rpm package
almalinux/grafana-pcp
pkg:rpm/almalinux/grafana-pcp
Vulnerabilities (15)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2026-25679 | High | 7.5 | | < 5.1.1-13.el9_7 | 5.1.1-13.el9_7 | Mar 6, 2026 | url.Parse insufficiently validated the host/authority component and accepted some invalid URLs. |
| CVE-2025-68121 | Critical | 10.0 | | < 5.3.0-2.el10_1 | 5.3.0-2.el10_1 | Feb 5, 2026 | During session resumption in crypto/tls, if the underlying Config has its ClientCAs or RootCAs fields mutated between the initial handshake and the resumed handshake, the resumed handshake may succeed when it should have failed. This may happen when a user calls Config.Clone and |
| CVE-2025-61726 | — | | | < 5.3.0-2.el10_1 | 5.3.0-2.el10_1 | Jan 28, 2026 | The net/url package does not set a limit on the number of query parameters in a query. While the maximum size of query parameters in URLs is generally limited by the maximum request header size, the net/http.Request.ParseForm method can parse large URL-encoded forms. Parsing a la |
| CVE-2025-61729 | — | | | < 5.1.1-11.el8_10 | 5.1.1-11.el8_10 | Dec 2, 2025 | Within HostnameError.Error(), when constructing an error string, there is no limit to the number of hosts that will be printed out. Furthermore, the error string is constructed by repeated string concatenation, leading to quadratic runtime. Therefore, a certificate provided by a |
| CVE-2025-22871 | Critical | 9.1 | | < 5.2.2-3.el10_0 | 5.2.2-3.el10_0 | Apr 8, 2025 | The net/http package improperly accepts a bare LF as a line terminator in chunked data chunk-size lines. This can permit request smuggling if a net/http server is used in conjunction with a server that incorrectly accepts a bare LF as part of a chunk-ext. |
| CVE-2024-9355 | Medium | 6.5 | | < 5.1.1-9.el8_10 | 5.1.1-9.el8_10 | Oct 1, 2024 | A vulnerability was found in Golang FIPS OpenSSL. This flaw allows a malicious user to randomly cause an uninitialized buffer length variable with a zeroed buffer to be returned in FIPS mode. It may also be possible to force a false positive match between non-equal hashes when co |
| CVE-2024-34156 | High | 7.5 | | < 5.1.1-3.el9_4 | 5.1.1-3.el9_4 | Sep 6, 2024 | Calling Decoder.Decode on a message which contains deeply nested structures can cause a panic due to stack exhaustion. This is a follow-up to CVE-2022-30635. |
| CVE-2024-1394 | High | 7.5 | | < 5.1.1-2.el9_3.alma.1 | 5.1.1-2.el9_3.alma.1 | Mar 21, 2024 | A memory leak flaw was found in Golang in the RSA encrypting/decrypting code, which might lead to a resource exhaustion vulnerability using attacker-controlled inputs. The memory leak happens in github.com/golang-fips/openssl/openssl/rsa.go#L113. The objects leaked are pkey and |
| CVE-2022-27664 | — | | | < 5.1.1-1.el9 | 5.1.1-1.el9 | Sep 6, 2022 | In net/http in Go before 1.18.6 and 1.19.x before 1.19.1, attackers can cause a denial of service because an HTTP/2 connection can hang during closing if shutdown were preempted by a fatal error. |
| CVE-2022-32148 | — | | | < 3.2.0-2.el8 | 3.2.0-2.el8 | Aug 9, 2022 | Improper exposure of client IP addresses in net/http before Go 1.17.12 and Go 1.18.4 can be triggered by calling httputil.ReverseProxy.ServeHTTP with a Request.Header map containing a nil value for the X-Forwarded-For header, which causes ReverseProxy to set the client IP as the |
| CVE-2022-30630 | — | | | < 3.2.0-2.el8 | 3.2.0-2.el8 | Aug 9, 2022 | Uncontrolled recursion in Glob in io/fs before Go 1.17.12 and Go 1.18.4 allows an attacker to cause a panic due to stack exhaustion via a path which contains a large number of path separators. |
| CVE-2022-1705 | — | | | < 3.2.0-2.el8 | 3.2.0-2.el8 | Aug 9, 2022 | Acceptance of some invalid Transfer-Encoding headers in the HTTP/1 client in net/http before Go 1.17.12 and Go 1.18.4 allows HTTP request smuggling if combined with an intermediate server that also improperly fails to reject the header as invalid. |
| CVE-2022-30631 | — | | | < 3.2.0-2.el8 | 3.2.0-2.el8 | Aug 9, 2022 | Uncontrolled recursion in Reader.Read in compress/gzip before Go 1.17.12 and Go 1.18.4 allows an attacker to cause a panic due to stack exhaustion via an archive containing a large number of concatenated 0-length compressed files. |
| CVE-2022-30635 | — | | | < 3.2.0-2.el8 | 3.2.0-2.el8 | Aug 9, 2022 | Uncontrolled recursion in Decoder.Decode in encoding/gob before Go 1.17.12 and Go 1.18.4 allows an attacker to cause a panic due to stack exhaustion via a message which contains deeply nested structures. |
| CVE-2022-30632 | — | | | < 3.2.0-2.el8 | 3.2.0-2.el8 | Aug 9, 2022 | Uncontrolled recursion in Glob in path/filepath before Go 1.17.12 and Go 1.18.4 allows an attacker to cause a panic due to stack exhaustion via a path containing a large number of path separators. |