VYPR

apk package

chainguard/tekton-pipelines-entrypoint-1.10

pkg:apk/chainguard/tekton-pipelines-entrypoint-1.10

Vulnerabilities (11)

  • CVE-2026-42507MedJun 2, 2026
    affected < 1.10.2-r12fixed 1.10.2-r12

    When returning errors, functions in the net/textproto package would include its input as part of the error. This might allow an attacker to inject misleading content to errors that are printed or logged.

  • CVE-2026-42504HigJun 2, 2026
    affected < 0fixed 0

    Decoding a maliciously-crafted MIME header containing many invalid encoded-words can consume excessive CPU.

  • CVE-2026-27145MedJun 2, 2026
    affected < 1.10.2-r12fixed 1.10.2-r12

    (*x509.Certificate).VerifyHostname previously called matchHostnames in a loop over all DNS Subject Alternative Name (SAN) entries. This caused strings.Split(host, ".") to execute repeatedly on the same input hostname. With a large DNS SAN list, verification costs scaled quadratic

  • CVE-2026-33814HigMay 7, 2026
    affected < 1.10.2-r8fixed 1.10.2-r8

    When processing HTTP/2 SETTINGS frames, transport will enter an infinite loop of writing CONTINUATION frames if it receives a SETTINGS_MAX_FRAME_SIZE with a value of 0.

  • CVE-2026-39883HigApr 8, 2026
    affected < 1.10.2-r11fixed 1.10.2-r11

    OpenTelemetry-Go is the Go implementation of OpenTelemetry. From 1.15.0 to 1.42.0, the fix for CVE-2026-24051 changed the Darwin ioreg command to use an absolute path but left the BSD kenv command using a bare name, allowing the same PATH hijacking attack on BSD and Solaris platf

  • CVE-2026-39882MedApr 8, 2026
    affected < 1.10.2-r6fixed 1.10.2-r6

    OpenTelemetry-Go is the Go implementation of OpenTelemetry. Prior to 1.43.0, the otlp HTTP exporters (traces/metrics/logs) read the full HTTP response body into an in-memory bytes.Buffer without a size cap. This is exploitable for memory exhaustion when the configured collector e

  • CVE-2026-34986HigApr 6, 2026
    affected < 1.10.2-r3fixed 1.10.2-r3

    Go JOSE provides an implementation of the Javascript Object Signing and Encryption set of standards in Go, including support for JSON Web Encryption (JWE), JSON Web Signature (JWS), and JSON Web Token (JWT) standards. Prior to 4.1.4 and 3.0.5, decrypting a JSON Web Encryption (JW

  • CVE-2026-33186CriMar 20, 2026
    affected < 1.10.2-r1fixed 1.10.2-r1

    gRPC-Go is the Go language implementation of gRPC. Versions prior to 1.79.3 have an authorization bypass resulting from improper input validation of the HTTP/2 `:path` pseudo-header. The gRPC-Go server was too lenient in its routing logic, accepting requests where the `:path` omi

  • CVE-2026-33022Mar 20, 2026
    affected < 1.10.2-r0fixed 1.10.2-r0

    Tekton Pipelines project provides k8s-style resources for declaring CI/CD-style pipelines. Versions 0.60.0 through 1.0.0, 1.1.0 through 1.3.2, 1.4.0 through 1.6.0, 1.7.0 through 1.9.0, 1.10.0, and 1.10.1 have a denial-of-service vulnerability in that allows any user who can creat

  • CVE-2026-27141HigFeb 26, 2026
    affected < 1.10.0-r1fixed 1.10.0-r1

    Due to missing nil check, sending 0x0a-0x0f HTTP/2 frames will cause a running server to panic

  • CVE-2023-37264Jul 7, 2023
    affected < 0fixed 0

    Tekton Pipelines project provides k8s-style resources for declaring CI/CD-style pipelines. Starting in version 0.35.0, pipelines do not validate child UIDs, which means that a user that has access to create TaskRuns can create their own Tasks that the Pipelines controller will ac