apk package
wolfi/kubernetes-csi-external-resizer
pkg:apk/wolfi/kubernetes-csi-external-resizer
Vulnerabilities (47)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2025-68119 | — | < 2.0.0-r3 | 2.0.0-r3 | Jan 28, 2026 | Downloading and building modules with malicious version strings can cause local code execution. On systems with Mercurial (hg) installed, downloading modules from non-standard sources (e.g., custom domains) can cause unexpected code execution due to how external VCS commands are | ||
| CVE-2025-61727 | — | < 2.0.0-r2 | 2.0.0-r2 | Dec 3, 2025 | An excluded subdomain constraint in a certificate chain does not restrict the usage of wildcard SANs in the leaf certificate. For example a constraint that excludes the subdomain test.example.com does not prevent a leaf certificate from claiming the SAN *.example.com. | ||
| CVE-2025-61729 | — | < 2.0.0-r2 | 2.0.0-r2 | Dec 2, 2025 | Within HostnameError.Error(), when constructing an error string, there is no limit to the number of hosts that will be printed out. Furthermore, the error string is constructed by repeated string concatenation, leading to quadratic runtime. Therefore, a certificate provided by a | ||
| CVE-2025-47914 | — | < 2.0.0-r1 | 2.0.0-r1 | Nov 19, 2025 | SSH Agent servers do not validate the size of messages when processing new identity requests, which may cause the program to panic if the message is malformed due to an out of bounds read. | ||
| CVE-2025-58181 | — | < 2.0.0-r1 | 2.0.0-r1 | Nov 19, 2025 | SSH servers parsing GSSAPI authentication requests do not validate the number of mechanisms specified in the request, allowing an attacker to cause unbounded memory consumption. | ||
| CVE-2025-47907 | — | < 0 | 0 | Aug 7, 2025 | Cancelling a query (e.g. by cancelling the context passed to one of the query methods) during a call to the Scan method of the returned Rows can result in unexpected results if other queries are being made in parallel. This can result in a race condition that may overwrite the ex | ||
| CVE-2025-22872 | Med | 6.5 | < 1.13.2-r4 | 1.13.2-r4 | Apr 16, 2025 | The tokenizer incorrectly interprets tags with unquoted attribute values that end with a solidus character (/) as self-closing. When directly using Tokenizer, this can result in such tags incorrectly being marked as self-closing, and when using the Parse functions, this can resul | |
| CVE-2025-22871 | Cri | 9.1 | < 1.13.2-r3 | 1.13.2-r3 | Apr 8, 2025 | The net/http package improperly accepts a bare LF as a line terminator in chunked data chunk-size lines. This can permit request smuggling if a net/http server is used in conjunction with a server that incorrectly accepts a bare LF as part of a chunk-ext. | |
| CVE-2025-22870 | Med | 4.4 | < 1.13.2-r2 | 1.13.2-r2 | Mar 12, 2025 | Matching of hosts against proxy patterns can improperly treat an IPv6 zone ID as a hostname component. For example, when the NO_PROXY environment variable is set to "*.example.com", a request to "[::1%25.example.com]:80` will incorrectly match and not be proxied. | |
| CVE-2025-22868 | — | < 1.13.2-r1 | 1.13.2-r1 | Feb 26, 2025 | An attacker can pass a malicious malformed token which causes unexpected memory to be consumed during parsing. | ||
| CVE-2025-22866 | Med | 4.0 | < 1.13.1-r2 | 1.13.1-r2 | Feb 6, 2025 | Due to the usage of a variable time instruction in the assembly implementation of an internal function, a small number of bits of secret scalars are leaked on the ppc64le architecture. Due to the way this function is used, we do not believe this leakage is enough to allow recover | |
| CVE-2024-45341 | Med | 6.1 | < 1.13.1-r1 | 1.13.1-r1 | Jan 28, 2025 | A certificate with a URI which has a IPv6 address with a zone ID may incorrectly satisfy a URI name constraint that applies to the certificate chain. Certificates containing URIs are not permitted in the web PKI, so this only affects users of private PKIs which make use of URIs. | |
| CVE-2024-45336 | Med | 6.1 | < 1.13.1-r1 | 1.13.1-r1 | Jan 28, 2025 | The HTTP client drops sensitive headers after following a cross-domain redirect. For example, a request to a.com/ containing an Authorization header which is redirected to b.com/ will not send that header to b.com. In the event that the client received a subsequent same-domain re | |
| CVE-2024-45338 | Med | 5.3 | < 1.12.0-r1 | 1.12.0-r1 | Dec 18, 2024 | An attacker can craft an input to the Parse functions that would be processed non-linearly with respect to its length, resulting in extremely slow parsing. This could cause a denial of service. | |
| CVE-2023-45288 | Hig | 7.5 | < 1.13.2-r2 | 1.13.2-r2 | Apr 4, 2024 | An attacker may cause an HTTP/2 endpoint to read arbitrary amounts of header data by sending an excessive number of CONTINUATION frames. Maintaining HPACK state requires parsing and processing all HEADERS and CONTINUATION frames on a connection. When a request's headers exceed Ma | |
| CVE-2024-24786 | Hig | 7.5 | < 1.10.0-r3 | 1.10.0-r3 | Mar 5, 2024 | The protojson.Unmarshal function can enter an infinite loop when unmarshaling certain forms of invalid JSON. This condition can occur when unmarshaling into a message which contains a google.protobuf.Any value, or when the UnmarshalOptions.DiscardUnknown option is set. | |
| CVE-2024-24785 | Med | 5.4 | < 1.10.0-r2 | 1.10.0-r2 | Mar 5, 2024 | If errors returned from MarshalJSON methods contain user controlled data, they may be used to break the contextual auto-escaping behavior of the html/template package, allowing for subsequent actions to inject unexpected content into templates. | |
| CVE-2024-24784 | Hig | 7.5 | < 1.10.0-r2 | 1.10.0-r2 | Mar 5, 2024 | The ParseAddressList function incorrectly handles comments (text within parentheses) within display names. Since this is a misalignment with conforming address parsers, it can result in different trust decisions being made by programs using different parsers. | |
| CVE-2024-24783 | Med | 5.9 | < 1.10.0-r2 | 1.10.0-r2 | Mar 5, 2024 | Verifying a certificate chain which contains a certificate with an unknown public key algorithm will cause Certificate.Verify to panic. This affects all crypto/tls clients, and servers that set Config.ClientAuth to VerifyClientCertIfGiven or RequireAndVerifyClientCert. The defaul | |
| CVE-2023-45290 | Med | 6.5 | < 1.10.0-r2 | 1.10.0-r2 | Mar 5, 2024 | When parsing a multipart form (either explicitly with Request.ParseMultipartForm or implicitly with Request.FormValue, Request.PostFormValue, or Request.FormFile), limits on the total size of the parsed form were not applied to the memory consumed while reading a single form line |
- CVE-2025-68119Jan 28, 2026affected < 2.0.0-r3fixed 2.0.0-r3
Downloading and building modules with malicious version strings can cause local code execution. On systems with Mercurial (hg) installed, downloading modules from non-standard sources (e.g., custom domains) can cause unexpected code execution due to how external VCS commands are
- CVE-2025-61727Dec 3, 2025affected < 2.0.0-r2fixed 2.0.0-r2
An excluded subdomain constraint in a certificate chain does not restrict the usage of wildcard SANs in the leaf certificate. For example a constraint that excludes the subdomain test.example.com does not prevent a leaf certificate from claiming the SAN *.example.com.
- CVE-2025-61729Dec 2, 2025affected < 2.0.0-r2fixed 2.0.0-r2
Within HostnameError.Error(), when constructing an error string, there is no limit to the number of hosts that will be printed out. Furthermore, the error string is constructed by repeated string concatenation, leading to quadratic runtime. Therefore, a certificate provided by a
- CVE-2025-47914Nov 19, 2025affected < 2.0.0-r1fixed 2.0.0-r1
SSH Agent servers do not validate the size of messages when processing new identity requests, which may cause the program to panic if the message is malformed due to an out of bounds read.
- CVE-2025-58181Nov 19, 2025affected < 2.0.0-r1fixed 2.0.0-r1
SSH servers parsing GSSAPI authentication requests do not validate the number of mechanisms specified in the request, allowing an attacker to cause unbounded memory consumption.
- CVE-2025-47907Aug 7, 2025affected < 0fixed 0
Cancelling a query (e.g. by cancelling the context passed to one of the query methods) during a call to the Scan method of the returned Rows can result in unexpected results if other queries are being made in parallel. This can result in a race condition that may overwrite the ex
- affected < 1.13.2-r4fixed 1.13.2-r4
The tokenizer incorrectly interprets tags with unquoted attribute values that end with a solidus character (/) as self-closing. When directly using Tokenizer, this can result in such tags incorrectly being marked as self-closing, and when using the Parse functions, this can resul
- affected < 1.13.2-r3fixed 1.13.2-r3
The net/http package improperly accepts a bare LF as a line terminator in chunked data chunk-size lines. This can permit request smuggling if a net/http server is used in conjunction with a server that incorrectly accepts a bare LF as part of a chunk-ext.
- affected < 1.13.2-r2fixed 1.13.2-r2
Matching of hosts against proxy patterns can improperly treat an IPv6 zone ID as a hostname component. For example, when the NO_PROXY environment variable is set to "*.example.com", a request to "[::1%25.example.com]:80` will incorrectly match and not be proxied.
- CVE-2025-22868Feb 26, 2025affected < 1.13.2-r1fixed 1.13.2-r1
An attacker can pass a malicious malformed token which causes unexpected memory to be consumed during parsing.
- affected < 1.13.1-r2fixed 1.13.1-r2
Due to the usage of a variable time instruction in the assembly implementation of an internal function, a small number of bits of secret scalars are leaked on the ppc64le architecture. Due to the way this function is used, we do not believe this leakage is enough to allow recover
- affected < 1.13.1-r1fixed 1.13.1-r1
A certificate with a URI which has a IPv6 address with a zone ID may incorrectly satisfy a URI name constraint that applies to the certificate chain. Certificates containing URIs are not permitted in the web PKI, so this only affects users of private PKIs which make use of URIs.
- affected < 1.13.1-r1fixed 1.13.1-r1
The HTTP client drops sensitive headers after following a cross-domain redirect. For example, a request to a.com/ containing an Authorization header which is redirected to b.com/ will not send that header to b.com. In the event that the client received a subsequent same-domain re
- affected < 1.12.0-r1fixed 1.12.0-r1
An attacker can craft an input to the Parse functions that would be processed non-linearly with respect to its length, resulting in extremely slow parsing. This could cause a denial of service.
- affected < 1.13.2-r2fixed 1.13.2-r2
An attacker may cause an HTTP/2 endpoint to read arbitrary amounts of header data by sending an excessive number of CONTINUATION frames. Maintaining HPACK state requires parsing and processing all HEADERS and CONTINUATION frames on a connection. When a request's headers exceed Ma
- affected < 1.10.0-r3fixed 1.10.0-r3
The protojson.Unmarshal function can enter an infinite loop when unmarshaling certain forms of invalid JSON. This condition can occur when unmarshaling into a message which contains a google.protobuf.Any value, or when the UnmarshalOptions.DiscardUnknown option is set.
- affected < 1.10.0-r2fixed 1.10.0-r2
If errors returned from MarshalJSON methods contain user controlled data, they may be used to break the contextual auto-escaping behavior of the html/template package, allowing for subsequent actions to inject unexpected content into templates.
- affected < 1.10.0-r2fixed 1.10.0-r2
The ParseAddressList function incorrectly handles comments (text within parentheses) within display names. Since this is a misalignment with conforming address parsers, it can result in different trust decisions being made by programs using different parsers.
- affected < 1.10.0-r2fixed 1.10.0-r2
Verifying a certificate chain which contains a certificate with an unknown public key algorithm will cause Certificate.Verify to panic. This affects all crypto/tls clients, and servers that set Config.ClientAuth to VerifyClientCertIfGiven or RequireAndVerifyClientCert. The defaul
- affected < 1.10.0-r2fixed 1.10.0-r2
When parsing a multipart form (either explicitly with Request.ParseMultipartForm or implicitly with Request.FormValue, Request.PostFormValue, or Request.FormFile), limits on the total size of the parsed form were not applied to the memory consumed while reading a single form line
Page 2 of 3