VYPR

apk package

chainguard/xeol-fips

pkg:apk/chainguard/xeol-fips

Vulnerabilities (70)

  • CVE-2025-8959Aug 15, 2025
    affected < 0.10.8-r12fixed 0.10.8-r12

    HashiCorp's go-getter library subdirectory download feature is vulnerable to symlink attacks leading to unauthorized read access beyond the designated directory boundaries. This vulnerability, identified as CVE-2025-8959, is fixed in go-getter 1.7.9.

  • CVE-2025-47907Aug 7, 2025
    affected < 0.10.8-r10fixed 0.10.8-r10

    Cancelling a query (e.g. by cancelling the context passed to one of the query methods) during a call to the Scan method of the returned Rows can result in unexpected results if other queries are being made in parallel. This can result in a race condition that may overwrite the ex

  • CVE-2025-8556LowAug 6, 2025
    affected < 0.10.8-r8fixed 0.10.8-r8

    A flaw was found in CIRCL's implementation of the FourQ elliptic curve. This vulnerability allows an attacker to compromise session security via low-order point injection and incorrect point validation during Diffie-Hellman key exchange.

  • CVE-2025-54410Jul 30, 2025
    affected < 0.10.8-r12fixed 0.10.8-r12

    Moby is an open source container framework developed by Docker Inc. that is distributed as Docker Engine, Mirantis Container Runtime, and various other downstream projects/products. A firewalld vulnerability affects Moby releases before 28.0.0. When firewalld reloads, Docker fail

  • CVE-2025-22872MedApr 16, 2025
    affected < 0.10.8-r7fixed 0.10.8-r7

    The tokenizer incorrectly interprets tags with unquoted attribute values that end with a solidus character (/) as self-closing. When directly using Tokenizer, this can result in such tags incorrectly being marked as self-closing, and when using the Parse functions, this can resul

  • CVE-2025-30204HigMar 21, 2025
    affected < 0.10.8-r5fixed 0.10.8-r5

    golang-jwt is a Go implementation of JSON Web Tokens. Starting in version 3.2.0 and prior to versions 5.2.2 and 4.5.2, the function parse.ParseUnverified splits (via a call to strings.Split) its argument (which is untrusted data) on periods. As a result, in the face of a maliciou

  • CVE-2024-40635Mar 17, 2025
    affected < 0.10.8-r4fixed 0.10.8-r4

    containerd is an open-source container runtime. A bug was found in containerd prior to versions 1.6.38, 1.7.27, and 2.0.4 where containers launched with a User set as a `UID:GID` larger than the maximum 32-bit signed integer can cause an overflow condition where the container ult

  • CVE-2025-22870MedMar 12, 2025
    affected < 0.10.8-r2fixed 0.10.8-r2

    Matching of hosts against proxy patterns can improperly treat an IPv6 zone ID as a hostname component. For example, when the NO_PROXY environment variable is set to "*.example.com", a request to "[::1%25.example.com]:80` will incorrectly match and not be proxied.

  • CVE-2025-22868Feb 26, 2025
    affected < 0.10.8-r3fixed 0.10.8-r3

    An attacker can pass a malicious malformed token which causes unexpected memory to be consumed during parsing.

  • CVE-2025-22869Feb 26, 2025
    affected < 0.10.8-r1fixed 0.10.8-r1

    SSH servers which implement file transfer protocols are vulnerable to a denial of service attack from clients which complete the key exchange slowly, or not at all, causing pending content to be read into memory, but never transmitted.

Page 4 of 4