apk package
wolfi/dynamic-localpv-provisioner
pkg:apk/wolfi/dynamic-localpv-provisioner
Vulnerabilities (74)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2023-45283 | — | < 0 | 0 | Nov 9, 2023 | The filepath package does not recognize paths with a \??\ prefix as special. On Windows, a path beginning with \??\ is a Root Local Device path equivalent to a path beginning with \\?\. Paths with a \??\ prefix may be used to access arbitrary locations on the system. For example, | ||
| CVE-2023-39325 | — | < 3.4.1-r3 | 3.4.1-r3 | Oct 11, 2023 | A malicious HTTP/2 client which rapidly creates requests and immediately resets them can cause excessive server resource consumption. While the total number of requests is bounded by the http2.Server.MaxConcurrentStreams setting, resetting an in-progress request allows the attack | ||
| CVE-2023-44487 | Hig | 7.5 | KEV | < 3.4.1-r4 | 3.4.1-r4 | Oct 10, 2023 | The HTTP/2 protocol allows a denial of service (server resource consumption) because request cancellation can reset many streams quickly, as exploited in the wild in August through October 2023. |
| CVE-2023-3978 | — | < 3.4.1-r3 | 3.4.1-r3 | Aug 2, 2023 | Text nodes not in the HTML namespace are incorrectly literally rendered, causing text which should be escaped to not be. This could lead to an XSS attack. | ||
| CVE-2022-41723 | — | < 3.4.1-r3 | 3.4.1-r3 | Feb 28, 2023 | A maliciously crafted HTTP/2 stream could cause excessive CPU consumption in the HPACK decoder, sufficient to cause a denial of service from a small number of small requests. | ||
| CVE-2021-4238 | — | < 3.4.1-r3 | 3.4.1-r3 | Dec 27, 2022 | Randomly-generated alphanumeric strings contain significantly less entropy than expected. The RandomAlphaNumeric and CryptoRandomAlphaNumeric functions always return strings containing at least one digit from 0 to 9. This significantly reduces the amount of entropy in short strin | ||
| CVE-2021-38561 | — | < 3.4.1-r3 | 3.4.1-r3 | Dec 26, 2022 | golang.org/x/text/language in golang.org/x/text before 0.3.7 can panic with an out-of-bounds read during BCP 47 language tag parsing. Index calculation is mishandled. If parsing untrusted user input, this can be used as a vector for a denial-of-service attack. | ||
| CVE-2022-32149 | — | < 3.4.1-r3 | 3.4.1-r3 | Oct 14, 2022 | An attacker may cause a denial of service by crafting an Accept-Language header which ParseAcceptLanguage will take significant time to parse. | ||
| CVE-2022-27664 | — | < 3.4.1-r3 | 3.4.1-r3 | Sep 6, 2022 | In net/http in Go before 1.18.6 and 1.19.x before 1.19.1, attackers can cause a denial of service because an HTTP/2 connection can hang during closing if shutdown were preempted by a fatal error. | ||
| CVE-2021-43565 | — | < 3.4.1-r3 | 3.4.1-r3 | Sep 6, 2022 | The x/crypto/ssh package before 0.0.0-20211202192323-5770296d904e of golang.org/x/crypto allows an attacker to panic an SSH server. | ||
| CVE-2022-29526 | — | < 3.4.1-r3 | 3.4.1-r3 | Jun 22, 2022 | Go before 1.17.10 and 1.18.x before 1.18.2 has Incorrect Privilege Assignment. When called with a non-zero flags parameter, the Faccessat function could incorrectly report that a file is accessible. | ||
| CVE-2022-28948 | — | < 3.4.1-r3 | 3.4.1-r3 | May 19, 2022 | An issue in the Unmarshal function in Go-Yaml v3 causes the program to crash when attempting to deserialize invalid input. | ||
| CVE-2022-27191 | — | < 3.4.1-r3 | 3.4.1-r3 | Mar 18, 2022 | The golang.org/x/crypto/ssh package before 0.0.0-20220314234659-1baeb1ce4c0b for Go allows an attacker to crash a server in certain circumstances involving AddHostKey. | ||
| CVE-2022-21698 | — | < 3.4.1-r3 | 3.4.1-r3 | Feb 15, 2022 | client_golang is the instrumentation library for Go applications in Prometheus, and the promhttp package in client_golang provides tooling around HTTP servers and clients. In client_golang prior to version 1.11.1, HTTP server is susceptible to a Denial of Service through unbounde |
- CVE-2023-45283Nov 9, 2023affected < 0fixed 0
The filepath package does not recognize paths with a \??\ prefix as special. On Windows, a path beginning with \??\ is a Root Local Device path equivalent to a path beginning with \\?\. Paths with a \??\ prefix may be used to access arbitrary locations on the system. For example,
- CVE-2023-39325Oct 11, 2023affected < 3.4.1-r3fixed 3.4.1-r3
A malicious HTTP/2 client which rapidly creates requests and immediately resets them can cause excessive server resource consumption. While the total number of requests is bounded by the http2.Server.MaxConcurrentStreams setting, resetting an in-progress request allows the attack
- affected < 3.4.1-r4fixed 3.4.1-r4
The HTTP/2 protocol allows a denial of service (server resource consumption) because request cancellation can reset many streams quickly, as exploited in the wild in August through October 2023.
- CVE-2023-3978Aug 2, 2023affected < 3.4.1-r3fixed 3.4.1-r3
Text nodes not in the HTML namespace are incorrectly literally rendered, causing text which should be escaped to not be. This could lead to an XSS attack.
- CVE-2022-41723Feb 28, 2023affected < 3.4.1-r3fixed 3.4.1-r3
A maliciously crafted HTTP/2 stream could cause excessive CPU consumption in the HPACK decoder, sufficient to cause a denial of service from a small number of small requests.
- CVE-2021-4238Dec 27, 2022affected < 3.4.1-r3fixed 3.4.1-r3
Randomly-generated alphanumeric strings contain significantly less entropy than expected. The RandomAlphaNumeric and CryptoRandomAlphaNumeric functions always return strings containing at least one digit from 0 to 9. This significantly reduces the amount of entropy in short strin
- CVE-2021-38561Dec 26, 2022affected < 3.4.1-r3fixed 3.4.1-r3
golang.org/x/text/language in golang.org/x/text before 0.3.7 can panic with an out-of-bounds read during BCP 47 language tag parsing. Index calculation is mishandled. If parsing untrusted user input, this can be used as a vector for a denial-of-service attack.
- CVE-2022-32149Oct 14, 2022affected < 3.4.1-r3fixed 3.4.1-r3
An attacker may cause a denial of service by crafting an Accept-Language header which ParseAcceptLanguage will take significant time to parse.
- CVE-2022-27664Sep 6, 2022affected < 3.4.1-r3fixed 3.4.1-r3
In net/http in Go before 1.18.6 and 1.19.x before 1.19.1, attackers can cause a denial of service because an HTTP/2 connection can hang during closing if shutdown were preempted by a fatal error.
- CVE-2021-43565Sep 6, 2022affected < 3.4.1-r3fixed 3.4.1-r3
The x/crypto/ssh package before 0.0.0-20211202192323-5770296d904e of golang.org/x/crypto allows an attacker to panic an SSH server.
- CVE-2022-29526Jun 22, 2022affected < 3.4.1-r3fixed 3.4.1-r3
Go before 1.17.10 and 1.18.x before 1.18.2 has Incorrect Privilege Assignment. When called with a non-zero flags parameter, the Faccessat function could incorrectly report that a file is accessible.
- CVE-2022-28948May 19, 2022affected < 3.4.1-r3fixed 3.4.1-r3
An issue in the Unmarshal function in Go-Yaml v3 causes the program to crash when attempting to deserialize invalid input.
- CVE-2022-27191Mar 18, 2022affected < 3.4.1-r3fixed 3.4.1-r3
The golang.org/x/crypto/ssh package before 0.0.0-20220314234659-1baeb1ce4c0b for Go allows an attacker to crash a server in certain circumstances involving AddHostKey.
- CVE-2022-21698Feb 15, 2022affected < 3.4.1-r3fixed 3.4.1-r3
client_golang is the instrumentation library for Go applications in Prometheus, and the promhttp package in client_golang provides tooling around HTTP servers and clients. In client_golang prior to version 1.11.1, HTTP server is susceptible to a Denial of Service through unbounde
Page 4 of 4