rpm package
almalinux/weldr-client
pkg:rpm/almalinux/weldr-client
Vulnerabilities (7)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2025-22871 | Cri | 9.1 | < 35.12-4.el9_6 | 35.12-4.el9_6 | Apr 8, 2025 | The net/http package improperly accepts a bare LF as a line terminator in chunked data chunk-size lines. This can permit request smuggling if a net/http server is used in conjunction with a server that incorrectly accepts a bare LF as part of a chunk-ext. | |
| CVE-2022-41717 | — | < 35.9-1.el9 | 35.9-1.el9 | Dec 8, 2022 | An attacker can cause excessive memory growth in a Go server accepting HTTP/2 requests. HTTP/2 server connections contain a cache of HTTP header keys sent by the client. While the total number of entries in this cache is capped, an attacker sending very large keys can cause the s | ||
| CVE-2022-41715 | — | < 35.9-1.el9 | 35.9-1.el9 | Oct 14, 2022 | Programs which compile regular expressions from untrusted sources may be vulnerable to memory exhaustion or denial of service. The parsed regexp representation is linear in the size of the input, but in some cases the constant factor can be as high as 40,000, making relatively sm | ||
| CVE-2022-2880 | — | < 35.9-1.el9 | 35.9-1.el9 | Oct 14, 2022 | Requests forwarded by ReverseProxy include the raw query parameters from the inbound request, including unparsable parameters rejected by net/http. This could permit query parameter smuggling when a Go proxy forwards a parameter with an unparsable value. After fix, ReverseProxy s | ||
| CVE-2022-2879 | — | < 35.9-1.el9 | 35.9-1.el9 | Oct 14, 2022 | Reader.Read does not set a limit on the maximum size of file headers. A maliciously crafted archive could cause Read to allocate unbounded amounts of memory, potentially causing resource exhaustion or panics. After fix, Reader.Read limits the maximum size of header blocks to 1 Mi | ||
| CVE-2022-27664 | — | < 35.9-1.el9 | 35.9-1.el9 | Sep 6, 2022 | In net/http in Go before 1.18.6 and 1.19.x before 1.19.1, attackers can cause a denial of service because an HTTP/2 connection can hang during closing if shutdown were preempted by a fatal error. | ||
| CVE-2022-32189 | — | < 35.5-4.el8 | 35.5-4.el8 | Aug 9, 2022 | A too-short encoded message can cause a panic in Float.GobDecode and Rat GobDecode in math/big in Go before 1.17.13 and 1.18.5, potentially allowing a denial of service. |
- affected < 35.12-4.el9_6fixed 35.12-4.el9_6
The net/http package improperly accepts a bare LF as a line terminator in chunked data chunk-size lines. This can permit request smuggling if a net/http server is used in conjunction with a server that incorrectly accepts a bare LF as part of a chunk-ext.
- CVE-2022-41717Dec 8, 2022affected < 35.9-1.el9fixed 35.9-1.el9
An attacker can cause excessive memory growth in a Go server accepting HTTP/2 requests. HTTP/2 server connections contain a cache of HTTP header keys sent by the client. While the total number of entries in this cache is capped, an attacker sending very large keys can cause the s
- CVE-2022-41715Oct 14, 2022affected < 35.9-1.el9fixed 35.9-1.el9
Programs which compile regular expressions from untrusted sources may be vulnerable to memory exhaustion or denial of service. The parsed regexp representation is linear in the size of the input, but in some cases the constant factor can be as high as 40,000, making relatively sm
- CVE-2022-2880Oct 14, 2022affected < 35.9-1.el9fixed 35.9-1.el9
Requests forwarded by ReverseProxy include the raw query parameters from the inbound request, including unparsable parameters rejected by net/http. This could permit query parameter smuggling when a Go proxy forwards a parameter with an unparsable value. After fix, ReverseProxy s
- CVE-2022-2879Oct 14, 2022affected < 35.9-1.el9fixed 35.9-1.el9
Reader.Read does not set a limit on the maximum size of file headers. A maliciously crafted archive could cause Read to allocate unbounded amounts of memory, potentially causing resource exhaustion or panics. After fix, Reader.Read limits the maximum size of header blocks to 1 Mi
- CVE-2022-27664Sep 6, 2022affected < 35.9-1.el9fixed 35.9-1.el9
In net/http in Go before 1.18.6 and 1.19.x before 1.19.1, attackers can cause a denial of service because an HTTP/2 connection can hang during closing if shutdown were preempted by a fatal error.
- CVE-2022-32189Aug 9, 2022affected < 35.5-4.el8fixed 35.5-4.el8
A too-short encoded message can cause a panic in Float.GobDecode and Rat GobDecode in math/big in Go before 1.17.13 and 1.18.5, potentially allowing a denial of service.