VYPR

apk package

wolfi/wolfictl

pkg:apk/wolfi/wolfictl

Vulnerabilities (84)

  • CVE-2025-27144MedFeb 24, 2025
    affected < 0.29.4-r2fixed 0.29.4-r2

    Go JOSE provides an implementation of the Javascript Object Signing and Encryption set of standards in Go, including support for JSON Web Encryption (JWE), JSON Web Signature (JWS), and JSON Web Token (JWT) standards. In versions on the 4.x branch prior to version 4.0.5, when par

  • CVE-2025-22866MedFeb 6, 2025
    affected < 0.28.1-r0fixed 0.28.1-r0

    Due to the usage of a variable time instruction in the assembly implementation of an internal function, a small number of bits of secret scalars are leaked on the ppc64le architecture. Due to the way this function is used, we do not believe this leakage is enough to allow recover

  • CVE-2025-21614Jan 6, 2025
    affected < 0.27.5-r0fixed 0.27.5-r0

    go-git is a highly extensible git implementation library written in pure Go. A denial of service (DoS) vulnerability was discovered in go-git versions prior to v5.13. This vulnerability allows an attacker to perform denial of service attacks by providing specially crafted respons

  • CVE-2025-21613Jan 6, 2025
    affected < 0.27.5-r0fixed 0.27.5-r0

    go-git is a highly extensible git implementation library written in pure Go. An argument injection vulnerability was discovered in go-git versions prior to v5.13. Successful exploitation of this vulnerability could allow an attacker to set arbitrary values to git-upload-pack flag

  • CVE-2024-45338MedDec 18, 2024
    affected < 0.27.2-r1fixed 0.27.2-r1

    An attacker can craft an input to the Parse functions that would be processed non-linearly with respect to its length, resulting in extremely slow parsing. This could cause a denial of service.

  • CVE-2024-45337CriDec 12, 2024
    affected < 0.27.1-r0fixed 0.27.1-r0

    Applications and libraries which misuse connection.serverAuthenticate (via callback field ServerConfig.PublicKeyCallback) may be susceptible to an authorization bypass. The documentation for ServerConfig.PublicKeyCallback says that "A call to this function does not guarantee that

  • CVE-2024-53859Nov 27, 2024
    affected < 0.26.0-r1fixed 0.26.0-r1

    go-gh is a Go module for interacting with the `gh` utility and the GitHub API from the command line. A security vulnerability has been identified in `go-gh` that could leak authentication tokens intended for GitHub hosts to non-GitHub hosts when within a codespace. `go-gh` source

  • CVE-2024-47534HigOct 1, 2024
    affected < 0.38.21-r0fixed 0.38.21-r0

    go-tuf is a Go implementation of The Update Framework (TUF). The go-tuf client inconsistently traces the delegations. For example, if targets delegate to "A", and to "B", and "B" delegates to "C", then the client should trace the delegations in the order "A" then "B" then "C" but

  • CVE-2024-41110CriJul 24, 2024
    affected < 0.21.0-r1fixed 0.21.0-r1

    Moby is an open-source project created by Docker for software containerization. A security vulnerability has been detected in certain versions of Docker Engine, which could allow an attacker to bypass authorization plugins (AuthZ) under specific circumstances. The base likelihood

  • CVE-2024-24791HigJul 2, 2024
    affected < 0.19.2-r1fixed 0.19.2-r1

    The net/http HTTP/1.1 client mishandled the case where a server responds to a request with an "Expect: 100-continue" header with a non-informational (200 or higher) status. This mishandling could leave a client connection in an invalid state, where the next request sent on the co

  • CVE-2024-6257Jun 25, 2024
    affected < 0.19.0-r1fixed 0.19.0-r1

    HashiCorp’s go-getter library can be coerced into executing Git update on an existing maliciously modified Git Configuration, potentially leading to arbitrary code execution.

  • CVE-2024-24789Jun 5, 2024
    affected < 0.16.15-r1fixed 0.16.15-r1

    The archive/zip package's handling of certain types of invalid zip files differs from the behavior of most zip implementations. This misalignment could be exploited to create an zip file with contents that vary depending on the implementation reading the file. The archive/zip pac

  • CVE-2024-24790Jun 5, 2024
    affected < 0.16.15-r1fixed 0.16.15-r1

    The various Is methods (IsPrivate, IsLoopback, etc) did not work as expected for IPv4-mapped IPv6 addresses, returning false for addresses which would return true in their traditional IPv4 forms.

  • CVE-2024-3154HigApr 26, 2024
    affected < 0.16.6-r1fixed 0.16.6-r1

    A flaw was found in cri-o, where an arbitrary systemd property can be injected via a Pod annotation. Any user who can create a pod with an arbitrary annotation may perform an arbitrary action on the host system.

  • CVE-2024-32473Apr 18, 2024
    affected < 0.15.19-r1fixed 0.15.19-r1

    Moby is an open source container framework that is a key component of Docker Engine, Docker Desktop, and other distributions of container tooling or runtimes. In 26.0.0, IPv6 is not disabled on network interfaces, including those belonging to networks where `--ipv6=false`. An con

  • CVE-2024-29903Apr 10, 2024
    affected < 0.15.18-r1fixed 0.15.18-r1

    Cosign provides code signing and transparency for containers and binaries. Prior to version 2.2.4, maliciously-crafted software artifacts can cause denial of service of the machine running Cosign thereby impacting all services on the machine. The root cause is that Cosign creates

  • CVE-2024-29902Apr 10, 2024
    affected < 0.15.18-r1fixed 0.15.18-r1

    Cosign provides code signing and transparency for containers and binaries. Prior to version 2.2.4, a remote image with a malicious attachment can cause denial of service of the host machine running Cosign. This can impact other services on the machine that rely on having memory a

  • CVE-2024-0406Apr 6, 2024
    affected < 0.16.6-r1fixed 0.16.6-r1

    A flaw was discovered in the mholt/archiver package. This flaw allows an attacker to create a specially crafted tar file, which, when unpacked, may allow access to restricted files or directories. This issue can allow the creation or overwriting of files with the user's or applic

  • CVE-2024-29018Mar 20, 2024
    affected < 0.15.7-r1fixed 0.15.7-r1

    Moby is an open source container framework that is a key component of Docker Engine, Docker Desktop, and other distributions of container tooling or runtimes. Moby's networking implementation allows for many networks, each with their own IP address range and gateway, to be define

  • CVE-2024-28180Mar 9, 2024
    affected < 0.15.3-r3fixed 0.15.3-r3

    Package jose aims to provide an implementation of the Javascript Object Signing and Encryption set of standards. An attacker could send a JWE containing compressed data that used large amounts of memory and CPU when decompressed by Decrypt or DecryptMulti. Those functions now ret

Page 4 of 5