Skip to main content
New to Testkube? Unleash the power of cloud native testing in Kubernetes with Testkube. Get Started >

kube-webhook-certgen-0.0.4_linux_amd64

digestsha256:321e434a68754a8449e0b856f0fc5d1f7012933c9ea00a2268b2333ba0e41f3c
vulnerabilitiescritical: 0 high: 3 medium: 1 low: 0
size11 MB
packages48
critical: 0 high: 2 medium: 0 low: 0 golang.org/x/net 0.0.0-20220722155237-a158d28d115b (golang)

pkg:golang/golang.org/x/net@0.0.0-20220722155237-a158d28d115b
high 7.5: CVE--2022--41721 Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling')

Affected range
>=0.0.0-20220524220425-1d687d428aca
<0.1.1-0.20221104162952-702349b0e862
Fixed version0.1.1-0.20221104162952-702349b0e862
CVSS Score7.5
CVSS VectorCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
EPSS Score0.17%
EPSS Percentile56th percentile
Description

A request smuggling attack is possible when using MaxBytesHandler. When using MaxBytesHandler, the body of an HTTP request is not fully consumed. When the server attempts to read HTTP2 frames from the connection, it will instead be reading the body of the HTTP request, which could be attacker-manipulated to represent arbitrary HTTP2 requests.

Specific Go Packages Affected

golang.org/x/net/http2/h2c

high 7.5: CVE--2022--27664

Affected range<0.0.0-20220906165146-f3363e06e74c
Fixed version0.0.0-20220906165146-f3363e06e74c
CVSS Score7.5
CVSS VectorCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
EPSS Score0.24%
EPSS Percentile63rd percentile
Description

In net/http in Go before 1.18.6 and 1.19.x before 1.19.1, attackers can cause a denial of service because an HTTP/2 connection can hang during closing if shutdown were preempted by a fatal error.

critical: 0 high: 1 medium: 0 low: 0 golang.org/x/text 0.3.7 (golang)

pkg:golang/golang.org/x/text@0.3.7
high 7.5: CVE--2022--32149 Missing Release of Resource after Effective Lifetime

Affected range<0.3.8
Fixed version0.3.8
CVSS Score7.5
CVSS VectorCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
EPSS Score0.24%
EPSS Percentile63rd percentile
Description

The BCP 47 tag parser has quadratic time complexity due to inherent aspects of its design. Since the parser is, by design, exposed to untrusted user input, this can be leveraged to force a program to consume significant time parsing Accept-Language headers. The parser cannot be easily rewritten to fix this behavior for various reasons. Instead the solution implemented in this CL is to limit the total complexity of tags passed into ParseAcceptLanguage by limiting the number of dashes in the string to 1000. This should be more than enough for the majority of real world use cases, where the number of tags being sent is likely to be in the single digits.

Specific Go Packages Affected

golang.org/x/text/language

critical: 0 high: 0 medium: 1 low: 0 google.golang.org/protobuf 1.28.0 (golang)

pkg:golang/google.golang.org/protobuf@1.28.0
medium 7.5: CVE--2024--24786 Loop with Unreachable Exit Condition ('Infinite Loop')

Affected range<1.33.0
Fixed version1.33.0
CVSS Score7.5
CVSS VectorCVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U
EPSS Score0.04%
EPSS Percentile17th percentile
Description

The protojson.Unmarshal function can enter an infinite loop when unmarshaling certain forms of invalid JSON. This condition can occur when unmarshaling into a message which contains a google.protobuf.Any value, or when the UnmarshalOptions.DiscardUnknown option is set.