VYPR

apk package

wolfi/k3d-tools

pkg:apk/wolfi/k3d-tools

Vulnerabilities (132)

  • CVE-2022-40716 (Sep 23, 2022)
    affected: < 5.6.0-r11; fixed: 5.6.0-r11

    HashiCorp Consul and Consul Enterprise up to 1.11.8, 1.12.4, and 1.13.1 do not check for multiple SAN URI values in a CSR on the internal RPC endpoint, enabling leverage of privileged access to bypass service mesh intentions. Fixed in 1.11.9, 1.12.5, and 1.13.2.

  • CVE-2022-27664 (Sep 6, 2022)
    affected: < 5.6.0-r11; fixed: 5.6.0-r11

    In net/http in Go before 1.18.6 and 1.19.x before 1.19.1, attackers can cause a denial of service because an HTTP/2 connection can hang during closing if shutdown were preempted by a fatal error.

  • CVE-2021-43565 (Sep 6, 2022)
    affected: < 5.6.0-r11; fixed: 5.6.0-r11

    The x/crypto/ssh package before 0.0.0-20211202192323-5770296d904e of golang.org/x/crypto allows an attacker to panic an SSH server.

  • CVE-2022-29526 (Jun 22, 2022)
    affected: < 5.6.0-r11; fixed: 5.6.0-r11

    Go before 1.17.10 and 1.18.x before 1.18.2 has Incorrect Privilege Assignment. When called with a non-zero flags parameter, the Faccessat function could incorrectly report that a file is accessible.

  • CVE-2022-29153 (Apr 19, 2022)
    affected: < 5.6.0-r11; fixed: 5.6.0-r11

    HashiCorp Consul and Consul Enterprise up to 1.9.16, 1.10.9, and 1.11.4 may allow server side request forgery when the Consul client agent follows redirects returned by HTTP health check endpoints. Fixed in 1.9.17, 1.10.10, and 1.11.5.

  • CVE-2022-27191 (Mar 18, 2022)
    affected: < 5.6.0-r11; fixed: 5.6.0-r11

    The golang.org/x/crypto/ssh package before 0.0.0-20220314234659-1baeb1ce4c0b for Go allows an attacker to crash a server in certain circumstances involving AddHostKey.

  • CVE-2021-41802 (Oct 8, 2021)
    affected: < 5.6.0-r11; fixed: 5.6.0-r11

    HashiCorp Vault and Vault Enterprise through 1.7.4 and 1.8.3 allowed a user with write permission to an entity alias ID sharing a mount accessor with another user to acquire this other user’s policies by merging their identities. Fixed in Vault and Vault Enterprise 1.7.5 and 1.8.

  • CVE-2021-38698 (Sep 7, 2021)
    affected: < 5.6.0-r11; fixed: 5.6.0-r11

    HashiCorp Consul and Consul Enterprise 1.10.1 Txn.Apply endpoint allowed services to register proxies for other services, enabling access to service traffic. Fixed in 1.8.15, 1.9.9 and 1.10.2.

  • CVE-2021-37219 (Sep 7, 2021)
    affected: < 5.6.0-r11; fixed: 5.6.0-r11

    HashiCorp Consul and Consul Enterprise 1.10.1 Raft RPC layer allows non-server agents with a valid certificate signed by the same CA to access server-only functionality, enabling privilege escalation. Fixed in 1.8.15, 1.9.9 and 1.10.2.

  • CVE-2021-38554 (Aug 13, 2021)
    affected: < 5.6.0-r11; fixed: 5.6.0-r11

    HashiCorp Vault and Vault Enterprise’s UI erroneously cached and exposed user-viewed secrets between sessions in a single shared browser. Fixed in 1.8.0 and pending 1.7.4 / 1.6.6 releases.

  • CVE-2021-36213 (Jul 17, 2021)
    affected: < 5.6.0-r11; fixed: 5.6.0-r11

    HashiCorp Consul and Consul Enterprise 1.9.0 through 1.10.0 default deny policy with a single L7 application-aware intention deny action cancels out, causing the intention to incorrectly fail open, allowing L4 traffic. Fixed in 1.9.8 and 1.10.1.

  • CVE-2021-32574 (Jul 17, 2021)
    affected: < 5.6.0-r11; fixed: 5.6.0-r11

    HashiCorp Consul and Consul Enterprise 1.3.0 through 1.10.0 Envoy proxy TLS configuration does not validate destination service identity in the encoded subject alternative name. Fixed in 1.8.14, 1.9.8, and 1.10.1.

  • CVE-2021-32923 (Jun 3, 2021)
    affected: < 5.6.0-r11; fixed: 5.6.0-r11

    HashiCorp Vault and Vault Enterprise allowed the renewal of nearly-expired token leases and dynamic secret leases (specifically, those within 1 second of their maximum TTL), which caused them to be incorrectly treated as non-expiring during subsequent use. Fixed in 1.5.9, 1.6.5,

  • CVE-2021-31525 (May 27, 2021)
    affected: < 5.6.0-r11; fixed: 5.6.0-r11

    net/http in Go before 1.15.12 and 1.16.x before 1.16.4 allows remote attackers to cause a denial of service (panic) via a large header to ReadRequest or ReadResponse. Server, Transport, and Client can each be affected in some configurations.

  • CVE-2021-33194 (May 26, 2021)
    affected: < 5.6.0-r11; fixed: 5.6.0-r11

    golang.org/x/net before v0.0.0-20210520170846-37e1c6afe023 allows attackers to cause a denial of service (infinite loop) via crafted ParseFragment input.

  • CVE-2020-25864 (Apr 20, 2021)
    affected: < 5.6.0-r11; fixed: 5.6.0-r11

    HashiCorp Consul and Consul Enterprise up to version 1.9.4 key-value (KV) raw mode was vulnerable to cross-site scripting. Fixed in 1.9.5, 1.8.10 and 1.7.14.

  • CVE-2021-3121 (Jan 11, 2021)
    affected: < 5.6.0-r11; fixed: 5.6.0-r11

    An issue was discovered in GoGo Protobuf before 1.3.2. plugin/unmarshal/unmarshal.go lacks certain index validation, aka the "skippy peanut butter" issue.

  • CVE-2020-29652 (Dec 17, 2020)
    affected: < 5.6.0-r11; fixed: 5.6.0-r11

    A nil pointer dereference in the golang.org/x/crypto/ssh component through v0.0.0-20201203163018-be400aefbc4c for Go allows remote attackers to cause a denial of service against SSH servers.

  • CVE-2020-16250 (Aug 26, 2020)
    affected: < 5.6.0-r11; fixed: 5.6.0-r11

    HashiCorp Vault and Vault Enterprise versions 0.7.1 and newer, when configured with the AWS IAM auth method, may be vulnerable to authentication bypass. Fixed in 1.2.5, 1.3.8, 1.4.4, and 1.5.1.

  • CVE-2020-8912 (Aug 11, 2020)
    affected: < 5.6.0-r11; fixed: 5.6.0-r11

    A vulnerability in the in-band key negotiation exists in the AWS S3 Crypto SDK for GoLang versions prior to V2. An attacker with write access to the targeted bucket can change the encryption algorithm of an object in the bucket, which can then allow them to change AES-GCM to AES-

Page 6 of 7