apk package
chainguard/mise
pkg:apk/chainguard/mise
Vulnerabilities (5)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2026-6967 | Med | 5.9 | < 2026.5.8-r0 | 2026.5.8-r0 | Apr 24, 2026 | Missing expiration, hash, and length enforcement in delegated metadata validation in awslabs/tough before tough-v0.22.0 allows remote authenticated users with delegated signing authority to bypass TUF specification integrity checks for delegated targets metadata and poison the lo | |
| CVE-2026-6966 | Med | 5.3 | < 2026.5.8-r0 | 2026.5.8-r0 | Apr 24, 2026 | Improper verification of cryptographic signature uniqueness in delegated role validation in awslabs/tough before tough-v0.22.0 allows remote authenticated users to bypass the TUF signature threshold requirement by duplicating a valid signature, causing the client to accept forged | |
| CVE-2026-33056 | — | < 2026.3.17-r0 | 2026.3.17-r0 | Mar 20, 2026 | tar-rs is a tar archive reading/writing library for Rust. In versions 0.4.44 and below, when unpacking a tar archive, the tar crate's unpack_dir function uses fs::metadata() to check whether a path that already exists is a directory. Because fs::metadata() follows symbolic links, | ||
| CVE-2026-33055 | — | < 2026.3.17-r0 | 2026.3.17-r0 | Mar 20, 2026 | tar-rs is a tar archive reading/writing library for Rust. Versions 0.4.44 and below have conditional logic that skips the PAX size header in cases where the base header size is nonzero. As part of CVE-2025-62518, the astral-tokio-tar project was changed to correctly honor PAX siz | ||
| CVE-2026-32766 | Med | 5.3 | < 2026.4.15-r0 | 2026.4.15-r0 | Mar 20, 2026 | astral-tokio-tar is a tar archive reading/writing library for async Rust. In versions 0.5.6 and earlier, malformed PAX extensions were silently skipped when parsing tar archives. This silent skipping (rather than rejection) of invalid PAX extensions could be used as a building bl |
- affected < 2026.5.8-r0fixed 2026.5.8-r0
Missing expiration, hash, and length enforcement in delegated metadata validation in awslabs/tough before tough-v0.22.0 allows remote authenticated users with delegated signing authority to bypass TUF specification integrity checks for delegated targets metadata and poison the lo
- affected < 2026.5.8-r0fixed 2026.5.8-r0
Improper verification of cryptographic signature uniqueness in delegated role validation in awslabs/tough before tough-v0.22.0 allows remote authenticated users to bypass the TUF signature threshold requirement by duplicating a valid signature, causing the client to accept forged
- CVE-2026-33056Mar 20, 2026affected < 2026.3.17-r0fixed 2026.3.17-r0
tar-rs is a tar archive reading/writing library for Rust. In versions 0.4.44 and below, when unpacking a tar archive, the tar crate's unpack_dir function uses fs::metadata() to check whether a path that already exists is a directory. Because fs::metadata() follows symbolic links,
- CVE-2026-33055Mar 20, 2026affected < 2026.3.17-r0fixed 2026.3.17-r0
tar-rs is a tar archive reading/writing library for Rust. Versions 0.4.44 and below have conditional logic that skips the PAX size header in cases where the base header size is nonzero. As part of CVE-2025-62518, the astral-tokio-tar project was changed to correctly honor PAX siz
- affected < 2026.4.15-r0fixed 2026.4.15-r0
astral-tokio-tar is a tar archive reading/writing library for async Rust. In versions 0.5.6 and earlier, malformed PAX extensions were silently skipped when parsing tar archives. This silent skipping (rather than rejection) of invalid PAX extensions could be used as a building bl