VYPR

apk package

wolfi/zot

pkg:apk/wolfi/zot

Vulnerabilities (156)

  • CVE-2019-25210Mar 3, 2024
    affected < 0fixed 0

    An issue was discovered in Cloud Native Computing Foundation (CNCF) Helm through 3.13.3. It displays values of secrets when the --dry-run flag is used. This is a security concern in some use cases, such as a --dry-run call by a CI/CD tool. NOTE: the vendor's position is that this

  • CVE-2024-26147Feb 21, 2024
    affected < 2.0.1-r5fixed 2.0.1-r5

    Helm is a package manager for Charts for Kubernetes. Versions prior to 3.14.2 contain an uninitialized variable vulnerability when Helm parses index and plugin yaml files missing expected content. When either an `index.yaml` file or a plugins `plugin.yaml` file were missing all m

  • CVE-2024-25620Feb 14, 2024
    affected < 2.0.1-r3fixed 2.0.1-r3

    Helm is a tool for managing Charts. Charts are packages of pre-configured Kubernetes resources. When either the Helm client or SDK is used to save a chart whose name within the `Chart.yaml` file includes a relative path change, the chart would be saved outside its expected direct

  • CVE-2024-24557MedFeb 1, 2024
    affected < 2.0.2-r0fixed 2.0.2-r0

    Moby is an open-source project created by Docker to enable software containerization. The classic builder cache system is prone to cache poisoning if the image is built FROM scratch. Also, changes to some instructions (most important being HEALTHCHECK and ONBUILD) would not cause

  • CVE-2024-23653CriJan 31, 2024
    affected < 2.0.1-r2fixed 2.0.1-r2

    BuildKit is a toolkit for converting source code to build artifacts in an efficient, expressive and repeatable manner. In addition to running containers as build steps, BuildKit also provides APIs for running interactive containers based on built images. It was possible to use th

  • CVE-2024-23652CriJan 31, 2024
    affected < 2.0.1-r2fixed 2.0.1-r2

    BuildKit is a toolkit for converting source code to build artifacts in an efficient, expressive and repeatable manner. A malicious BuildKit frontend or Dockerfile using RUN --mount could trick the feature that removes empty files created for the mountpoints into removing a file o

  • CVE-2024-23651HigJan 31, 2024
    affected < 2.0.1-r2fixed 2.0.1-r2

    BuildKit is a toolkit for converting source code to build artifacts in an efficient, expressive and repeatable manner. Two malicious build steps running in parallel sharing the same cache mounts with subpaths could cause a race condition that can lead to files from the host syste

  • CVE-2024-23650MedJan 31, 2024
    affected < 2.0.1-r2fixed 2.0.1-r2

    BuildKit is a toolkit for converting source code to build artifacts in an efficient, expressive and repeatable manner. A malicious BuildKit client or frontend could craft a request that could lead to BuildKit daemon crashing with a panic. The issue has been fixed in v0.12.5. As a

  • CVE-2024-21626HigJan 31, 2024
    affected < 2.0.1-r2fixed 2.0.1-r2

    runc is a CLI tool for spawning and running containers on Linux according to the OCI specification. In runc 1.1.11 and earlier, due to an internal file descriptor leak, an attacker could cause a newly-spawned container process (from runc exec) to have a working directory in the h

  • CVE-2023-49568HigJan 12, 2024
    affected < 2.0.0-r1fixed 2.0.0-r1

    A denial of service (DoS) vulnerability was discovered in go-git versions prior to v5.11. This vulnerability allows an attacker to perform denial of service attacks by providing specially crafted responses from a Git server which triggers resource exhaustion in go-git clients. A

  • CVE-2023-48795MedDec 18, 2023
    affected < 2.0.0-r1fixed 2.0.0-r1

    The SSH transport protocol with certain OpenSSH extensions, found in OpenSSH before 9.6 and other products, allows remote attackers to bypass integrity checks such that some packets are omitted (from the extension negotiation message), and a client and server may consequently end

  • CVE-2023-39325HigOct 11, 2023
    affected < 1.4.3-r9fixed 1.4.3-r9

    A malicious HTTP/2 client which rapidly creates requests and immediately resets them can cause excessive server resource consumption. While the total number of requests is bounded by the http2.Server.MaxConcurrentStreams setting, resetting an in-progress request allows the attack

  • CVE-2023-3978MedAug 2, 2023
    affected < 1.4.3-r9fixed 1.4.3-r9

    Text nodes not in the HTML namespace are incorrectly literally rendered, causing text which should be escaped to not be. This could lead to an XSS attack.

  • CVE-2023-33959HigJun 6, 2023
    affected < 2.1.2-r7fixed 2.1.2-r7

    notation is a CLI tool to sign and verify OCI artifacts and container images. An attacker who has compromised a registry can cause users to verify the wrong artifact. The problem has been fixed in the release v1.0.0-rc.6. Users should upgrade their notation-go library to v1.0.0-r

  • CVE-2023-25656HigFeb 20, 2023
    affected < 2.1.2-r7fixed 2.1.2-r7

    notation-go is a collection of libraries for supporting Notation sign, verify, push, and pull of oci artifacts. Prior to version 1.0.0-rc.3, notation-go users will find their application using excessive memory when verifying signatures. The application will be killed, and thus av

  • CVE-2020-8559MedJul 22, 2020
    affected < 2.1.2-r7fixed 2.1.2-r7

    The Kubernetes kube-apiserver in versions v1.6-v1.15, and versions prior to v1.16.13, v1.17.9 and v1.18.6 are vulnerable to an unvalidated redirect on proxied upgrade requests that could allow an attacker to escalate privileges from a node compromise to a full cluster compromise.

Page 8 of 8