Skip to main content
New to Testkube? Unleash the power of cloud native testing in Kubernetes with Testkube. Get Started >

nats-2.10.9-alpine_linux_amd64

digestsha256:79bfb095a2a29075819ebbd21420337f409d7d58d4230129318b612f0ec84c92
vulnerabilitiescritical: 2 high: 7 medium: 6 low: 0 unspecified: 8
size9.5 MB
packages32
critical: 1 high: 6 medium: 1 low: 0 unspecified: 5stdlib 1.21.6 (golang)

pkg:golang/stdlib@1.21.6
critical : CVE--2024--24790

Affected range<1.21.11
Fixed version1.21.11
EPSS Score0.06%
EPSS Percentile28th percentile
Description

The various Is methods (IsPrivate, IsLoopback, etc) did not work as expected for IPv4-mapped IPv6 addresses, returning false for addresses which would return true in their traditional IPv4 forms.

high : CVE--2024--34158

Affected range<1.22.7
Fixed version1.22.7
EPSS Score0.04%
EPSS Percentile16th percentile
Description

Calling Parse on a "// +build" build tag line with deeply nested expressions can cause a panic due to stack exhaustion.

high : CVE--2024--34156

Affected range<1.22.7
Fixed version1.22.7
EPSS Score0.04%
EPSS Percentile16th percentile
Description

Calling Decoder.Decode on a message which contains deeply nested structures can cause a panic due to stack exhaustion. This is a follow-up to CVE-2022-30635.

high : CVE--2024--24791

Affected range<1.21.12
Fixed version1.21.12
EPSS Score0.04%
EPSS Percentile16th percentile
Description

The net/http HTTP/1.1 client mishandled the case where a server responds to a request with an "Expect: 100-continue" header with a non-informational (200 or higher) status. This mishandling could leave a client connection in an invalid state, where the next request sent on the connection will fail.

An attacker sending a request to a net/http/httputil.ReverseProxy proxy can exploit this mishandling to cause a denial of service by sending "Expect: 100-continue" requests which elicit a non-informational response from the backend. Each such request leaves the proxy with an invalid connection, and causes one subsequent request using that connection to fail.

high : CVE--2024--24784

Affected range<1.21.8
Fixed version1.21.8
EPSS Score0.04%
EPSS Percentile11th percentile
Description

The ParseAddressList function incorrectly handles comments (text within parentheses) within display names. Since this is a misalignment with conforming address parsers, it can result in different trust decisions being made by programs using different parsers.

high : CVE--2023--45288

Affected range<1.21.9
Fixed version1.21.9
EPSS Score0.04%
EPSS Percentile14th percentile
Description

An attacker may cause an HTTP/2 endpoint to read arbitrary amounts of header data by sending an excessive number of CONTINUATION frames.

Maintaining HPACK state requires parsing and processing all HEADERS and CONTINUATION frames on a connection. When a request's headers exceed MaxHeaderBytes, no memory is allocated to store the excess headers, but they are still parsed.

This permits an attacker to cause an HTTP/2 endpoint to read arbitrary amounts of header data, all associated with a request which is going to be rejected. These headers can include Huffman-encoded data which is significantly more expensive for the receiver to decode than for an attacker to send.

The fix sets a limit on the amount of excess header frames we will process before closing a connection.

high : CVE--2022--30635

Affected range<1.22.7
Fixed version1.22.7
EPSS Score0.19%
EPSS Percentile56th percentile
Description

Calling Decoder.Decode on a message which contains deeply nested structures can cause a panic due to stack exhaustion. This is a follow-up to CVE-2022-30635.

medium : CVE--2024--24789

Affected range<1.21.11
Fixed version1.21.11
EPSS Score0.04%
EPSS Percentile11th percentile
Description

The archive/zip package's handling of certain types of invalid zip files differs from the behavior of most zip implementations. This misalignment could be exploited to create an zip file with contents that vary depending on the implementation reading the file. The archive/zip package now rejects files containing these errors.

unspecified : CVE--2024--34155

Affected range<1.22.7
Fixed version1.22.7
EPSS Score0.04%
EPSS Percentile16th percentile
Description

Calling any of the Parse functions on Go source code which contains deeply nested literals can cause a panic due to stack exhaustion.

unspecified : CVE--2024--24785

Affected range<1.21.8
Fixed version1.21.8
EPSS Score0.04%
EPSS Percentile11th percentile
Description

If errors returned from MarshalJSON methods contain user controlled data, they may be used to break the contextual auto-escaping behavior of the html/template package, allowing for subsequent actions to inject unexpected content into templates.

unspecified : CVE--2024--24783

Affected range<1.21.8
Fixed version1.21.8
EPSS Score0.04%
EPSS Percentile11th percentile
Description

Verifying a certificate chain which contains a certificate with an unknown public key algorithm will cause Certificate.Verify to panic.

This affects all crypto/tls clients, and servers that set Config.ClientAuth to VerifyClientCertIfGiven or RequireAndVerifyClientCert. The default behavior is for TLS servers to not verify client certificates.

unspecified : CVE--2023--45290

Affected range<1.21.8
Fixed version1.21.8
EPSS Score0.04%
EPSS Percentile11th percentile
Description

When parsing a multipart form (either explicitly with Request.ParseMultipartForm or implicitly with Request.FormValue, Request.PostFormValue, or Request.FormFile), limits on the total size of the parsed form were not applied to the memory consumed while reading a single form line. This permits a maliciously crafted input containing very long lines to cause allocation of arbitrarily large amounts of memory, potentially leading to memory exhaustion.

With fix, the ParseMultipartForm function now correctly limits the maximum size of form lines.

unspecified : CVE--2023--45289

Affected range<1.21.8
Fixed version1.21.8
EPSS Score0.04%
EPSS Percentile11th percentile
Description

When following an HTTP redirect to a domain which is not a subdomain match or exact match of the initial domain, an http.Client does not forward sensitive headers such as "Authorization" or "Cookie". For example, a redirect from foo.com to www.foo.com will forward the Authorization header, but a redirect to bar.com will not.

A maliciously crafted HTTP redirect could cause sensitive headers to be unexpectedly forwarded.

critical: 1 high: 1 medium: 1 low: 0 unspecified: 3openssl 3.1.4-r5 (apk)

pkg:apk/alpine/openssl@3.1.4-r5?os_name=alpine&os_version=3.19
critical : CVE--2024--5535

Affected range<3.1.6-r0
Fixed version3.1.6-r0
EPSS Score0.04%
EPSS Percentile14th percentile
Description

high : CVE--2024--6119

Affected range<3.1.7-r0
Fixed version3.1.7-r0
EPSS Score0.04%
EPSS Percentile16th percentile
Description

medium : CVE--2024--4603

Affected range<3.1.5-r0
Fixed version3.1.5-r0
EPSS Score0.04%
EPSS Percentile16th percentile
Description

unspecified : CVE--2024--9143

Affected range<3.1.7-r1
Fixed version3.1.7-r1
EPSS Score0.04%
EPSS Percentile11th percentile
Description

unspecified : CVE--2024--4741

Affected range<3.1.6-r0
Fixed version3.1.6-r0
Description

unspecified : CVE--2024--2511

Affected range<3.1.4-r6
Fixed version3.1.4-r6
EPSS Score0.04%
EPSS Percentile16th percentile
Description
critical: 0 high: 0 medium: 4 low: 0 busybox 1.36.1-r15 (apk)

pkg:apk/alpine/busybox@1.36.1-r15?os_name=alpine&os_version=3.19
medium : CVE--2023--42366

Affected range<1.36.1-r16
Fixed version1.36.1-r16
EPSS Score0.04%
EPSS Percentile14th percentile
Description

medium : CVE--2023--42365

Affected range<1.36.1-r19
Fixed version1.36.1-r19
EPSS Score0.04%
EPSS Percentile14th percentile
Description

medium : CVE--2023--42364

Affected range<1.36.1-r19
Fixed version1.36.1-r19
EPSS Score0.04%
EPSS Percentile14th percentile
Description

medium : CVE--2023--42363

Affected range<1.36.1-r17
Fixed version1.36.1-r17
EPSS Score0.04%
EPSS Percentile14th percentile
Description