VYPR

apk package

chainguard/metrics-server-compat

pkg:apk/chainguard/metrics-server-compat

Vulnerabilities (45)

  • CVE-2025-22868Feb 26, 2025
    affected < 0.7.2-r9fixed 0.7.2-r9

    An attacker can pass a malicious malformed token which causes unexpected memory to be consumed during parsing.

  • CVE-2025-22869Feb 26, 2025
    affected < 0.7.2-r8fixed 0.7.2-r8

    SSH servers which implement file transfer protocols are vulnerable to a denial of service attack from clients which complete the key exchange slowly, or not at all, causing pending content to be read into memory, but never transmitted.

  • CVE-2025-22866MedFeb 6, 2025
    affected < 0.7.2-r5fixed 0.7.2-r5

    Due to the usage of a variable time instruction in the assembly implementation of an internal function, a small number of bits of secret scalars are leaked on the ppc64le architecture. Due to the way this function is used, we do not believe this leakage is enough to allow recover

  • CVE-2024-45338MedDec 18, 2024
    affected < 0.7.2-r3fixed 0.7.2-r3

    An attacker can craft an input to the Parse functions that would be processed non-linearly with respect to its length, resulting in extremely slow parsing. This could cause a denial of service.

  • CVE-2024-45337CriDec 12, 2024
    affected < 0.7.2-r2fixed 0.7.2-r2

    Applications and libraries which misuse connection.serverAuthenticate (via callback field ServerConfig.PublicKeyCallback) may be susceptible to an authorization bypass. The documentation for ServerConfig.PublicKeyCallback says that "A call to this function does not guarantee that

  • CVE-2024-34158HigSep 6, 2024
    affected < 0.7.2-r1fixed 0.7.2-r1

    Calling Parse on a "// +build" build tag line with deeply nested expressions can cause a panic due to stack exhaustion.

  • CVE-2024-34156HigSep 6, 2024
    affected < 0.7.2-r1fixed 0.7.2-r1

    Calling Decoder.Decode on a message which contains deeply nested structures can cause a panic due to stack exhaustion. This is a follow-up to CVE-2022-30635.

  • CVE-2024-34155MedSep 6, 2024
    affected < 0.7.2-r1fixed 0.7.2-r1

    Calling any of the Parse functions on Go source code which contains deeply nested literals can cause a panic due to stack exhaustion.

  • CVE-2024-24788MedMay 8, 2024
    affected < 0.7.1-r3fixed 0.7.1-r3

    A malformed DNS message in response to a query can cause the Lookup functions to get stuck in an infinite loop.

  • CVE-2024-24786HigMar 5, 2024
    affected < 0.7.0-r2fixed 0.7.0-r2

    The protojson.Unmarshal function can enter an infinite loop when unmarshaling certain forms of invalid JSON. This condition can occur when unmarshaling into a message which contains a google.protobuf.Any value, or when the UnmarshalOptions.DiscardUnknown option is set.

  • CVE-2023-45285Dec 6, 2023
    affected < 0.6.4-r8fixed 0.6.4-r8

    Using go get to fetch a module with the ".git" suffix may unexpectedly fallback to the insecure "git://" protocol if the module is unavailable via the secure "https://" and "git+ssh://" protocols, even if GOINSECURE is not set for said module. This only affects users who are not

  • CVE-2023-39326Dec 6, 2023
    affected < 0.6.4-r8fixed 0.6.4-r8

    A malicious HTTP sender can use chunk extensions to cause a receiver reading from a request or response body to read many more bytes from the network than are in the body. A malicious HTTP client can further exploit this to cause a server to automatically read a large amount of d

  • CVE-2023-47108Nov 10, 2023
    affected < 0.8.0-r4fixed 0.8.0-r4

    OpenTelemetry-Go Contrib is a collection of third-party packages for OpenTelemetry-Go. Starting in version 0.37.0 and prior to version 0.46.0, the grpc Unary Server Interceptor out of the box adds labels `net.peer.sock.addr` and `net.peer.sock.port` that have unbound cardinality.

  • CVE-2023-45284Nov 9, 2023
    affected < 0fixed 0

    On Windows, The IsLocal function does not correctly detect reserved device names in some cases. Reserved names followed by spaces, such as "COM1 ", and reserved names "COM" and "LPT" followed by superscript 1, 2, or 3, are incorrectly reported as local. With fix, IsLocal now corr

  • CVE-2023-45283Nov 9, 2023
    affected < 0fixed 0

    The filepath package does not recognize paths with a \??\ prefix as special. On Windows, a path beginning with \??\ is a Root Local Device path equivalent to a path beginning with \\?\. Paths with a \??\ prefix may be used to access arbitrary locations on the system. For example,

  • CVE-2023-39325Oct 11, 2023
    affected < 0.6.4-r4fixed 0.6.4-r4

    A malicious HTTP/2 client which rapidly creates requests and immediately resets them can cause excessive server resource consumption. While the total number of requests is bounded by the http2.Server.MaxConcurrentStreams setting, resetting an in-progress request allows the attack

  • CVE-2023-39323Oct 5, 2023
    affected < 0.6.4-r2fixed 0.6.4-r2

    Line directives ("//line") can be used to bypass the restrictions on "//go:cgo_" directives, allowing blocked linker and compiler flags to be passed during compilation. This can result in unexpected execution of arbitrary code when running "go build". The line directive requires

  • CVE-2023-39322Sep 8, 2023
    affected < 0.6.4-r1fixed 0.6.4-r1

    QUIC connections do not set an upper bound on the amount of data buffered when reading post-handshake messages, allowing a malicious QUIC connection to cause unbounded memory growth. With fix, connections now consistently reject messages larger than 65KiB in size.

  • CVE-2023-39321Sep 8, 2023
    affected < 0.6.4-r1fixed 0.6.4-r1

    Processing an incomplete post-handshake message for a QUIC connection can cause a panic.

  • CVE-2023-39319Sep 8, 2023
    affected < 0.6.4-r1fixed 0.6.4-r1

    The html/template package does not apply the proper rules for handling occurrences of "<script", "<!--", and "</script" within JS literals in contexts. This may cause the template parser to improperly consider script contexts to be terminated early, causing actions to be

Page 2 of 3