apk package
chainguard/rclone-fips
pkg:apk/chainguard/rclone-fips
Vulnerabilities (47)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2026-46602 | — | < 1.74.3-r2 | 1.74.3-r2 | Jun 27, 2026 | The TIFF decoder does not set a limit on the size of tiles in tiled images, permitting a malicious or corrupt image containing a very large tile to cause unbounded memory consumption. | ||
| CVE-2026-46604 | — | < 1.74.3-r2 | 1.74.3-r2 | Jun 27, 2026 | The TIFF decoder can panic when decoding an invalid image with an out-of-bounds strip offset. | ||
| CVE-2026-46601 | mod | 6.5 | < 1.74.3-r2 | 1.74.3-r2 | Jun 25, 2026 | golang.org/x/image/webp: golang.org/x/image/webp: Denial of Service via malformed VP8 chunk in WebP images | |
| CVE-2026-41178 | Med | 5.3 | < 1.74.3-r3 | 1.74.3-r3 | Jun 4, 2026 | OpenTelemetry-Go is the Go implementation of OpenTelemetry. Versions 1.41.0 and 1.43.0 removed raw-length rejection and it causes `Parse` to process arbitrarily large/invalid baggage headers and log errors, enabling DoS via oversized inputs. Versions 1.42.0 and 1.44.0 fix the iss | |
| CVE-2026-44740 | Med | 6.5 | < 1.74.1-r2 | 1.74.1-r2 | Jun 1, 2026 | Billy is an interface filesystem abstraction for Go. Prior to versions 5.9.0 and 6.0.0-alpha.1, multiple components may improperly handle crafted or malformed input, resulting in panics, infinite loops, uncontrolled recursion, or excessive resource consumption. These issues arise | |
| CVE-2026-44973 | Hig | 8.1 | < 1.74.1-r2 | 1.74.1-r2 | May 28, 2026 | Billy is an interface filesystem abstraction for Go. Prior to 5.9.0, multiple path traversal issues exist across different components of go-billy. Insufficient path sanitization and boundary enforcement may allow crafted paths (e.g., using ..) to escape intended base directories. | |
| CVE-2026-42501 | Hig | 7.5 | < 1.74.1-r0 | 1.74.1-r0 | May 7, 2026 | A malicious module proxy can exploit a flaw in the go command's validation of module checksums to bypass checksum database validation. This vulnerability affects any user using an untrusted module proxy (GOMODPROXY) or checksum database (GOSUMDB). A malicious module proxy can ser | |
| CVE-2026-42499 | Hig | 7.5 | < 1.74.1-r0 | 1.74.1-r0 | May 7, 2026 | Pathological inputs could cause DoS through consumePhrase when parsing an email address according to RFC 5322. | |
| CVE-2026-39836 | Hig | 7.5 | < 1.74.1-r0 | 1.74.1-r0 | May 7, 2026 | The Dial and LookupPort functions panic on Windows when provided with an input containing a NUL (0). | |
| CVE-2026-39826 | Med | 6.1 | < 1.74.1-r0 | 1.74.1-r0 | May 7, 2026 | If a trusted template author were to write a tag containing an empty 'type' attribute or a 'type' attribute with an ASCII whitespace, the execution of the template would incorrectly escape any data passed into the block. | |
| CVE-2026-39825 | Med | 5.3 | < 1.74.1-r0 | 1.74.1-r0 | May 7, 2026 | ReverseProxy can forward queries containing parameters not visible to Rewrite functions. When used with a Rewrite function, or a Director function which parses query parameters, ReverseProxy sanitizes the forwarded request to remove query parameters which are not parsed by url.Pa | |
| CVE-2026-39823 | Med | 6.1 | < 1.74.1-r0 | 1.74.1-r0 | May 7, 2026 | CVE-2026-27142 fixed a vulnerability in which URLs were not correctly escaped inside of a tag's attribute. If the URL content were to insert ASCII whitespaces around the '=' rune inside of the attribute, the escaper would fail to similarly escape it, le | |
| CVE-2026-39820 | Hig | 7.5 | < 1.74.1-r0 | 1.74.1-r0 | May 7, 2026 | Well-crafted inputs reaching ParseAddress, ParseAddressList, and ParseDate were able to trigger excessive CPU exhaustion and memory allocations. | |
| CVE-2026-39819 | Med | 5.3 | < 1.74.1-r0 | 1.74.1-r0 | May 7, 2026 | The "go bug" command writes to two files with predictable names in the system temporary directory (for example, "/tmp"). An attacker with access to the temporary directory can create a symlink in one of these names, causing "go bug" to overwrite the target of the symlink. | |
| CVE-2026-39817 | Med | 5.9 | < 1.74.1-r0 | 1.74.1-r0 | May 7, 2026 | The "go tool pack" subcommand (usually used only by the compiler as an internal tool with known-good inputs) does not sanitize output filenames. Extracting a malicious archive file with the "pack" subcommand can write files to arbitrary locations on the filesystem. | |
| CVE-2026-33814 | Hig | 7.5 | < 1.74.1-r0 | 1.74.1-r0 | May 7, 2026 | When processing HTTP/2 SETTINGS frames, transport will enter an infinite loop of writing CONTINUATION frames if it receives a SETTINGS_MAX_FRAME_SIZE with a value of 0. | |
| CVE-2026-33811 | Hig | 7.5 | < 1.74.1-r0 | 1.74.1-r0 | May 7, 2026 | When using LookupCNAME with the cgo DNS resolver, a very long CNAME response can trigger a double-free of C memory and a crash. | |
| CVE-2026-32952 | Med | 5.3 | < 1.73.5-r1 | 1.73.5-r1 | Apr 24, 2026 | go-ntlmssp is a Go package that provides NTLM/Negotiate authentication over HTTP. Prior to version 0.1.1, a malicious NTLM challenge message can causes an slice out of bounds panic, which can crash any Go process using `ntlmssp.Negotiator` as an HTTP transport. Version 0.1.1 patc | |
| CVE-2026-33813 | Hig | 7.5 | < 1.74.3-r1 | 1.74.3-r1 | Apr 21, 2026 | Parsing a WEBP image with an invalid, large size panics on 32-bit platforms. | |
| CVE-2026-32289 | Med | 6.1 | < 1.74.2-r2 | 1.74.2-r2 | Apr 8, 2026 | Context was not properly tracked across template branches for JS template literals, leading to possibly incorrect escaping of content when branches were used. Additionally template actions within JS template literals did not properly track the brace depth, leading to incorrect es |
- CVE-2026-46602Jun 27, 2026affected < 1.74.3-r2fixed 1.74.3-r2
The TIFF decoder does not set a limit on the size of tiles in tiled images, permitting a malicious or corrupt image containing a very large tile to cause unbounded memory consumption.
- CVE-2026-46604Jun 27, 2026affected < 1.74.3-r2fixed 1.74.3-r2
The TIFF decoder can panic when decoding an invalid image with an out-of-bounds strip offset.
- affected < 1.74.3-r2fixed 1.74.3-r2
golang.org/x/image/webp: golang.org/x/image/webp: Denial of Service via malformed VP8 chunk in WebP images
- affected < 1.74.3-r3fixed 1.74.3-r3
OpenTelemetry-Go is the Go implementation of OpenTelemetry. Versions 1.41.0 and 1.43.0 removed raw-length rejection and it causes `Parse` to process arbitrarily large/invalid baggage headers and log errors, enabling DoS via oversized inputs. Versions 1.42.0 and 1.44.0 fix the iss
- affected < 1.74.1-r2fixed 1.74.1-r2
Billy is an interface filesystem abstraction for Go. Prior to versions 5.9.0 and 6.0.0-alpha.1, multiple components may improperly handle crafted or malformed input, resulting in panics, infinite loops, uncontrolled recursion, or excessive resource consumption. These issues arise
- affected < 1.74.1-r2fixed 1.74.1-r2
Billy is an interface filesystem abstraction for Go. Prior to 5.9.0, multiple path traversal issues exist across different components of go-billy. Insufficient path sanitization and boundary enforcement may allow crafted paths (e.g., using ..) to escape intended base directories.
- affected < 1.74.1-r0fixed 1.74.1-r0
A malicious module proxy can exploit a flaw in the go command's validation of module checksums to bypass checksum database validation. This vulnerability affects any user using an untrusted module proxy (GOMODPROXY) or checksum database (GOSUMDB). A malicious module proxy can ser
- affected < 1.74.1-r0fixed 1.74.1-r0
Pathological inputs could cause DoS through consumePhrase when parsing an email address according to RFC 5322.
- affected < 1.74.1-r0fixed 1.74.1-r0
The Dial and LookupPort functions panic on Windows when provided with an input containing a NUL (0).
- affected < 1.74.1-r0fixed 1.74.1-r0
If a trusted template author were to write a tag containing an empty 'type' attribute or a 'type' attribute with an ASCII whitespace, the execution of the template would incorrectly escape any data passed into the block.
- affected < 1.74.1-r0fixed 1.74.1-r0
ReverseProxy can forward queries containing parameters not visible to Rewrite functions. When used with a Rewrite function, or a Director function which parses query parameters, ReverseProxy sanitizes the forwarded request to remove query parameters which are not parsed by url.Pa
- affected < 1.74.1-r0fixed 1.74.1-r0
CVE-2026-27142 fixed a vulnerability in which URLs were not correctly escaped inside of a tag's attribute. If the URL content were to insert ASCII whitespaces around the '=' rune inside of the attribute, the escaper would fail to similarly escape it, le
- affected < 1.74.1-r0fixed 1.74.1-r0
Well-crafted inputs reaching ParseAddress, ParseAddressList, and ParseDate were able to trigger excessive CPU exhaustion and memory allocations.
- affected < 1.74.1-r0fixed 1.74.1-r0
The "go bug" command writes to two files with predictable names in the system temporary directory (for example, "/tmp"). An attacker with access to the temporary directory can create a symlink in one of these names, causing "go bug" to overwrite the target of the symlink.
- affected < 1.74.1-r0fixed 1.74.1-r0
The "go tool pack" subcommand (usually used only by the compiler as an internal tool with known-good inputs) does not sanitize output filenames. Extracting a malicious archive file with the "pack" subcommand can write files to arbitrary locations on the filesystem.
- affected < 1.74.1-r0fixed 1.74.1-r0
When processing HTTP/2 SETTINGS frames, transport will enter an infinite loop of writing CONTINUATION frames if it receives a SETTINGS_MAX_FRAME_SIZE with a value of 0.
- affected < 1.74.1-r0fixed 1.74.1-r0
When using LookupCNAME with the cgo DNS resolver, a very long CNAME response can trigger a double-free of C memory and a crash.
- affected < 1.73.5-r1fixed 1.73.5-r1
go-ntlmssp is a Go package that provides NTLM/Negotiate authentication over HTTP. Prior to version 0.1.1, a malicious NTLM challenge message can causes an slice out of bounds panic, which can crash any Go process using `ntlmssp.Negotiator` as an HTTP transport. Version 0.1.1 patc
- affected < 1.74.3-r1fixed 1.74.3-r1
Parsing a WEBP image with an invalid, large size panics on 32-bit platforms.
- affected < 1.74.2-r2fixed 1.74.2-r2
Context was not properly tracked across template branches for JS template literals, leading to possibly incorrect escaping of content when branches were used. Additionally template actions within JS template literals did not properly track the brace depth, leading to incorrect es
Page 1 of 3