apk package

chainguard/vitess-20.0

pkg:apk/chainguard/vitess-20.0

Vulnerabilities (20)

CVE	Sev	CVSS	KEV	Affected versions	Fixed in	Published	Description
CVE-2025-4673	Med	6.8		< 20.0.7-r4	20.0.7-r4	Jun 11, 2025	Proxy-Authorization and Proxy-Authenticate headers persisted on cross-origin redirects potentially leaking sensitive information.
CVE-2025-22874	Hig	7.5		< 20.0.7-r4	20.0.7-r4	Jun 11, 2025	Calling Verify with a VerifyOptions.KeyUsages that contains ExtKeyUsageAny unintentionally disabledpolicy validation. This only affected certificate chains which contain policy graphs, which are rather uncommon.
CVE-2025-46565		—		< 20.0.7-r3	20.0.7-r3	May 1, 2025	Vite is a frontend tooling framework for javascript. Prior to versions 6.3.4, 6.2.7, 6.1.6, 5.4.19, and 4.5.14, the contents of files in the project root that are denied by a file matching pattern can be returned to the browser. Only apps explicitly exposing the Vite dev server t
CVE-2025-22872	Med	6.5		< 20.0.7-r2	20.0.7-r2	Apr 16, 2025	The tokenizer incorrectly interprets tags with unquoted attribute values that end with a solidus character (/) as self-closing. When directly using Tokenizer, this can result in such tags incorrectly being marked as self-closing, and when using the Parse functions, this can resul
CVE-2025-32395	Med	—		< 20.0.7-r1	20.0.7-r1	Apr 10, 2025	Vite is a frontend tooling framework for javascript. Prior to 6.2.6, 6.1.5, 6.0.15, 5.4.18, and 4.5.13, the contents of arbitrary files can be returned to the browser if the dev server is running on Node or Bun. HTTP 1.1 spec (RFC 9112) does not allow # in request-target. Althoug
CVE-2025-31486	Med	5.3		< 20.0.6-r7	20.0.6-r7	Apr 3, 2025	Vite is a frontend tooling framework for javascript. The contents of arbitrary files can be returned to the browser. By adding ?.svg with ?.wasm?init or with sec-fetch-dest: script header, the server.fs.deny restriction was able to bypass. This bypass is only possible if the file
CVE-2025-31125		—	KEV	< 20.0.6-r6	20.0.6-r6	Mar 31, 2025	Vite is a frontend tooling framework for javascript. Vite exposes content of non-allowed files using ?inline&import or ?raw?import. Only apps explicitly exposing the Vite dev server to the network (using --host or server.host config option) are affected. This vulnerability is fix
CVE-2025-30208		—		< 20.0.6-r5	20.0.6-r5	Mar 24, 2025	Vite, a provider of frontend development tooling, has a vulnerability in versions prior to 6.2.3, 6.1.2, 6.0.12, 5.4.15, and 4.5.10. `@fs` denies access to files outside of Vite serving allow list. Adding `?raw??` or `?import&raw??` to the URL bypasses this limitation and returns
CVE-2025-22870	Med	4.4		< 20.0.6-r3	20.0.6-r3	Mar 12, 2025	Matching of hosts against proxy patterns can improperly treat an IPv6 zone ID as a hostname component. For example, when the NO_PROXY environment variable is set to "*.example.com", a request to "[::1%25.example.com]:80` will incorrectly match and not be proxied.
CVE-2025-27789	Med	6.2		< 20.0.6-r4	20.0.6-r4	Mar 11, 2025	Babel is a compiler for writing next generation JavaScript. When using versions of Babel prior to 7.26.10 and 8.0.0-alpha.17 to compile regular expression named capturing groups, Babel will generate a polyfill for the `.replace` method that has quadratic complexity on some specif
CVE-2025-22868		—		< 20.0.6-r2	20.0.6-r2	Feb 26, 2025	An attacker can pass a malicious malformed token which causes unexpected memory to be consumed during parsing.
CVE-2025-22869		—		< 20.0.6-r2	20.0.6-r2	Feb 26, 2025	SSH servers which implement file transfer protocols are vulnerable to a denial of service attack from clients which complete the key exchange slowly, or not at all, causing pending content to be read into memory, but never transmitted.
CVE-2025-22866	Med	4.0		< 20.0.5-r1	20.0.5-r1	Feb 6, 2025	Due to the usage of a variable time instruction in the assembly implementation of an internal function, a small number of bits of secret scalars are leaked on the ppc64le architecture. Due to the way this function is used, we do not believe this leakage is enough to allow recover
CVE-2024-45339	Hig	7.1		< 20.0.5-r0	20.0.5-r0	Jan 28, 2025	When logs are written to a widely-writable directory (the default), an unprivileged attacker may predict a privileged process's log file path and pre-create a symbolic link to a sensitive file in its place. When that privileged process runs, it will follow the planted symlink and
CVE-2024-45337	Cri	9.1		< 20.0.4-r1	20.0.4-r1	Dec 12, 2024	Applications and libraries which misuse connection.serverAuthenticate (via callback field ServerConfig.PublicKeyCallback) may be susceptible to an authorization bypass. The documentation for ServerConfig.PublicKeyCallback says that "A call to this function does not guarantee that
CVE-2024-55565	Med	4.3		< 20.0.4-r3	20.0.4-r3	Dec 9, 2024	nanoid (aka Nano ID) before 5.0.9 mishandles non-integer values. 3.3.8 is also a fixed version.
CVE-2024-53257	Med	4.9		< 0	0	Dec 3, 2024	Vitess is a database clustering system for horizontal scaling of MySQL. The /debug/querylogz and /debug/env pages for vtgate and vttablet do not properly escape user input. The result is that queries executed by Vitess can write HTML into the monitoring page at will. These pages
CVE-2024-47764	Med	—		< 20.0.4-r3	20.0.4-r3	Oct 4, 2024	cookie is a basic HTTP cookie parser and serializer for HTTP servers. The cookie name could be used to set other fields of the cookie, resulting in an unexpected cookie value. A similar escape can be used for path and domain, which could be abused to alter other fields of the coo
CVE-2024-47068		—		< 20.0.2-r2	20.0.2-r2	Sep 23, 2024	Rollup is a module bundler for JavaScript. Versions prior to 2.79.2, 3.29.5, and 4.22.4 are susceptible to a DOM Clobbering vulnerability when bundling scripts with properties from `import.meta` (e.g., `import.meta.url`) in `cjs`/`umd`/`iife` format. The DOM Clobbering gadget can
CVE-2024-45296	Hig	7.5		< 20.0.3-r0	20.0.3-r0	Sep 9, 2024	path-to-regexp turns path strings into a regular expressions. In certain cases, path-to-regexp will output a regular expression that can be exploited to cause poor performance. Because JavaScript is single threaded and regex matching runs on the main thread, poor performance will

CVE-2025-4673MedJun 11, 2025
affected < 20.0.7-r4fixed 20.0.7-r4
Proxy-Authorization and Proxy-Authenticate headers persisted on cross-origin redirects potentially leaking sensitive information.
CVE-2025-22874HigJun 11, 2025
affected < 20.0.7-r4fixed 20.0.7-r4
Calling Verify with a VerifyOptions.KeyUsages that contains ExtKeyUsageAny unintentionally disabledpolicy validation. This only affected certificate chains which contain policy graphs, which are rather uncommon.
CVE-2025-46565May 1, 2025
affected < 20.0.7-r3fixed 20.0.7-r3
Vite is a frontend tooling framework for javascript. Prior to versions 6.3.4, 6.2.7, 6.1.6, 5.4.19, and 4.5.14, the contents of files in the project root that are denied by a file matching pattern can be returned to the browser. Only apps explicitly exposing the Vite dev server t
CVE-2025-22872MedApr 16, 2025
affected < 20.0.7-r2fixed 20.0.7-r2
The tokenizer incorrectly interprets tags with unquoted attribute values that end with a solidus character (/) as self-closing. When directly using Tokenizer, this can result in such tags incorrectly being marked as self-closing, and when using the Parse functions, this can resul
CVE-2025-32395MedApr 10, 2025
affected < 20.0.7-r1fixed 20.0.7-r1
Vite is a frontend tooling framework for javascript. Prior to 6.2.6, 6.1.5, 6.0.15, 5.4.18, and 4.5.13, the contents of arbitrary files can be returned to the browser if the dev server is running on Node or Bun. HTTP 1.1 spec (RFC 9112) does not allow # in request-target. Althoug
CVE-2025-31486MedApr 3, 2025
affected < 20.0.6-r7fixed 20.0.6-r7
Vite is a frontend tooling framework for javascript. The contents of arbitrary files can be returned to the browser. By adding ?.svg with ?.wasm?init or with sec-fetch-dest: script header, the server.fs.deny restriction was able to bypass. This bypass is only possible if the file
CVE-2025-31125KEVMar 31, 2025
affected < 20.0.6-r6fixed 20.0.6-r6
Vite is a frontend tooling framework for javascript. Vite exposes content of non-allowed files using ?inline&import or ?raw?import. Only apps explicitly exposing the Vite dev server to the network (using --host or server.host config option) are affected. This vulnerability is fix
CVE-2025-30208Mar 24, 2025
affected < 20.0.6-r5fixed 20.0.6-r5
Vite, a provider of frontend development tooling, has a vulnerability in versions prior to 6.2.3, 6.1.2, 6.0.12, 5.4.15, and 4.5.10. `@fs` denies access to files outside of Vite serving allow list. Adding `?raw??` or `?import&raw??` to the URL bypasses this limitation and returns
CVE-2025-22870MedMar 12, 2025
affected < 20.0.6-r3fixed 20.0.6-r3
Matching of hosts against proxy patterns can improperly treat an IPv6 zone ID as a hostname component. For example, when the NO_PROXY environment variable is set to "*.example.com", a request to "[::1%25.example.com]:80` will incorrectly match and not be proxied.
CVE-2025-27789MedMar 11, 2025
affected < 20.0.6-r4fixed 20.0.6-r4
Babel is a compiler for writing next generation JavaScript. When using versions of Babel prior to 7.26.10 and 8.0.0-alpha.17 to compile regular expression named capturing groups, Babel will generate a polyfill for the `.replace` method that has quadratic complexity on some specif
CVE-2025-22868Feb 26, 2025
affected < 20.0.6-r2fixed 20.0.6-r2
An attacker can pass a malicious malformed token which causes unexpected memory to be consumed during parsing.
CVE-2025-22869Feb 26, 2025
affected < 20.0.6-r2fixed 20.0.6-r2
SSH servers which implement file transfer protocols are vulnerable to a denial of service attack from clients which complete the key exchange slowly, or not at all, causing pending content to be read into memory, but never transmitted.
CVE-2025-22866MedFeb 6, 2025
affected < 20.0.5-r1fixed 20.0.5-r1
Due to the usage of a variable time instruction in the assembly implementation of an internal function, a small number of bits of secret scalars are leaked on the ppc64le architecture. Due to the way this function is used, we do not believe this leakage is enough to allow recover
CVE-2024-45339HigJan 28, 2025
affected < 20.0.5-r0fixed 20.0.5-r0
When logs are written to a widely-writable directory (the default), an unprivileged attacker may predict a privileged process's log file path and pre-create a symbolic link to a sensitive file in its place. When that privileged process runs, it will follow the planted symlink and
CVE-2024-45337CriDec 12, 2024
affected < 20.0.4-r1fixed 20.0.4-r1
Applications and libraries which misuse connection.serverAuthenticate (via callback field ServerConfig.PublicKeyCallback) may be susceptible to an authorization bypass. The documentation for ServerConfig.PublicKeyCallback says that "A call to this function does not guarantee that
CVE-2024-55565MedDec 9, 2024
affected < 20.0.4-r3fixed 20.0.4-r3
nanoid (aka Nano ID) before 5.0.9 mishandles non-integer values. 3.3.8 is also a fixed version.
CVE-2024-53257MedDec 3, 2024
affected < 0fixed 0
Vitess is a database clustering system for horizontal scaling of MySQL. The /debug/querylogz and /debug/env pages for vtgate and vttablet do not properly escape user input. The result is that queries executed by Vitess can write HTML into the monitoring page at will. These pages
CVE-2024-47764MedOct 4, 2024
affected < 20.0.4-r3fixed 20.0.4-r3
cookie is a basic HTTP cookie parser and serializer for HTTP servers. The cookie name could be used to set other fields of the cookie, resulting in an unexpected cookie value. A similar escape can be used for path and domain, which could be abused to alter other fields of the coo
CVE-2024-47068Sep 23, 2024
affected < 20.0.2-r2fixed 20.0.2-r2
Rollup is a module bundler for JavaScript. Versions prior to 2.79.2, 3.29.5, and 4.22.4 are susceptible to a DOM Clobbering vulnerability when bundling scripts with properties from `import.meta` (e.g., `import.meta.url`) in `cjs`/`umd`/`iife` format. The DOM Clobbering gadget can
CVE-2024-45296HigSep 9, 2024
affected < 20.0.3-r0fixed 20.0.3-r0
path-to-regexp turns path strings into a regular expressions. In certain cases, path-to-regexp will output a regular expression that can be exploited to cause poor performance. Because JavaScript is single threaded and regex matching runs on the main thread, poor performance will