apk package
chainguard/mattermost-11.5
pkg:apk/chainguard/mattermost-11.5
Vulnerabilities (34)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2026-32288 | Medium | 5.5 | | < 11.5.4-r0 | 11.5.4-r0 | Apr 8, 2026 | tar.Reader can allocate an unbounded amount of memory when reading a maliciously-crafted archive containing a large number of sparse regions encoded in the "old GNU sparse map" format. |
| CVE-2026-32283 | High | 7.5 | | < 11.5.4-r0 | 11.5.4-r0 | Apr 8, 2026 | If one side of the TLS connection sends multiple key update messages post-handshake in a single record, the connection can deadlock, causing uncontrolled consumption of resources. This can lead to a denial of service. This only affects TLS 1.3. |
| CVE-2026-32282 | Medium | 6.4 | | < 0 | 0 | Apr 8, 2026 | On Linux, if the target of Root.Chmod is replaced with a symlink while the chmod operation is in progress, Chmod can operate on the target of the symlink, even when the target lies outside the root. The Linux fchmodat syscall silently ignores the AT_SYMLINK_NOFOLLOW flag, which R |
| CVE-2026-32281 | High | 7.5 | | < 11.5.4-r0 | 11.5.4-r0 | Apr 8, 2026 | Validating certificate chains which use policies is unexpectedly inefficient when certificates in the chain contain a very large number of policy mappings, possibly causing denial of service. This only affects validation of otherwise trusted certificate chains, issued by a root C |
| CVE-2026-32280 | High | 7.5 | | < 11.5.4-r0 | 11.5.4-r0 | Apr 8, 2026 | During chain building, the amount of work that is done is not correctly limited when a large number of intermediate certificates are passed in VerifyOptions.Intermediates, which can lead to a denial of service. This affects both direct users of crypto/x509 and users of crypto/tls |
| CVE-2026-27144 | High | 7.1 | | < 11.5.4-r0 | 11.5.4-r0 | Apr 8, 2026 | The compiler is meant to unwrap pointers which are the operands of a memory move; a no-op interface conversion prevented the compiler from making the correct determination about non-overlapping moves, potentially leading to memory corruption at runtime. |
| CVE-2026-27143 | Critical | 9.8 | | < 11.5.4-r0 | 11.5.4-r0 | Apr 8, 2026 | Arithmetic over induction variables in loops was not correctly checked for underflow or overflow. As a result, the compiler would allow for invalid indexing to occur at runtime, potentially leading to memory corruption. |
| CVE-2026-27140 | High | 8.8 | | < 11.5.4-r0 | 11.5.4-r0 | Apr 8, 2026 | SWIG file names containing 'cgo' and well-crafted payloads could lead to code smuggling and arbitrary code execution at build time due to trust layer bypass. |
| CVE-2026-33487 | High | 7.5 | | < 11.5.1-r2 | 11.5.1-r2 | Mar 26, 2026 | goxmlsig provides XML Digital Signatures implemented in Go. Prior to version 1.6.0, the `validateSignature` function in `validate.go` goes through the references in the `SignedInfo` block to find one that matches the signed element's ID. In Go versions before 1.22, or when `go.mo |
| CVE-2026-33809 | Medium | 5.3 | | < 11.5.1-r3 | 11.5.1-r3 | Mar 25, 2026 | A maliciously crafted TIFF file can cause image decoding to attempt to allocate up to 4GiB of memory, causing either excessive resource consumption or an out-of-memory error. |
| CVE-2026-33186 | Critical | 9.1 | | < 11.5.1-r2 | 11.5.1-r2 | Mar 20, 2026 | gRPC-Go is the Go language implementation of gRPC. Versions prior to 1.79.3 have an authorization bypass resulting from improper input validation of the HTTP/2 `:path` pseudo-header. The gRPC-Go server was too lenient in its routing logic, accepting requests where the `:path` omi |
| CVE-2026-27141 | High | 7.5 | | < 11.5.1-r4 | 11.5.1-r4 | Feb 26, 2026 | Due to a missing nil check, sending 0x0a-0x0f HTTP/2 frames will cause a running server to panic. |
| CVE-2022-4045 | — | | | < 0 | 0 | Nov 23, 2022 | A denial-of-service vulnerability in Mattermost allows an authenticated user to crash the server via multiple requests to one of the API endpoints which could fetch a large amount of data. |
| CVE-2022-4019 | — | | | < 0 | 0 | Nov 23, 2022 | A denial-of-service vulnerability in the Mattermost Playbooks plugin allows an authenticated user to crash the server via multiple large requests to one of the Playbooks API endpoints. |