apk package

chainguard/vitess-19.0

pkg:apk/chainguard/vitess-19.0

Vulnerabilities (20)

CVE	Sev	CVSS	KEV	Affected versions	Fixed in	Published	Description
CVE-2025-4673	Med	6.8		< 19.0.10-r10	19.0.10-r10	Jun 11, 2025	Proxy-Authorization and Proxy-Authenticate headers persisted on cross-origin redirects potentially leaking sensitive information.
CVE-2025-22874	Hig	7.5		< 19.0.10-r10	19.0.10-r10	Jun 11, 2025	Calling Verify with a VerifyOptions.KeyUsages that contains ExtKeyUsageAny unintentionally disabledpolicy validation. This only affected certificate chains which contain policy graphs, which are rather uncommon.
CVE-2025-46565		—		< 19.0.10-r9	19.0.10-r9	May 1, 2025	Vite is a frontend tooling framework for javascript. Prior to versions 6.3.4, 6.2.7, 6.1.6, 5.4.19, and 4.5.14, the contents of files in the project root that are denied by a file matching pattern can be returned to the browser. Only apps explicitly exposing the Vite dev server t
CVE-2025-22872	Med	6.5		< 19.0.10-r8	19.0.10-r8	Apr 16, 2025	The tokenizer incorrectly interprets tags with unquoted attribute values that end with a solidus character (/) as self-closing. When directly using Tokenizer, this can result in such tags incorrectly being marked as self-closing, and when using the Parse functions, this can resul
CVE-2025-32395	Med	—		< 19.0.10-r7	19.0.10-r7	Apr 10, 2025	Vite is a frontend tooling framework for javascript. Prior to 6.2.6, 6.1.5, 6.0.15, 5.4.18, and 4.5.13, the contents of arbitrary files can be returned to the browser if the dev server is running on Node or Bun. HTTP 1.1 spec (RFC 9112) does not allow # in request-target. Althoug
CVE-2025-31486	Med	5.3		< 19.0.10-r6	19.0.10-r6	Apr 3, 2025	Vite is a frontend tooling framework for javascript. The contents of arbitrary files can be returned to the browser. By adding ?.svg with ?.wasm?init or with sec-fetch-dest: script header, the server.fs.deny restriction was able to bypass. This bypass is only possible if the file
CVE-2025-31125		—	KEV	< 19.0.10-r5	19.0.10-r5	Mar 31, 2025	Vite is a frontend tooling framework for javascript. Vite exposes content of non-allowed files using ?inline&import or ?raw?import. Only apps explicitly exposing the Vite dev server to the network (using --host or server.host config option) are affected. This vulnerability is fix
CVE-2025-30208		—		< 19.0.10-r4	19.0.10-r4	Mar 24, 2025	Vite, a provider of frontend development tooling, has a vulnerability in versions prior to 6.2.3, 6.1.2, 6.0.12, 5.4.15, and 4.5.10. `@fs` denies access to files outside of Vite serving allow list. Adding `?raw??` or `?import&raw??` to the URL bypasses this limitation and returns
CVE-2025-22868		—		< 19.0.10-r2	19.0.10-r2	Feb 26, 2025	An attacker can pass a malicious malformed token which causes unexpected memory to be consumed during parsing.
CVE-2025-22869		—		< 19.0.10-r2	19.0.10-r2	Feb 26, 2025	SSH servers which implement file transfer protocols are vulnerable to a denial of service attack from clients which complete the key exchange slowly, or not at all, causing pending content to be read into memory, but never transmitted.
CVE-2025-22866	Med	4.0		< 19.0.9-r1	19.0.9-r1	Feb 6, 2025	Due to the usage of a variable time instruction in the assembly implementation of an internal function, a small number of bits of secret scalars are leaked on the ppc64le architecture. Due to the way this function is used, we do not believe this leakage is enough to allow recover
CVE-2024-45341	Med	6.1		< 19.0.9-r0	19.0.9-r0	Jan 28, 2025	A certificate with a URI which has a IPv6 address with a zone ID may incorrectly satisfy a URI name constraint that applies to the certificate chain. Certificates containing URIs are not permitted in the web PKI, so this only affects users of private PKIs which make use of URIs.
CVE-2024-45339	Hig	7.1		< 19.0.9-r0	19.0.9-r0	Jan 28, 2025	When logs are written to a widely-writable directory (the default), an unprivileged attacker may predict a privileged process's log file path and pre-create a symbolic link to a sensitive file in its place. When that privileged process runs, it will follow the planted symlink and
CVE-2024-45336	Med	6.1		< 19.0.9-r0	19.0.9-r0	Jan 28, 2025	The HTTP client drops sensitive headers after following a cross-domain redirect. For example, a request to a.com/ containing an Authorization header which is redirected to b.com/ will not send that header to b.com. In the event that the client received a subsequent same-domain re
CVE-2025-24010		—		< 19.0.9-r0	19.0.9-r0	Jan 20, 2025	Vite is a frontend tooling framework for javascript. Vite allowed any websites to send any requests to the development server and read the response due to default CORS settings and lack of validation on the Origin header for WebSocket connections. This vulnerability is fixed in 6
CVE-2024-45338	Med	5.3		< 19.0.8-r1	19.0.8-r1	Dec 18, 2024	An attacker can craft an input to the Parse functions that would be processed non-linearly with respect to its length, resulting in extremely slow parsing. This could cause a denial of service.
CVE-2024-45337	Cri	9.1		< 19.0.10-r3	19.0.10-r3	Dec 12, 2024	Applications and libraries which misuse connection.serverAuthenticate (via callback field ServerConfig.PublicKeyCallback) may be susceptible to an authorization bypass. The documentation for ServerConfig.PublicKeyCallback says that "A call to this function does not guarantee that
CVE-2024-55565	Med	4.3		< 19.0.8-r2	19.0.8-r2	Dec 9, 2024	nanoid (aka Nano ID) before 5.0.9 mishandles non-integer values. 3.3.8 is also a fixed version.
CVE-2024-53257	Med	4.9		< 0	0	Dec 3, 2024	Vitess is a database clustering system for horizontal scaling of MySQL. The /debug/querylogz and /debug/env pages for vtgate and vttablet do not properly escape user input. The result is that queries executed by Vitess can write HTML into the monitoring page at will. These pages
CVE-2024-47764	Med	—		< 19.0.8-r2	19.0.8-r2	Oct 4, 2024	cookie is a basic HTTP cookie parser and serializer for HTTP servers. The cookie name could be used to set other fields of the cookie, resulting in an unexpected cookie value. A similar escape can be used for path and domain, which could be abused to alter other fields of the coo

CVE-2025-4673MedJun 11, 2025
affected < 19.0.10-r10fixed 19.0.10-r10
Proxy-Authorization and Proxy-Authenticate headers persisted on cross-origin redirects potentially leaking sensitive information.
CVE-2025-22874HigJun 11, 2025
affected < 19.0.10-r10fixed 19.0.10-r10
Calling Verify with a VerifyOptions.KeyUsages that contains ExtKeyUsageAny unintentionally disabledpolicy validation. This only affected certificate chains which contain policy graphs, which are rather uncommon.
CVE-2025-46565May 1, 2025
affected < 19.0.10-r9fixed 19.0.10-r9
Vite is a frontend tooling framework for javascript. Prior to versions 6.3.4, 6.2.7, 6.1.6, 5.4.19, and 4.5.14, the contents of files in the project root that are denied by a file matching pattern can be returned to the browser. Only apps explicitly exposing the Vite dev server t
CVE-2025-22872MedApr 16, 2025
affected < 19.0.10-r8fixed 19.0.10-r8
The tokenizer incorrectly interprets tags with unquoted attribute values that end with a solidus character (/) as self-closing. When directly using Tokenizer, this can result in such tags incorrectly being marked as self-closing, and when using the Parse functions, this can resul
CVE-2025-32395MedApr 10, 2025
affected < 19.0.10-r7fixed 19.0.10-r7
Vite is a frontend tooling framework for javascript. Prior to 6.2.6, 6.1.5, 6.0.15, 5.4.18, and 4.5.13, the contents of arbitrary files can be returned to the browser if the dev server is running on Node or Bun. HTTP 1.1 spec (RFC 9112) does not allow # in request-target. Althoug
CVE-2025-31486MedApr 3, 2025
affected < 19.0.10-r6fixed 19.0.10-r6
Vite is a frontend tooling framework for javascript. The contents of arbitrary files can be returned to the browser. By adding ?.svg with ?.wasm?init or with sec-fetch-dest: script header, the server.fs.deny restriction was able to bypass. This bypass is only possible if the file
CVE-2025-31125KEVMar 31, 2025
affected < 19.0.10-r5fixed 19.0.10-r5
Vite is a frontend tooling framework for javascript. Vite exposes content of non-allowed files using ?inline&import or ?raw?import. Only apps explicitly exposing the Vite dev server to the network (using --host or server.host config option) are affected. This vulnerability is fix
CVE-2025-30208Mar 24, 2025
affected < 19.0.10-r4fixed 19.0.10-r4
Vite, a provider of frontend development tooling, has a vulnerability in versions prior to 6.2.3, 6.1.2, 6.0.12, 5.4.15, and 4.5.10. `@fs` denies access to files outside of Vite serving allow list. Adding `?raw??` or `?import&raw??` to the URL bypasses this limitation and returns
CVE-2025-22868Feb 26, 2025
affected < 19.0.10-r2fixed 19.0.10-r2
An attacker can pass a malicious malformed token which causes unexpected memory to be consumed during parsing.
CVE-2025-22869Feb 26, 2025
affected < 19.0.10-r2fixed 19.0.10-r2
SSH servers which implement file transfer protocols are vulnerable to a denial of service attack from clients which complete the key exchange slowly, or not at all, causing pending content to be read into memory, but never transmitted.
CVE-2025-22866MedFeb 6, 2025
affected < 19.0.9-r1fixed 19.0.9-r1
Due to the usage of a variable time instruction in the assembly implementation of an internal function, a small number of bits of secret scalars are leaked on the ppc64le architecture. Due to the way this function is used, we do not believe this leakage is enough to allow recover
CVE-2024-45341MedJan 28, 2025
affected < 19.0.9-r0fixed 19.0.9-r0
A certificate with a URI which has a IPv6 address with a zone ID may incorrectly satisfy a URI name constraint that applies to the certificate chain. Certificates containing URIs are not permitted in the web PKI, so this only affects users of private PKIs which make use of URIs.
CVE-2024-45339HigJan 28, 2025
affected < 19.0.9-r0fixed 19.0.9-r0
When logs are written to a widely-writable directory (the default), an unprivileged attacker may predict a privileged process's log file path and pre-create a symbolic link to a sensitive file in its place. When that privileged process runs, it will follow the planted symlink and
CVE-2024-45336MedJan 28, 2025
affected < 19.0.9-r0fixed 19.0.9-r0
The HTTP client drops sensitive headers after following a cross-domain redirect. For example, a request to a.com/ containing an Authorization header which is redirected to b.com/ will not send that header to b.com. In the event that the client received a subsequent same-domain re
CVE-2025-24010Jan 20, 2025
affected < 19.0.9-r0fixed 19.0.9-r0
Vite is a frontend tooling framework for javascript. Vite allowed any websites to send any requests to the development server and read the response due to default CORS settings and lack of validation on the Origin header for WebSocket connections. This vulnerability is fixed in 6
CVE-2024-45338MedDec 18, 2024
affected < 19.0.8-r1fixed 19.0.8-r1
An attacker can craft an input to the Parse functions that would be processed non-linearly with respect to its length, resulting in extremely slow parsing. This could cause a denial of service.
CVE-2024-45337CriDec 12, 2024
affected < 19.0.10-r3fixed 19.0.10-r3
Applications and libraries which misuse connection.serverAuthenticate (via callback field ServerConfig.PublicKeyCallback) may be susceptible to an authorization bypass. The documentation for ServerConfig.PublicKeyCallback says that "A call to this function does not guarantee that
CVE-2024-55565MedDec 9, 2024
affected < 19.0.8-r2fixed 19.0.8-r2
nanoid (aka Nano ID) before 5.0.9 mishandles non-integer values. 3.3.8 is also a fixed version.
CVE-2024-53257MedDec 3, 2024
affected < 0fixed 0
Vitess is a database clustering system for horizontal scaling of MySQL. The /debug/querylogz and /debug/env pages for vtgate and vttablet do not properly escape user input. The result is that queries executed by Vitess can write HTML into the monitoring page at will. These pages
CVE-2024-47764MedOct 4, 2024
affected < 19.0.8-r2fixed 19.0.8-r2
cookie is a basic HTTP cookie parser and serializer for HTTP servers. The cookie name could be used to set other fields of the cookie, resulting in an unexpected cookie value. A similar escape can be used for path and domain, which could be abused to alter other fields of the coo