VYPR

apk package

wolfi/hey

pkg:apk/wolfi/hey

Vulnerabilities (79)

  • CVE-2023-45290MedMar 5, 2024
    affected < 0.1.4-r10fixed 0.1.4-r10

    When parsing a multipart form (either explicitly with Request.ParseMultipartForm or implicitly with Request.FormValue, Request.PostFormValue, or Request.FormFile), limits on the total size of the parsed form were not applied to the memory consumed while reading a single form line

  • CVE-2023-45289MedMar 5, 2024
    affected < 0.1.4-r10fixed 0.1.4-r10

    When following an HTTP redirect to a domain which is not a subdomain match or exact match of the initial domain, an http.Client does not forward sensitive headers such as "Authorization" or "Cookie". For example, a redirect from foo.com to www.foo.com will forward the Authorizati

  • CVE-2023-45285Dec 6, 2023
    affected < 0.1.4-r9fixed 0.1.4-r9

    Using go get to fetch a module with the ".git" suffix may unexpectedly fallback to the insecure "git://" protocol if the module is unavailable via the secure "https://" and "git+ssh://" protocols, even if GOINSECURE is not set for said module. This only affects users who are not

  • CVE-2023-39326Dec 6, 2023
    affected < 0.1.4-r9fixed 0.1.4-r9

    A malicious HTTP sender can use chunk extensions to cause a receiver reading from a request or response body to read many more bytes from the network than are in the body. A malicious HTTP client can further exploit this to cause a server to automatically read a large amount of d

  • CVE-2023-45284Nov 9, 2023
    affected < 0fixed 0

    On Windows, The IsLocal function does not correctly detect reserved device names in some cases. Reserved names followed by spaces, such as "COM1 ", and reserved names "COM" and "LPT" followed by superscript 1, 2, or 3, are incorrectly reported as local. With fix, IsLocal now corr

  • CVE-2023-45283Nov 9, 2023
    affected < 0fixed 0

    The filepath package does not recognize paths with a \??\ prefix as special. On Windows, a path beginning with \??\ is a Root Local Device path equivalent to a path beginning with \\?\. Paths with a \??\ prefix may be used to access arbitrary locations on the system. For example,

  • CVE-2023-39325Oct 11, 2023
    affected < 0.1.4-r8fixed 0.1.4-r8

    A malicious HTTP/2 client which rapidly creates requests and immediately resets them can cause excessive server resource consumption. While the total number of requests is bounded by the http2.Server.MaxConcurrentStreams setting, resetting an in-progress request allows the attack

  • CVE-2023-44487HigKEVOct 10, 2023
    affected < 0.1.4-r8fixed 0.1.4-r8

    The HTTP/2 protocol allows a denial of service (server resource consumption) because request cancellation can reset many streams quickly, as exploited in the wild in August through October 2023.

  • CVE-2023-3978Aug 2, 2023
    affected < 0.1.4-r8fixed 0.1.4-r8

    Text nodes not in the HTML namespace are incorrectly literally rendered, causing text which should be escaped to not be. This could lead to an XSS attack.

  • CVE-2022-41723Feb 28, 2023
    affected < 0.1.4-r3fixed 0.1.4-r3

    A maliciously crafted HTTP/2 stream could cause excessive CPU consumption in the HPACK decoder, sufficient to cause a denial of service from a small number of small requests.

  • CVE-2021-38561Dec 26, 2022
    affected < 0.1.4-r3fixed 0.1.4-r3

    golang.org/x/text/language in golang.org/x/text before 0.3.7 can panic with an out-of-bounds read during BCP 47 language tag parsing. Index calculation is mishandled. If parsing untrusted user input, this can be used as a vector for a denial-of-service attack.

  • CVE-2022-32149Oct 14, 2022
    affected < 0.1.4-r3fixed 0.1.4-r3

    An attacker may cause a denial of service by crafting an Accept-Language header which ParseAcceptLanguage will take significant time to parse.

  • CVE-2022-27664Sep 6, 2022
    affected < 0.1.4-r3fixed 0.1.4-r3

    In net/http in Go before 1.18.6 and 1.19.x before 1.19.1, attackers can cause a denial of service because an HTTP/2 connection can hang during closing if shutdown were preempted by a fatal error.

  • CVE-2021-31525May 27, 2021
    affected < 0.1.4-r3fixed 0.1.4-r3

    net/http in Go before 1.15.12 and 1.16.x before 1.16.4 allows remote attackers to cause a denial of service (panic) via a large header to ReadRequest or ReadResponse. Server, Transport, and Client can each be affected in some configurations.

  • CVE-2021-33194May 26, 2021
    affected < 0.1.4-r3fixed 0.1.4-r3

    golang.org/x/net before v0.0.0-20210520170846-37e1c6afe023 allows attackers to cause a denial of service (infinite loop) via crafted ParseFragment input.

  • CVE-2019-9512Aug 13, 2019
    affected < 0.1.4-r3fixed 0.1.4-r3

    Some HTTP/2 implementations are vulnerable to ping floods, potentially leading to a denial of service. The attacker sends continual pings to an HTTP/2 peer, causing the peer to build an internal queue of responses. Depending on how efficiently this data is queued, this can consum

  • CVE-2019-9514Aug 13, 2019
    affected < 0.1.4-r3fixed 0.1.4-r3

    Some HTTP/2 implementations are vulnerable to a reset flood, potentially leading to a denial of service. The attacker opens a number of streams and sends an invalid request over each stream that should solicit a stream of RST_STREAM frames from the peer. Depending on how the peer

  • CVE-2018-17848Oct 1, 2018
    affected < 0.1.4-r3fixed 0.1.4-r3

    The html package (aka x/net/html) through 2018-09-25 in Go mishandles , leading to a "panic: runtime error" (index out of range) in (*insertionModeStack).pop in node.go, called from inHeadIM, during an html.Parse call.

  • CVE-2018-17847Oct 1, 2018
    affected < 0.1.4-r3fixed 0.1.4-r3

    The html package (aka x/net/html) through 2018-09-25 in Go mishandles , leading to a "panic: runtime error" (index out of range) in (*nodeStack).pop in node.go, called from (*parser).clearActiveFormattingElements, during an html.Parse call.

Page 4 of 4