooks plugin allows an authenticated user to crash the server via multiple large requests to one of the Playbooks API endpoints. |
- affected < 11.4.5-r0fixed 11.4.5-r0
Arithmetic over induction variables in loops were not correctly checked for underflow or overflow. As a result, the compiler would allow for invalid indexing to occur at runtime, potentially leading to memory corruption.
- affected < 11.4.5-r0fixed 11.4.5-r0
SWIG file names containing 'cgo' and well-crafted payloads could lead to code smuggling and arbitrary code execution at build time due to trust layer bypass.
- affected < 11.4.3-r2fixed 11.4.3-r2
goxmlsig provides XML Digital Signatures implemented in Go. Prior to version 1.6.0, the `validateSignature` function in `validate.go` goes through the references in the `SignedInfo` block to find one that matches the signed element's ID. In Go versions before 1.22, or when `go.mo
- affected < 11.4.3-r3fixed 11.4.3-r3
A maliciously crafted TIFF file can cause image decoding to attempt to allocate up 4GiB of memory, causing either excessive resource consumption or an out-of-memory error.
- affected < 11.4.3-r1fixed 11.4.3-r1
gRPC-Go is the Go language implementation of gRPC. Versions prior to 1.79.3 have an authorization bypass resulting from improper input validation of the HTTP/2 `:path` pseudo-header. The gRPC-Go server was too lenient in its routing logic, accepting requests where the `:path` omi
- affected < 11.4.3-r4fixed 11.4.3-r4
Due to missing nil check, sending 0x0a-0x0f HTTP/2 frames will cause a running server to panic
- affected < 0fixed 0
filippo.io/edwards25519 is a Go library implementing the edwards25519 elliptic curve with APIs for building cryptographic primitives. In versions 1.1.0 and earlier, MultiScalarMult produces invalid results or undefined behavior if the receiver is not the identity point. If (*Poin
- CVE-2022-4045Nov 23, 2022affected < 0fixed 0
A denial-of-service vulnerability in the Mattermost allows an authenticated user to crash the server via multiple requests to one of the API endpoints which could fetch a large amount of data.
- CVE-2022-4019Nov 23, 2022affected < 0fixed 0
A denial-of-service vulnerability in the Mattermost Playbooks plugin allows an authenticated user to crash the server via multiple large requests to one of the Playbooks API endpoints.
Page 2 of 2