apk package

chainguard/temporal-server-fips

pkg:apk/chainguard/temporal-server-fips

Vulnerabilities (58)

CVE	Sev	CVSS	Affected versions	Fixed in	Published	Description
CVE-2024-45341	Med	6.1	< 1.26.2-r1	1.26.2-r1	Jan 28, 2025	A certificate with a URI which has a IPv6 address with a zone ID may incorrectly satisfy a URI name constraint that applies to the certificate chain. Certificates containing URIs are not permitted in the web PKI, so this only affects users of private PKIs which make use of URIs.
CVE-2024-45336	Med	6.1	< 1.26.2-r1	1.26.2-r1	Jan 28, 2025	The HTTP client drops sensitive headers after following a cross-domain redirect. For example, a request to a.com/ containing an Authorization header which is redirected to b.com/ will not send that header to b.com. In the event that the client received a subsequent same-domain re
CVE-2024-45338	Med	5.3	< 1.25.2-r3	1.25.2-r3	Dec 18, 2024	An attacker can craft an input to the Parse functions that would be processed non-linearly with respect to its length, resulting in extremely slow parsing. This could cause a denial of service.
CVE-2024-45337	Cri	9.1	< 1.25.2-r2	1.25.2-r2	Dec 12, 2024	Applications and libraries which misuse connection.serverAuthenticate (via callback field ServerConfig.PublicKeyCallback) may be susceptible to an authorization bypass. The documentation for ServerConfig.PublicKeyCallback says that "A call to this function does not guarantee that
CVE-2024-51744	Low	3.1	< 1.27.1-r3	1.27.1-r3	Nov 4, 2024	golang-jwt is a Go implementation of JSON Web Tokens. Unclear documentation of the error behavior in `ParseWithClaims` can lead to situation where users are potentially not checking errors in the way they should be. Especially, if a token is both expired and invalid, the errors r
CVE-2023-45288	Hig	7.5	< 1.23.0-r4	1.23.0-r4	Apr 4, 2024	An attacker may cause an HTTP/2 endpoint to read arbitrary amounts of header data by sending an excessive number of CONTINUATION frames. Maintaining HPACK state requires parsing and processing all HEADERS and CONTINUATION frames on a connection. When a request's headers exceed Ma
CVE-2024-27304	Cri	9.8	< 1.23.0-r1	1.23.0-r1	Mar 6, 2024	pgx is a PostgreSQL driver and toolkit for Go. SQL injection can occur if an attacker can cause a single query or bind message to exceed 4 GB in size. An integer overflow in the calculated message size can cause the one large message to be sent as multiple messages under the atta
CVE-2024-24786	Hig	7.5	< 1.22.6-r2	1.22.6-r2	Mar 5, 2024	The protojson.Unmarshal function can enter an infinite loop when unmarshaling certain forms of invalid JSON. This condition can occur when unmarshaling into a message which contains a google.protobuf.Any value, or when the UnmarshalOptions.DiscardUnknown option is set.
CVE-2024-24785	Med	5.4	< 1.22.6-r1	1.22.6-r1	Mar 5, 2024	If errors returned from MarshalJSON methods contain user controlled data, they may be used to break the contextual auto-escaping behavior of the html/template package, allowing for subsequent actions to inject unexpected content into templates.
CVE-2024-24784	Hig	7.5	< 1.22.6-r1	1.22.6-r1	Mar 5, 2024	The ParseAddressList function incorrectly handles comments (text within parentheses) within display names. Since this is a misalignment with conforming address parsers, it can result in different trust decisions being made by programs using different parsers.
CVE-2024-24783	Med	5.9	< 1.22.6-r1	1.22.6-r1	Mar 5, 2024	Verifying a certificate chain which contains a certificate with an unknown public key algorithm will cause Certificate.Verify to panic. This affects all crypto/tls clients, and servers that set Config.ClientAuth to VerifyClientCertIfGiven or RequireAndVerifyClientCert. The defaul
CVE-2023-45290	Med	6.5	< 1.22.6-r1	1.22.6-r1	Mar 5, 2024	When parsing a multipart form (either explicitly with Request.ParseMultipartForm or implicitly with Request.FormValue, Request.PostFormValue, or Request.FormFile), limits on the total size of the parsed form were not applied to the memory consumed while reading a single form line
CVE-2023-45289	Med	4.3	< 1.22.6-r1	1.22.6-r1	Mar 5, 2024	When following an HTTP redirect to a domain which is not a subdomain match or exact match of the initial domain, an http.Client does not forward sensitive headers such as "Authorization" or "Cookie". For example, a redirect from foo.com to www.foo.com will forward the Authorizati
CVE-2023-48795	Med	5.9	< 1.22.3-r2	1.22.3-r2	Dec 18, 2023	The SSH transport protocol with certain OpenSSH extensions, found in OpenSSH before 9.6 and other products, allows remote attackers to bypass integrity checks such that some packets are omitted (from the extension negotiation message), and a client and server may consequently end
CVE-2023-47108		—	< 1.23.0-r0	1.23.0-r0	Nov 10, 2023	OpenTelemetry-Go Contrib is a collection of third-party packages for OpenTelemetry-Go. Starting in version 0.37.0 and prior to version 0.46.0, the grpc Unary Server Interceptor out of the box adds labels `net.peer.sock.addr` and `net.peer.sock.port` that have unbound cardinality.
CVE-2023-45284		—	< 0	0	Nov 9, 2023	On Windows, The IsLocal function does not correctly detect reserved device names in some cases. Reserved names followed by spaces, such as "COM1 ", and reserved names "COM" and "LPT" followed by superscript 1, 2, or 3, are incorrectly reported as local. With fix, IsLocal now corr
CVE-2023-45283		—	< 0	0	Nov 9, 2023	The filepath package does not recognize paths with a \??\ prefix as special. On Windows, a path beginning with \??\ is a Root Local Device path equivalent to a path beginning with \\?\. Paths with a \??\ prefix may be used to access arbitrary locations on the system. For example,
CVE-2023-3485		—	< 0	0	Jun 30, 2023	Insecure defaults in open-source Temporal Server before version 1.20 on all platforms allows an attacker to craft a task token with access to a namespace other than the one specified in the request. Creation of this task token must be done outside of the normal Temporal server fl

CVE-2024-45341MedJan 28, 2025
affected < 1.26.2-r1fixed 1.26.2-r1
A certificate with a URI which has a IPv6 address with a zone ID may incorrectly satisfy a URI name constraint that applies to the certificate chain. Certificates containing URIs are not permitted in the web PKI, so this only affects users of private PKIs which make use of URIs.
CVE-2024-45336MedJan 28, 2025
affected < 1.26.2-r1fixed 1.26.2-r1
The HTTP client drops sensitive headers after following a cross-domain redirect. For example, a request to a.com/ containing an Authorization header which is redirected to b.com/ will not send that header to b.com. In the event that the client received a subsequent same-domain re
CVE-2024-45338MedDec 18, 2024
affected < 1.25.2-r3fixed 1.25.2-r3
An attacker can craft an input to the Parse functions that would be processed non-linearly with respect to its length, resulting in extremely slow parsing. This could cause a denial of service.
CVE-2024-45337CriDec 12, 2024
affected < 1.25.2-r2fixed 1.25.2-r2
Applications and libraries which misuse connection.serverAuthenticate (via callback field ServerConfig.PublicKeyCallback) may be susceptible to an authorization bypass. The documentation for ServerConfig.PublicKeyCallback says that "A call to this function does not guarantee that
CVE-2024-51744LowNov 4, 2024
affected < 1.27.1-r3fixed 1.27.1-r3
golang-jwt is a Go implementation of JSON Web Tokens. Unclear documentation of the error behavior in `ParseWithClaims` can lead to situation where users are potentially not checking errors in the way they should be. Especially, if a token is both expired and invalid, the errors r
CVE-2023-45288HigApr 4, 2024
affected < 1.23.0-r4fixed 1.23.0-r4
An attacker may cause an HTTP/2 endpoint to read arbitrary amounts of header data by sending an excessive number of CONTINUATION frames. Maintaining HPACK state requires parsing and processing all HEADERS and CONTINUATION frames on a connection. When a request's headers exceed Ma
CVE-2024-27304CriMar 6, 2024
affected < 1.23.0-r1fixed 1.23.0-r1
pgx is a PostgreSQL driver and toolkit for Go. SQL injection can occur if an attacker can cause a single query or bind message to exceed 4 GB in size. An integer overflow in the calculated message size can cause the one large message to be sent as multiple messages under the atta
CVE-2024-24786HigMar 5, 2024
affected < 1.22.6-r2fixed 1.22.6-r2
The protojson.Unmarshal function can enter an infinite loop when unmarshaling certain forms of invalid JSON. This condition can occur when unmarshaling into a message which contains a google.protobuf.Any value, or when the UnmarshalOptions.DiscardUnknown option is set.
CVE-2024-24785MedMar 5, 2024
affected < 1.22.6-r1fixed 1.22.6-r1
If errors returned from MarshalJSON methods contain user controlled data, they may be used to break the contextual auto-escaping behavior of the html/template package, allowing for subsequent actions to inject unexpected content into templates.
CVE-2024-24784HigMar 5, 2024
affected < 1.22.6-r1fixed 1.22.6-r1
The ParseAddressList function incorrectly handles comments (text within parentheses) within display names. Since this is a misalignment with conforming address parsers, it can result in different trust decisions being made by programs using different parsers.
CVE-2024-24783MedMar 5, 2024
affected < 1.22.6-r1fixed 1.22.6-r1
Verifying a certificate chain which contains a certificate with an unknown public key algorithm will cause Certificate.Verify to panic. This affects all crypto/tls clients, and servers that set Config.ClientAuth to VerifyClientCertIfGiven or RequireAndVerifyClientCert. The defaul
CVE-2023-45290MedMar 5, 2024
affected < 1.22.6-r1fixed 1.22.6-r1
When parsing a multipart form (either explicitly with Request.ParseMultipartForm or implicitly with Request.FormValue, Request.PostFormValue, or Request.FormFile), limits on the total size of the parsed form were not applied to the memory consumed while reading a single form line
CVE-2023-45289MedMar 5, 2024
affected < 1.22.6-r1fixed 1.22.6-r1
When following an HTTP redirect to a domain which is not a subdomain match or exact match of the initial domain, an http.Client does not forward sensitive headers such as "Authorization" or "Cookie". For example, a redirect from foo.com to www.foo.com will forward the Authorizati
CVE-2023-48795MedDec 18, 2023
affected < 1.22.3-r2fixed 1.22.3-r2
The SSH transport protocol with certain OpenSSH extensions, found in OpenSSH before 9.6 and other products, allows remote attackers to bypass integrity checks such that some packets are omitted (from the extension negotiation message), and a client and server may consequently end
CVE-2023-47108Nov 10, 2023
affected < 1.23.0-r0fixed 1.23.0-r0
OpenTelemetry-Go Contrib is a collection of third-party packages for OpenTelemetry-Go. Starting in version 0.37.0 and prior to version 0.46.0, the grpc Unary Server Interceptor out of the box adds labels `net.peer.sock.addr` and `net.peer.sock.port` that have unbound cardinality.
CVE-2023-45284Nov 9, 2023
affected < 0fixed 0
On Windows, The IsLocal function does not correctly detect reserved device names in some cases. Reserved names followed by spaces, such as "COM1 ", and reserved names "COM" and "LPT" followed by superscript 1, 2, or 3, are incorrectly reported as local. With fix, IsLocal now corr
CVE-2023-45283Nov 9, 2023
affected < 0fixed 0
The filepath package does not recognize paths with a \??\ prefix as special. On Windows, a path beginning with \??\ is a Root Local Device path equivalent to a path beginning with \\?\. Paths with a \??\ prefix may be used to access arbitrary locations on the system. For example,
CVE-2023-3485Jun 30, 2023
affected < 0fixed 0
Insecure defaults in open-source Temporal Server before version 1.20 on all platforms allows an attacker to craft a task token with access to a namespace other than the one specified in the request. Creation of this task token must be done outside of the normal Temporal server fl

Page 3 of 3