VYPR

apk package

chainguard/pact-broker-docker-fips

pkg:apk/chainguard/pact-broker-docker-fips

Vulnerabilities (14)

  • CVE-2026-39324CriApr 7, 2026
    affected < 2.137.0.2.118.0-r2fixed 2.137.0.2.118.0-r2

    Rack::Session is a session management implementation for Rack. From 2.0.0 to before 2.1.2, Rack::Session::Cookie incorrectly handles decryption failures when configured with secrets:. If cookie decryption fails, the implementation falls back to a default decoder instead of reject

  • CVE-2026-34835MedApr 2, 2026
    affected < 2.137.0.2.118.0-r2fixed 2.137.0.2.118.0-r2

    Rack is a modular Ruby web server interface. From versions 3.0.0.beta1 to before 3.1.21, and 3.2.0 to before 3.2.6, Rack::Request parses the Host header using an AUTHORITY regular expression that accepts characters not permitted in RFC-compliant hostnames, including /, ?, #, and

  • CVE-2026-34827HigApr 2, 2026
    affected < 2.137.0.2.118.0-r2fixed 2.137.0.2.118.0-r2

    Rack is a modular Ruby web server interface. From versions 3.0.0.beta1 to before 3.1.21, and 3.2.0 to before 3.2.6, Rack::Multipart::Parser#handle_mime_head parses quoted multipart parameters such as Content-Disposition: form-data; name="..." using repeated String#index searches

  • CVE-2026-32762MedApr 2, 2026
    affected < 2.137.0.2.118.0-r2fixed 2.137.0.2.118.0-r2

    Rack is a modular Ruby web server interface. From versions 3.0.0.beta1 to before 3.1.21 and 3.2.0 to before 3.2.6, Rack::Utils.forwarded_values parses the RFC 7239 Forwarded header by splitting on semicolons before handling quoted-string values. Because quoted values may legally

  • CVE-2026-26962MedApr 2, 2026
    affected < 2.137.0.2.118.0-r2fixed 2.137.0.2.118.0-r2

    Rack is a modular Ruby web server interface. From version 3.2.0 to before version 3.2.6, Rack::Multipart::Parser unfolds folded multipart part headers incorrectly. When a multipart header contains an obs-fold sequence, Rack preserves the embedded CRLF in parsed parameter values s

  • CVE-2026-34831MedApr 2, 2026
    affected < 2.137.0.2.118.0-r2fixed 2.137.0.2.118.0-r2

    Rack is a modular Ruby web server interface. Prior to versions 2.2.23, 3.1.21, and 3.2.6, Rack::Files#fail sets the Content-Length response header using String#size instead of String#bytesize. When the response body contains multibyte UTF-8 characters, the declared Content-Length

  • CVE-2026-34830MedApr 2, 2026
    affected < 2.137.0.2.118.0-r2fixed 2.137.0.2.118.0-r2

    Rack is a modular Ruby web server interface. Prior to versions 2.2.23, 3.1.21, and 3.2.6, Rack::Sendfile#map_accel_path interpolates the value of the X-Accel-Mapping request header directly into a regular expression when rewriting file paths for X-Accel-Redirect. Because the head

  • CVE-2026-34829HigApr 2, 2026
    affected < 2.137.0.2.118.0-r2fixed 2.137.0.2.118.0-r2

    Rack is a modular Ruby web server interface. Prior to versions 2.2.23, 3.1.21, and 3.2.6, Rack::Multipart::Parser only wraps the request body in a BoundedIO when CONTENT_LENGTH is present. When a multipart/form-data request is sent without a Content-Length header, such as with HT

  • CVE-2026-34826MedApr 2, 2026
    affected < 2.137.0.2.118.0-r2fixed 2.137.0.2.118.0-r2

    Rack is a modular Ruby web server interface. Prior to versions 2.2.23, 3.1.21, and 3.2.6, Rack::Utils.get_byte_ranges parses the HTTP Range header without limiting the number of individual byte ranges. Although the existing fix for CVE-2024-26141 rejects ranges whose total byte c

  • CVE-2026-34786MedApr 2, 2026
    affected < 2.137.0.2.118.0-r2fixed 2.137.0.2.118.0-r2

    Rack is a modular Ruby web server interface. Prior to versions 2.2.23, 3.1.21, and 3.2.6, Rack::Static#applicable_rules evaluates several header_rules types against the raw URL-encoded PATH_INFO, while the underlying file-serving path is decoded before the file is served. As a re

  • CVE-2026-34785HigApr 2, 2026
    affected < 2.137.0.2.118.0-r2fixed 2.137.0.2.118.0-r2

    Rack is a modular Ruby web server interface. Prior to versions 2.2.23, 3.1.21, and 3.2.6, Rack::Static determines whether a request should be served as a static file using a simple string prefix check. When configured with URL prefixes such as "/css", it matches any request path

  • CVE-2026-34763MedApr 2, 2026
    affected < 2.137.0.2.118.0-r2fixed 2.137.0.2.118.0-r2

    Rack is a modular Ruby web server interface. Prior to versions 2.2.23, 3.1.21, and 3.2.6, Rack::Directory interpolates the configured root path directly into a regular expression when deriving the displayed directory path. If root contains regex metacharacters such as +, *, or .,

  • CVE-2026-34230MedApr 2, 2026
    affected < 2.137.0.2.118.0-r2fixed 2.137.0.2.118.0-r2

    Rack is a modular Ruby web server interface. Prior to versions 2.2.23, 3.1.21, and 3.2.6, Rack::Utils.select_best_encoding processes Accept-Encoding values with quadratic time complexity when the header contains many wildcard (*) entries. Because this method is used by Rack::Defl

  • CVE-2026-26961LowApr 2, 2026
    affected < 2.137.0.2.118.0-r2fixed 2.137.0.2.118.0-r2

    Rack is a modular Ruby web server interface. Prior to versions 2.2.23, 3.1.21, and 3.2.6, Rack::Multipart::Parser extracts the boundary parameter from multipart/form-data using a greedy regular expression. When a Content-Type header contains multiple boundary parameters, Rack sel