VYPR

apk package

wolfi/kube-logging-operator-config-reloader

pkg:apk/wolfi/kube-logging-operator-config-reloader

Vulnerabilities (40)

  • CVE-2025-61726Jan 28, 2026
    affected < 0fixed 0

    The net/url package does not set a limit on the number of query parameters in a query. While the maximum size of query parameters in URLs is generally limited by the maximum request header size, the net/http.Request.ParseForm method can parse large URL-encoded forms. Parsing a la

  • CVE-2025-61730Jan 28, 2026
    affected < 6.3.2-r1fixed 6.3.2-r1

    During the TLS 1.3 handshake if multiple messages are sent in records that span encryption level boundaries (for instance the Client Hello and Encrypted Extensions messages), the subsequent messages may be processed before the encryption level changes. This can cause some minor i

  • CVE-2025-61731Jan 28, 2026
    affected < 6.3.2-r1fixed 6.3.2-r1

    Building a malicious file with cmd/go can cause can cause a write to an attacker-controlled file with partial control of the file content. The "#cgo pkg-config:" directive in a Go source file provides command-line arguments to provide to the Go pkg-config command. An attacker can

  • CVE-2025-68119Jan 28, 2026
    affected < 6.3.2-r1fixed 6.3.2-r1

    Downloading and building modules with malicious version strings can cause local code execution. On systems with Mercurial (hg) installed, downloading modules from non-standard sources (e.g., custom domains) can cause unexpected code execution due to how external VCS commands are

  • CVE-2025-61729Dec 2, 2025
    affected < 6.2.1-r1fixed 6.2.1-r1

    Within HostnameError.Error(), when constructing an error string, there is no limit to the number of hosts that will be printed out. Furthermore, the error string is constructed by repeated string concatenation, leading to quadratic runtime. Therefore, a certificate provided by a

  • CVE-2025-58187Oct 29, 2025
    affected < 6.1.0-r1fixed 6.1.0-r1

    Due to the design of the name constraint checking algorithm, the processing time of some inputs scale non-linearly with respect to the size of the certificate. This affects programs which validate arbitrary certificate chains.

  • CVE-2025-47910MedSep 22, 2025
    affected < 6.0.3-r1fixed 6.0.3-r1

    When using http.CrossOriginProtection, the AddInsecureBypassPattern method can unexpectedly bypass more requests than intended. CrossOriginProtection then skips validation, but forwards the original request path, which may be served by a different handler without the intended sec

  • CVE-2025-47907Aug 7, 2025
    affected < 6.0.2-r1fixed 6.0.2-r1

    Cancelling a query (e.g. by cancelling the context passed to one of the query methods) during a call to the Scan method of the returned Rows can result in unexpected results if other queries are being made in parallel. This can result in a race condition that may overwrite the ex

  • CVE-2025-22872MedApr 16, 2025
    affected < 5.2.0-r2fixed 5.2.0-r2

    The tokenizer incorrectly interprets tags with unquoted attribute values that end with a solidus character (/) as self-closing. When directly using Tokenizer, this can result in such tags incorrectly being marked as self-closing, and when using the Parse functions, this can resul

  • CVE-2025-22871CriApr 8, 2025
    affected < 5.2.0-r1fixed 5.2.0-r1

    The net/http package improperly accepts a bare LF as a line terminator in chunked data chunk-size lines. This can permit request smuggling if a net/http server is used in conjunction with a server that incorrectly accepts a bare LF as part of a chunk-ext.

  • CVE-2025-22868Feb 26, 2025
    affected < 5.2.0-r0fixed 5.2.0-r0

    An attacker can pass a malicious malformed token which causes unexpected memory to be consumed during parsing.

  • CVE-2024-45338MedDec 18, 2024
    affected < 5.0.1-r0fixed 5.0.1-r0

    An attacker can craft an input to the Parse functions that would be processed non-linearly with respect to its length, resulting in extremely slow parsing. This could cause a denial of service.

  • CVE-2024-34158HigSep 6, 2024
    affected < 4.9.1-r1fixed 4.9.1-r1

    Calling Parse on a "// +build" build tag line with deeply nested expressions can cause a panic due to stack exhaustion.

  • CVE-2024-34156HigSep 6, 2024
    affected < 4.9.1-r1fixed 4.9.1-r1

    Calling Decoder.Decode on a message which contains deeply nested structures can cause a panic due to stack exhaustion. This is a follow-up to CVE-2022-30635.

  • CVE-2024-34155MedSep 6, 2024
    affected < 4.9.1-r1fixed 4.9.1-r1

    Calling any of the Parse functions on Go source code which contains deeply nested literals can cause a panic due to stack exhaustion.

  • CVE-2024-24786HigMar 5, 2024
    affected < 4.5.6-r2fixed 4.5.6-r2

    The protojson.Unmarshal function can enter an infinite loop when unmarshaling certain forms of invalid JSON. This condition can occur when unmarshaling into a message which contains a google.protobuf.Any value, or when the UnmarshalOptions.DiscardUnknown option is set.

  • CVE-2023-45284Nov 9, 2023
    affected < 0fixed 0

    On Windows, The IsLocal function does not correctly detect reserved device names in some cases. Reserved names followed by spaces, such as "COM1 ", and reserved names "COM" and "LPT" followed by superscript 1, 2, or 3, are incorrectly reported as local. With fix, IsLocal now corr

  • CVE-2023-45283Nov 9, 2023
    affected < 0fixed 0

    The filepath package does not recognize paths with a \??\ prefix as special. On Windows, a path beginning with \??\ is a Root Local Device path equivalent to a path beginning with \\?\. Paths with a \??\ prefix may be used to access arbitrary locations on the system. For example,

  • CVE-2023-39325Oct 11, 2023
    affected < 4.2.2-r5fixed 4.2.2-r5

    A malicious HTTP/2 client which rapidly creates requests and immediately resets them can cause excessive server resource consumption. While the total number of requests is bounded by the http2.Server.MaxConcurrentStreams setting, resetting an in-progress request allows the attack

  • CVE-2023-3978Aug 2, 2023
    affected < 4.2.2-r5fixed 4.2.2-r5

    Text nodes not in the HTML namespace are incorrectly literally rendered, causing text which should be escaped to not be. This could lead to an XSS attack.

Page 2 of 2