apk package
wolfi/k3d-proxy
pkg:apk/wolfi/k3d-proxy
Vulnerabilities (150)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2021-43565 | Hig | 7.5 | < 5.6.0-r11 | 5.6.0-r11 | Sep 6, 2022 | The x/crypto/ssh package before 0.0.0-20211202192323-5770296d904e of golang.org/x/crypto allows an attacker to panic an SSH server. | |
| CVE-2022-29526 | Med | 5.3 | < 5.6.0-r11 | 5.6.0-r11 | Jun 23, 2022 | Go before 1.17.10 and 1.18.x before 1.18.2 has Incorrect Privilege Assignment. When called with a non-zero flags parameter, the Faccessat function could incorrectly report that a file is accessible. | |
| CVE-2022-29153 | Hig | 7.5 | < 5.6.0-r11 | 5.6.0-r11 | Apr 19, 2022 | HashiCorp Consul and Consul Enterprise up to 1.9.16, 1.10.9, and 1.11.4 may allow server side request forgery when the Consul client agent follows redirects returned by HTTP health check endpoints. Fixed in 1.9.17, 1.10.10, and 1.11.5. | |
| CVE-2022-27191 | Hig | 7.5 | < 5.6.0-r11 | 5.6.0-r11 | Mar 18, 2022 | The golang.org/x/crypto/ssh package before 0.0.0-20220314234659-1baeb1ce4c0b for Go allows an attacker to crash a server in certain circumstances involving AddHostKey. | |
| CVE-2021-41802 | Low | 2.9 | < 5.6.0-r11 | 5.6.0-r11 | Oct 8, 2021 | HashiCorp Vault and Vault Enterprise through 1.7.4 and 1.8.3 allowed a user with write permission to an entity alias ID sharing a mount accessor with another user to acquire this other user’s policies by merging their identities. Fixed in Vault and Vault Enterprise 1.7.5 and 1.8. | |
| CVE-2021-38698 | Med | 6.5 | < 5.6.0-r11 | 5.6.0-r11 | Sep 7, 2021 | HashiCorp Consul and Consul Enterprise 1.10.1 Txn.Apply endpoint allowed services to register proxies for other services, enabling access to service traffic. Fixed in 1.8.15, 1.9.9 and 1.10.2. | |
| CVE-2021-37219 | Hig | 8.8 | < 5.6.0-r11 | 5.6.0-r11 | Sep 7, 2021 | HashiCorp Consul and Consul Enterprise 1.10.1 Raft RPC layer allows non-server agents with a valid certificate signed by the same CA to access server-only functionality, enabling privilege escalation. Fixed in 1.8.15, 1.9.9 and 1.10.2. | |
| CVE-2021-38554 | Med | 5.3 | < 5.6.0-r11 | 5.6.0-r11 | Aug 13, 2021 | HashiCorp Vault and Vault Enterprise’s UI erroneously cached and exposed user-viewed secrets between sessions in a single shared browser. Fixed in 1.8.0 and pending 1.7.4 / 1.6.6 releases. | |
| CVE-2021-36213 | Hig | 7.5 | < 5.6.0-r11 | 5.6.0-r11 | Jul 17, 2021 | HashiCorp Consul and Consul Enterprise 1.9.0 through 1.10.0 default deny policy with a single L7 application-aware intention deny action cancels out, causing the intention to incorrectly fail open, allowing L4 traffic. Fixed in 1.9.8 and 1.10.1. | |
| CVE-2021-32574 | Hig | 7.5 | < 5.6.0-r11 | 5.6.0-r11 | Jul 17, 2021 | HashiCorp Consul and Consul Enterprise 1.3.0 through 1.10.0 Envoy proxy TLS configuration does not validate destination service identity in the encoded subject alternative name. Fixed in 1.8.14, 1.9.8, and 1.10.1. | |
| CVE-2021-32923 | Hig | 7.4 | < 5.6.0-r11 | 5.6.0-r11 | Jun 3, 2021 | HashiCorp Vault and Vault Enterprise allowed the renewal of nearly-expired token leases and dynamic secret leases (specifically, those within 1 second of their maximum TTL), which caused them to be incorrectly treated as non-expiring during subsequent use. Fixed in 1.5.9, 1.6.5, | |
| CVE-2021-31525 | Med | 5.9 | < 5.6.0-r11 | 5.6.0-r11 | May 27, 2021 | net/http in Go before 1.15.12 and 1.16.x before 1.16.4 allows remote attackers to cause a denial of service (panic) via a large header to ReadRequest or ReadResponse. Server, Transport, and Client can each be affected in some configurations. | |
| CVE-2021-33194 | Hig | 7.5 | < 5.6.0-r11 | 5.6.0-r11 | May 26, 2021 | golang.org/x/net before v0.0.0-20210520170846-37e1c6afe023 allows attackers to cause a denial of service (infinite loop) via crafted ParseFragment input. | |
| CVE-2020-25864 | Med | 6.1 | < 5.6.0-r11 | 5.6.0-r11 | Apr 20, 2021 | HashiCorp Consul and Consul Enterprise up to version 1.9.4 key-value (KV) raw mode was vulnerable to cross-site scripting. Fixed in 1.9.5, 1.8.10 and 1.7.14. | |
| CVE-2021-3121 | Hig | 8.6 | < 5.6.0-r11 | 5.6.0-r11 | Jan 11, 2021 | An issue was discovered in GoGo Protobuf before 1.3.2. plugin/unmarshal/unmarshal.go lacks certain index validation, aka the "skippy peanut butter" issue. | |
| CVE-2020-29652 | Hig | 7.5 | < 5.6.0-r11 | 5.6.0-r11 | Dec 17, 2020 | A nil pointer dereference in the golang.org/x/crypto/ssh component through v0.0.0-20201203163018-be400aefbc4c for Go allows remote attackers to cause a denial of service against SSH servers. | |
| CVE-2020-16250 | Hig | 8.2 | < 5.6.0-r11 | 5.6.0-r11 | Aug 26, 2020 | HashiCorp Vault and Vault Enterprise versions 0.7.1 and newer, when configured with the AWS IAM auth method, may be vulnerable to authentication bypass. Fixed in 1.2.5, 1.3.8, 1.4.4, and 1.5.1.. | |
| CVE-2020-8912 | Low | 2.5 | < 5.6.0-r11 | 5.6.0-r11 | Aug 11, 2020 | A vulnerability in the in-band key negotiation exists in the AWS S3 Crypto SDK for GoLang versions prior to V2. An attacker with write access to the targeted bucket can change the encryption algorithm of an object in the bucket, which can then allow them to change AES-GCM to AES- | |
| CVE-2020-8911 | Med | 5.6 | < 5.6.0-r11 | 5.6.0-r11 | Aug 11, 2020 | A padding oracle vulnerability exists in the AWS S3 Crypto SDK for GoLang versions prior to V2. The SDK allows users to encrypt files with AES-CBC without computing a Message Authentication Code (MAC), which then allows an attacker who has write access to the target's S3 bucket a | |
| CVE-2020-14040 | Hig | 7.5 | < 5.6.0-r11 | 5.6.0-r11 | Jun 17, 2020 | The x/text package before 0.3.3 for Go has a vulnerability in encoding/unicode that could lead to the UTF-16 decoder entering an infinite loop, causing the program to crash or run out of memory. An attacker could provide a single byte to a UTF16 decoder instantiated with UseBOM o |
- affected < 5.6.0-r11fixed 5.6.0-r11
The x/crypto/ssh package before 0.0.0-20211202192323-5770296d904e of golang.org/x/crypto allows an attacker to panic an SSH server.
- affected < 5.6.0-r11fixed 5.6.0-r11
Go before 1.17.10 and 1.18.x before 1.18.2 has Incorrect Privilege Assignment. When called with a non-zero flags parameter, the Faccessat function could incorrectly report that a file is accessible.
- affected < 5.6.0-r11fixed 5.6.0-r11
HashiCorp Consul and Consul Enterprise up to 1.9.16, 1.10.9, and 1.11.4 may allow server side request forgery when the Consul client agent follows redirects returned by HTTP health check endpoints. Fixed in 1.9.17, 1.10.10, and 1.11.5.
- affected < 5.6.0-r11fixed 5.6.0-r11
The golang.org/x/crypto/ssh package before 0.0.0-20220314234659-1baeb1ce4c0b for Go allows an attacker to crash a server in certain circumstances involving AddHostKey.
- affected < 5.6.0-r11fixed 5.6.0-r11
HashiCorp Vault and Vault Enterprise through 1.7.4 and 1.8.3 allowed a user with write permission to an entity alias ID sharing a mount accessor with another user to acquire this other user’s policies by merging their identities. Fixed in Vault and Vault Enterprise 1.7.5 and 1.8.
- affected < 5.6.0-r11fixed 5.6.0-r11
HashiCorp Consul and Consul Enterprise 1.10.1 Txn.Apply endpoint allowed services to register proxies for other services, enabling access to service traffic. Fixed in 1.8.15, 1.9.9 and 1.10.2.
- affected < 5.6.0-r11fixed 5.6.0-r11
HashiCorp Consul and Consul Enterprise 1.10.1 Raft RPC layer allows non-server agents with a valid certificate signed by the same CA to access server-only functionality, enabling privilege escalation. Fixed in 1.8.15, 1.9.9 and 1.10.2.
- affected < 5.6.0-r11fixed 5.6.0-r11
HashiCorp Vault and Vault Enterprise’s UI erroneously cached and exposed user-viewed secrets between sessions in a single shared browser. Fixed in 1.8.0 and pending 1.7.4 / 1.6.6 releases.
- affected < 5.6.0-r11fixed 5.6.0-r11
HashiCorp Consul and Consul Enterprise 1.9.0 through 1.10.0 default deny policy with a single L7 application-aware intention deny action cancels out, causing the intention to incorrectly fail open, allowing L4 traffic. Fixed in 1.9.8 and 1.10.1.
- affected < 5.6.0-r11fixed 5.6.0-r11
HashiCorp Consul and Consul Enterprise 1.3.0 through 1.10.0 Envoy proxy TLS configuration does not validate destination service identity in the encoded subject alternative name. Fixed in 1.8.14, 1.9.8, and 1.10.1.
- affected < 5.6.0-r11fixed 5.6.0-r11
HashiCorp Vault and Vault Enterprise allowed the renewal of nearly-expired token leases and dynamic secret leases (specifically, those within 1 second of their maximum TTL), which caused them to be incorrectly treated as non-expiring during subsequent use. Fixed in 1.5.9, 1.6.5,
- affected < 5.6.0-r11fixed 5.6.0-r11
net/http in Go before 1.15.12 and 1.16.x before 1.16.4 allows remote attackers to cause a denial of service (panic) via a large header to ReadRequest or ReadResponse. Server, Transport, and Client can each be affected in some configurations.
- affected < 5.6.0-r11fixed 5.6.0-r11
golang.org/x/net before v0.0.0-20210520170846-37e1c6afe023 allows attackers to cause a denial of service (infinite loop) via crafted ParseFragment input.
- affected < 5.6.0-r11fixed 5.6.0-r11
HashiCorp Consul and Consul Enterprise up to version 1.9.4 key-value (KV) raw mode was vulnerable to cross-site scripting. Fixed in 1.9.5, 1.8.10 and 1.7.14.
- affected < 5.6.0-r11fixed 5.6.0-r11
An issue was discovered in GoGo Protobuf before 1.3.2. plugin/unmarshal/unmarshal.go lacks certain index validation, aka the "skippy peanut butter" issue.
- affected < 5.6.0-r11fixed 5.6.0-r11
A nil pointer dereference in the golang.org/x/crypto/ssh component through v0.0.0-20201203163018-be400aefbc4c for Go allows remote attackers to cause a denial of service against SSH servers.
- affected < 5.6.0-r11fixed 5.6.0-r11
HashiCorp Vault and Vault Enterprise versions 0.7.1 and newer, when configured with the AWS IAM auth method, may be vulnerable to authentication bypass. Fixed in 1.2.5, 1.3.8, 1.4.4, and 1.5.1..
- affected < 5.6.0-r11fixed 5.6.0-r11
A vulnerability in the in-band key negotiation exists in the AWS S3 Crypto SDK for GoLang versions prior to V2. An attacker with write access to the targeted bucket can change the encryption algorithm of an object in the bucket, which can then allow them to change AES-GCM to AES-
- affected < 5.6.0-r11fixed 5.6.0-r11
A padding oracle vulnerability exists in the AWS S3 Crypto SDK for GoLang versions prior to V2. The SDK allows users to encrypt files with AES-CBC without computing a Message Authentication Code (MAC), which then allows an attacker who has write access to the target's S3 bucket a
- affected < 5.6.0-r11fixed 5.6.0-r11
The x/text package before 0.3.3 for Go has a vulnerability in encoding/unicode that could lead to the UTF-16 decoder entering an infinite loop, causing the program to crash or run out of memory. An attacker could provide a single byte to a UTF16 decoder instantiated with UseBOM o
Page 7 of 8