apk package
chainguard/vault-1.17
pkg:apk/chainguard/vault-1.17
Vulnerabilities (70)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2024-45338 | Med | 5.3 | < 1.17.6-r2 | 1.17.6-r2 | Dec 18, 2024 | An attacker can craft an input to the Parse functions that would be processed non-linearly with respect to its length, resulting in extremely slow parsing. This could cause a denial of service. | |
| CVE-2024-45337 | Cri | 9.1 | < 1.17.6-r2 | 1.17.6-r2 | Dec 12, 2024 | Applications and libraries which misuse connection.serverAuthenticate (via callback field ServerConfig.PublicKeyCallback) may be susceptible to an authorization bypass. The documentation for ServerConfig.PublicKeyCallback says that "A call to this function does not guarantee that | |
| CVE-2024-36620 | — | < 1.17.6-r18 | 1.17.6-r18 | Nov 29, 2024 | moby v25.0.0 - v26.0.2 is vulnerable to NULL Pointer Dereference via daemon/images/image_history.go. | ||
| CVE-2024-51744 | Low | 3.1 | < 1.17.6-r1 | 1.17.6-r1 | Nov 4, 2024 | golang-jwt is a Go implementation of JSON Web Tokens. Unclear documentation of the error behavior in `ParseWithClaims` can lead to situation where users are potentially not checking errors in the way they should be. Especially, if a token is both expired and invalid, the errors r | |
| CVE-2024-7594 | — | < 1.17.6-r9 | 1.17.6-r9 | Sep 26, 2024 | Vault’s SSH secrets engine did not require the valid_principals list to contain a value by default. If the valid_principals and default_user fields of the SSH secrets engine configuration are not set, an SSH certificate requested by an authorized user to Vault’s SSH secrets engin | ||
| CVE-2024-34158 | Hig | 7.5 | < 1.17.6-r9 | 1.17.6-r9 | Sep 6, 2024 | Calling Parse on a "// +build" build tag line with deeply nested expressions can cause a panic due to stack exhaustion. | |
| CVE-2024-34156 | Hig | 7.5 | < 1.17.6-r9 | 1.17.6-r9 | Sep 6, 2024 | Calling Decoder.Decode on a message which contains deeply nested structures can cause a panic due to stack exhaustion. This is a follow-up to CVE-2022-30635. | |
| CVE-2024-34155 | Med | 4.3 | < 1.17.6-r9 | 1.17.6-r9 | Sep 6, 2024 | Calling any of the Parse functions on Go source code which contains deeply nested literals can cause a panic due to stack exhaustion. | |
| CVE-2024-41110 | Cri | 9.9 | < 1.17.6-r18 | 1.17.6-r18 | Jul 24, 2024 | Moby is an open-source project created by Docker for software containerization. A security vulnerability has been detected in certain versions of Docker Engine, which could allow an attacker to bypass authorization plugins (AuthZ) under specific circumstances. The base likelihood | |
| CVE-2024-28180 | — | < 1.17.6-r18 | 1.17.6-r18 | Mar 9, 2024 | Package jose aims to provide an implementation of the Javascript Object Signing and Encryption set of standards. An attacker could send a JWE containing compressed data that used large amounts of memory and CPU when decompressed by Decrypt or DecryptMulti. Those functions now ret |
- affected < 1.17.6-r2fixed 1.17.6-r2
An attacker can craft an input to the Parse functions that would be processed non-linearly with respect to its length, resulting in extremely slow parsing. This could cause a denial of service.
- affected < 1.17.6-r2fixed 1.17.6-r2
Applications and libraries which misuse connection.serverAuthenticate (via callback field ServerConfig.PublicKeyCallback) may be susceptible to an authorization bypass. The documentation for ServerConfig.PublicKeyCallback says that "A call to this function does not guarantee that
- CVE-2024-36620Nov 29, 2024affected < 1.17.6-r18fixed 1.17.6-r18
moby v25.0.0 - v26.0.2 is vulnerable to NULL Pointer Dereference via daemon/images/image_history.go.
- affected < 1.17.6-r1fixed 1.17.6-r1
golang-jwt is a Go implementation of JSON Web Tokens. Unclear documentation of the error behavior in `ParseWithClaims` can lead to situation where users are potentially not checking errors in the way they should be. Especially, if a token is both expired and invalid, the errors r
- CVE-2024-7594Sep 26, 2024affected < 1.17.6-r9fixed 1.17.6-r9
Vault’s SSH secrets engine did not require the valid_principals list to contain a value by default. If the valid_principals and default_user fields of the SSH secrets engine configuration are not set, an SSH certificate requested by an authorized user to Vault’s SSH secrets engin
- affected < 1.17.6-r9fixed 1.17.6-r9
Calling Parse on a "// +build" build tag line with deeply nested expressions can cause a panic due to stack exhaustion.
- affected < 1.17.6-r9fixed 1.17.6-r9
Calling Decoder.Decode on a message which contains deeply nested structures can cause a panic due to stack exhaustion. This is a follow-up to CVE-2022-30635.
- affected < 1.17.6-r9fixed 1.17.6-r9
Calling any of the Parse functions on Go source code which contains deeply nested literals can cause a panic due to stack exhaustion.
- affected < 1.17.6-r18fixed 1.17.6-r18
Moby is an open-source project created by Docker for software containerization. A security vulnerability has been detected in certain versions of Docker Engine, which could allow an attacker to bypass authorization plugins (AuthZ) under specific circumstances. The base likelihood
- CVE-2024-28180Mar 9, 2024affected < 1.17.6-r18fixed 1.17.6-r18
Package jose aims to provide an implementation of the Javascript Object Signing and Encryption set of standards. An attacker could send a JWE containing compressed data that used large amounts of memory and CPU when decompressed by Decrypt or DecryptMulti. Those functions now ret
Page 4 of 4