VYPR

apk package

wolfi/sigstore-scaffolding-getoidctoken

pkg:apk/wolfi/sigstore-scaffolding-getoidctoken

Vulnerabilities (52)

  • CVE-2026-42507MedJun 2, 2026
    affected < 0.7.31-r16fixed 0.7.31-r16

    When returning errors, functions in the net/textproto package would include its input as part of the error. This might allow an attacker to inject misleading content to errors that are printed or logged.

  • CVE-2026-42504HigJun 2, 2026
    affected < 0fixed 0

    Decoding a maliciously-crafted MIME header containing many invalid encoded-words can consume excessive CPU.

  • CVE-2026-27145MedJun 2, 2026
    affected < 0.7.31-r16fixed 0.7.31-r16

    (*x509.Certificate).VerifyHostname previously called matchHostnames in a loop over all DNS Subject Alternative Name (SAN) entries. This caused strings.Split(host, ".") to execute repeatedly on the same input hostname. With a large DNS SAN list, verification costs scaled quadratic

  • CVE-2026-33810HigApr 8, 2026
    affected < 0.7.31-r11fixed 0.7.31-r11

    When verifying a certificate chain containing excluded DNS constraints, these constraints are not correctly applied to wildcard DNS SANs which use a different case than the constraint. This only affects validation of otherwise trusted certificate chains, issued by a root CA in th

  • CVE-2026-32289MedApr 8, 2026
    affected < 0fixed 0

    Context was not properly tracked across template branches for JS template literals, leading to possibly incorrect escaping of content when branches were used. Additionally template actions within JS template literals did not properly track the brace depth, leading to incorrect es

  • CVE-2026-32288MedApr 8, 2026
    affected < 0fixed 0

    tar.Reader can allocate an unbounded amount of memory when reading a maliciously-crafted archive containing a large number of sparse regions encoded in the "old GNU sparse map" format.

  • CVE-2026-32283HigApr 8, 2026
    affected < 0.7.31-r11fixed 0.7.31-r11

    If one side of the TLS connection sends multiple key update messages post-handshake in a single record, the connection can deadlock, causing uncontrolled consumption of resources. This can lead to a denial of service. This only affects TLS 1.3.

  • CVE-2026-32282MedApr 8, 2026
    affected < 0fixed 0

    On Linux, if the target of Root.Chmod is replaced with a symlink while the chmod operation is in progress, Chmod can operate on the target of the symlink, even when the target lies outside the root. The Linux fchmodat syscall silently ignores the AT_SYMLINK_NOFOLLOW flag, which R

  • CVE-2026-32281HigApr 8, 2026
    affected < 0.7.31-r11fixed 0.7.31-r11

    Validating certificate chains which use policies is unexpectedly inefficient when certificates in the chain contain a very large number of policy mappings, possibly causing denial of service. This only affects validation of otherwise trusted certificate chains, issued by a root C

  • CVE-2026-32280HigApr 8, 2026
    affected < 0.7.31-r11fixed 0.7.31-r11

    During chain building, the amount of work that is done is not correctly limited when a large number of intermediate certificates are passed in VerifyOptions.Intermediates, which can lead to a denial of service. This affects both direct users of crypto/x509 and users of crypto/tls

  • CVE-2026-27140HigApr 8, 2026
    affected < 0.7.31-r11fixed 0.7.31-r11

    SWIG file names containing 'cgo' and well-crafted payloads could lead to code smuggling and arbitrary code execution at build time due to trust layer bypass.

  • CVE-2025-66564HigDec 4, 2025
    affected < 0.7.31-r3fixed 0.7.31-r3

    Sigstore Timestamp Authority is a service for issuing RFC 3161 timestamps. Prior to 2.0.3, Function api.ParseJSONRequest currently splits (via a call to strings.Split) an optionally-provided OID (which is untrusted data) on periods. Similarly, function api.getContentType splits t

  • CVE-2025-66506HigDec 4, 2025
    affected < 0.7.31-r3fixed 0.7.31-r3

    Fulcio is a free-to-use certificate authority for issuing code signing certificates for an OpenID Connect (OIDC) identity. Prior to 1.8.3, function identity.extractIssuerURL splits (via a call to strings.Split) its argument (which is untrusted data) on periods. As a result, in th

  • CVE-2025-61729HigDec 2, 2025
    affected < 0.7.31-r2fixed 0.7.31-r2

    Within HostnameError.Error(), when constructing an error string, there is no limit to the number of hosts that will be printed out. Furthermore, the error string is constructed by repeated string concatenation, leading to quadratic runtime. Therefore, a certificate provided by a

  • CVE-2025-61725HigOct 29, 2025
    affected < 0.7.25-r1fixed 0.7.25-r1

    The ParseAddress function constructs domain-literal address components through repeated string concatenation. When parsing large domain-literal components, this can cause excessive CPU consumption.

  • CVE-2025-61724MedOct 29, 2025
    affected < 0.7.25-r1fixed 0.7.25-r1

    The Reader.ReadResponse function constructs a response string through repeated string concatenation of lines. When the number of lines in a response is large, this can cause excessive CPU consumption.

  • CVE-2025-61723HigOct 29, 2025
    affected < 0.7.25-r1fixed 0.7.25-r1

    The processing time for parsing some invalid inputs scales non-linearly with respect to the size of the input. This affects programs which parse untrusted PEM inputs.

  • CVE-2025-58189MedOct 29, 2025
    affected < 0.7.25-r1fixed 0.7.25-r1

    When Conn.Handshake fails during ALPN negotiation the error contains attacker controlled information (the ALPN protocols sent by the client) which is not escaped.

  • CVE-2025-58188HigOct 29, 2025
    affected < 0.7.25-r1fixed 0.7.25-r1

    Validating certificate chains which contain DSA public keys can cause programs to panic, due to a interface cast that assumes they implement the Equal method. This affects programs which validate arbitrary certificate chains.

  • CVE-2025-58187HigOct 29, 2025
    affected < 0.7.25-r1fixed 0.7.25-r1

    Due to the design of the name constraint checking algorithm, the processing time of some inputs scale non-linearly with respect to the size of the certificate. This affects programs which validate arbitrary certificate chains.

Page 1 of 3