apk package
wolfi/zarf
pkg:apk/wolfi/zarf
Vulnerabilities (102)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2026-4660 | Hig | 7.5 | < 0.74.2-r3 | 0.74.2-r3 | Apr 9, 2026 | HashiCorp’s go-getter library up to v1.8.5 may allow arbitrary file reads on the file system during certain git operations through a maliciously crafted URL. This vulnerability, CVE-2026-4660, is fixed in go-getter v1.8.6. This vulnerability does not affect the go-getter/v2 branc | |
| CVE-2026-39883 | Hig | 7.0 | < 0.74.2-r2 | 0.74.2-r2 | Apr 8, 2026 | OpenTelemetry-Go is the Go implementation of OpenTelemetry. From 1.15.0 to 1.42.0, the fix for CVE-2026-24051 changed the Darwin ioreg command to use an absolute path but left the BSD kenv command using a bare name, allowing the same PATH hijacking attack on BSD and Solaris platf | |
| CVE-2026-33817 | — | < 0 | 0 | Apr 6, 2026 | Rejected reason: CVE confirmed to be a false positive | ||
| CVE-2026-34986 | Hig | 7.5 | < 0.74.1-r1 | 0.74.1-r1 | Apr 6, 2026 | Go JOSE provides an implementation of the Javascript Object Signing and Encryption set of standards in Go, including support for JSON Web Encryption (JWE), JSON Web Signature (JWS), and JSON Web Token (JWT) standards. Prior to 4.1.4 and 3.0.5, decrypting a JSON Web Encryption (JW | |
| CVE-2026-34165 | Med | 5.0 | < 0.74.0-r2 | 0.74.0-r2 | Mar 31, 2026 | go-git is an extensible git implementation library written in pure Go. From version 5.0.0 to before version 5.17.1, a vulnerability has been identified in which a maliciously crafted .idx file can cause asymmetric memory consumption, potentially exhausting available memory and re | |
| CVE-2026-33762 | Low | 2.8 | < 0.74.0-r2 | 0.74.0-r2 | Mar 31, 2026 | go-git is an extensible git implementation library written in pure Go. Prior to version 5.17.1, go-git’s index decoder for format version 4 fails to validate the path name prefix length before applying it to the previously decoded path name. A maliciously crafted index file can t | |
| CVE-2026-34040 | Hig | 8.8 | < 0.74.1-r0 | 0.74.1-r0 | Mar 31, 2026 | Moby is an open source container framework. Prior to version 29.3.1, a security vulnerability has been detected that allows attackers to bypass authorization plugins (AuthZ). This issue has been patched in version 29.3.1. | |
| CVE-2026-33997 | Med | 6.8 | < 0.74.1-r0 | 0.74.1-r0 | Mar 31, 2026 | Moby is an open source container framework. Prior to version 29.3.1, a security vulnerability has been detected that allows plugins privilege validation to be bypassed during docker plugin install. Due to an error in the daemon's privilege comparison logic, the daemon may incorre | |
| CVE-2026-33481 | Med | 5.3 | < 0.74.0-r1 | 0.74.0-r1 | Mar 26, 2026 | Syft is a a CLI tool and Go library for generating a Software Bill of Materials (SBOM) from container images and filesystems. Syft versions before v1.42.3 would not properly cleanup temporary storage if the temporary storage was exhausted during a scan. When scanning archives Syf | |
| CVE-2026-33186 | Cri | 9.1 | < 0.74.0-r0 | 0.74.0-r0 | Mar 20, 2026 | gRPC-Go is the Go language implementation of gRPC. Versions prior to 1.79.3 have an authorization bypass resulting from improper input validation of the HTTP/2 `:path` pseudo-header. The gRPC-Go server was too lenient in its routing logic, accepting requests where the `:path` omi | |
| CVE-2026-27142 | Med | 6.1 | < 0.73.1-r3 | 0.73.1-r3 | Mar 6, 2026 | Actions which insert URLs into the content attribute of HTML meta tags are not escaped. This can allow XSS if the meta tag also has an http-equiv attribute with the value "refresh". A new GODEBUG setting has been added, htmlmetacontenturlescape, which can be used to disable escap | |
| CVE-2026-27139 | Low | 2.5 | < 0.73.1-r3 | 0.73.1-r3 | Mar 6, 2026 | On Unix platforms, when listing the contents of a directory using File.ReadDir or File.Readdir the returned FileInfo could reference a file outside of the Root in which the File was opened. The impact of this escape is limited to reading metadata provided by lstat from arbitrary | |
| CVE-2026-25679 | Hig | 7.5 | < 0.73.1-r3 | 0.73.1-r3 | Mar 6, 2026 | url.Parse insufficiently validated the host/authority component and accepted some invalid URLs. | |
| CVE-2026-27141 | Hig | 7.5 | < 0.73.1-r1 | 0.73.1-r1 | Feb 26, 2026 | Due to missing nil check, sending 0x0a-0x0f HTTP/2 frames will cause a running server to panic | |
| CVE-2026-1229 | — | < 0.73.0-r1 | 0.73.0-r1 | Feb 24, 2026 | The CombinedMult function in the CIRCL ecc/p384 package (secp384r1 curve) produces an incorrect value for specific inputs. The issue is fixed by using complete addition formulas. ECDH and ECDSA signing relying on this curve are not affected. The bug was fixed in v1.6.3 https:// | ||
| CVE-2026-25934 | — | < 0.71.1-r1 | 0.71.1-r1 | Feb 9, 2026 | go-git is a highly extensible git implementation library written in pure Go. Prior to 5.16.5, a vulnerability was discovered in go-git whereby data integrity values for .pack and .idx files were not properly verified. This resulted in go-git potentially consuming corrupted files, | ||
| CVE-2026-24051 | — | < 0.73.0-r2 | 0.73.0-r2 | Feb 2, 2026 | OpenTelemetry-Go is the Go implementation of OpenTelemetry. The OpenTelemetry Go SDK in version v1.20.0-1.39.0 is vulnerable to Path Hijacking (Untrusted Search Paths) on macOS/Darwin systems. The resource detection code in sdk/resource/host_id.go executes the ioreg system comman | ||
| CVE-2026-24686 | — | < 0.70.1-r4 | 0.70.1-r4 | Jan 27, 2026 | go-tuf is a Go implementation of The Update Framework (TUF). go-tuf's TAP 4 Multirepo Client uses the map file repository name string (`repoName`) as a filesystem path component when selecting the local metadata cache directory. Starting in version 2.0.0 and prior to version 2.4. | ||
| CVE-2026-24137 | Med | 5.8 | < 0.70.1-r4 | 0.70.1-r4 | Jan 23, 2026 | sigstore framework is a common go library shared across sigstore services and clients. In versions 1.10.3 and below, the legacy TUF client (pkg/tuf/client.go) supports caching target files to disk. It constructs a filesystem path by joining a cache base directory with a target na | |
| CVE-2026-24117 | — | < 0.70.1-r3 | 0.70.1-r3 | Jan 22, 2026 | Rekor is a software supply chain transparency log. In versions 1.4.3 and below, attackers can trigger SSRF to arbitrary internal services because /api/v1/index/retrieve supports retrieving a public key via user-provided URL. Since the SSRF only can trigger GET requests, the reque |
- affected < 0.74.2-r3fixed 0.74.2-r3
HashiCorp’s go-getter library up to v1.8.5 may allow arbitrary file reads on the file system during certain git operations through a maliciously crafted URL. This vulnerability, CVE-2026-4660, is fixed in go-getter v1.8.6. This vulnerability does not affect the go-getter/v2 branc
- affected < 0.74.2-r2fixed 0.74.2-r2
OpenTelemetry-Go is the Go implementation of OpenTelemetry. From 1.15.0 to 1.42.0, the fix for CVE-2026-24051 changed the Darwin ioreg command to use an absolute path but left the BSD kenv command using a bare name, allowing the same PATH hijacking attack on BSD and Solaris platf
- CVE-2026-33817Apr 6, 2026affected < 0fixed 0
Rejected reason: CVE confirmed to be a false positive
- affected < 0.74.1-r1fixed 0.74.1-r1
Go JOSE provides an implementation of the Javascript Object Signing and Encryption set of standards in Go, including support for JSON Web Encryption (JWE), JSON Web Signature (JWS), and JSON Web Token (JWT) standards. Prior to 4.1.4 and 3.0.5, decrypting a JSON Web Encryption (JW
- affected < 0.74.0-r2fixed 0.74.0-r2
go-git is an extensible git implementation library written in pure Go. From version 5.0.0 to before version 5.17.1, a vulnerability has been identified in which a maliciously crafted .idx file can cause asymmetric memory consumption, potentially exhausting available memory and re
- affected < 0.74.0-r2fixed 0.74.0-r2
go-git is an extensible git implementation library written in pure Go. Prior to version 5.17.1, go-git’s index decoder for format version 4 fails to validate the path name prefix length before applying it to the previously decoded path name. A maliciously crafted index file can t
- affected < 0.74.1-r0fixed 0.74.1-r0
Moby is an open source container framework. Prior to version 29.3.1, a security vulnerability has been detected that allows attackers to bypass authorization plugins (AuthZ). This issue has been patched in version 29.3.1.
- affected < 0.74.1-r0fixed 0.74.1-r0
Moby is an open source container framework. Prior to version 29.3.1, a security vulnerability has been detected that allows plugins privilege validation to be bypassed during docker plugin install. Due to an error in the daemon's privilege comparison logic, the daemon may incorre
- affected < 0.74.0-r1fixed 0.74.0-r1
Syft is a a CLI tool and Go library for generating a Software Bill of Materials (SBOM) from container images and filesystems. Syft versions before v1.42.3 would not properly cleanup temporary storage if the temporary storage was exhausted during a scan. When scanning archives Syf
- affected < 0.74.0-r0fixed 0.74.0-r0
gRPC-Go is the Go language implementation of gRPC. Versions prior to 1.79.3 have an authorization bypass resulting from improper input validation of the HTTP/2 `:path` pseudo-header. The gRPC-Go server was too lenient in its routing logic, accepting requests where the `:path` omi
- affected < 0.73.1-r3fixed 0.73.1-r3
Actions which insert URLs into the content attribute of HTML meta tags are not escaped. This can allow XSS if the meta tag also has an http-equiv attribute with the value "refresh". A new GODEBUG setting has been added, htmlmetacontenturlescape, which can be used to disable escap
- affected < 0.73.1-r3fixed 0.73.1-r3
On Unix platforms, when listing the contents of a directory using File.ReadDir or File.Readdir the returned FileInfo could reference a file outside of the Root in which the File was opened. The impact of this escape is limited to reading metadata provided by lstat from arbitrary
- affected < 0.73.1-r3fixed 0.73.1-r3
url.Parse insufficiently validated the host/authority component and accepted some invalid URLs.
- affected < 0.73.1-r1fixed 0.73.1-r1
Due to missing nil check, sending 0x0a-0x0f HTTP/2 frames will cause a running server to panic
- CVE-2026-1229Feb 24, 2026affected < 0.73.0-r1fixed 0.73.0-r1
The CombinedMult function in the CIRCL ecc/p384 package (secp384r1 curve) produces an incorrect value for specific inputs. The issue is fixed by using complete addition formulas. ECDH and ECDSA signing relying on this curve are not affected. The bug was fixed in v1.6.3 https://
- CVE-2026-25934Feb 9, 2026affected < 0.71.1-r1fixed 0.71.1-r1
go-git is a highly extensible git implementation library written in pure Go. Prior to 5.16.5, a vulnerability was discovered in go-git whereby data integrity values for .pack and .idx files were not properly verified. This resulted in go-git potentially consuming corrupted files,
- CVE-2026-24051Feb 2, 2026affected < 0.73.0-r2fixed 0.73.0-r2
OpenTelemetry-Go is the Go implementation of OpenTelemetry. The OpenTelemetry Go SDK in version v1.20.0-1.39.0 is vulnerable to Path Hijacking (Untrusted Search Paths) on macOS/Darwin systems. The resource detection code in sdk/resource/host_id.go executes the ioreg system comman
- CVE-2026-24686Jan 27, 2026affected < 0.70.1-r4fixed 0.70.1-r4
go-tuf is a Go implementation of The Update Framework (TUF). go-tuf's TAP 4 Multirepo Client uses the map file repository name string (`repoName`) as a filesystem path component when selecting the local metadata cache directory. Starting in version 2.0.0 and prior to version 2.4.
- affected < 0.70.1-r4fixed 0.70.1-r4
sigstore framework is a common go library shared across sigstore services and clients. In versions 1.10.3 and below, the legacy TUF client (pkg/tuf/client.go) supports caching target files to disk. It constructs a filesystem path by joining a cache base directory with a target na
- CVE-2026-24117Jan 22, 2026affected < 0.70.1-r3fixed 0.70.1-r3
Rekor is a software supply chain transparency log. In versions 1.4.3 and below, attackers can trigger SSRF to arbitrary internal services because /api/v1/index/retrieve supports retrieving a public key via user-provided URL. Since the SSRF only can trigger GET requests, the reque
Page 2 of 6