
testkube-api-server-2.1.164_linux_amd64

digest: sha256:5e6a8601002976805134ee9b976bf136de8d6d407495a872eb3fde7cf370028c
vulnerabilities: critical: 0 high: 6 medium: 3 low: 2
platform: linux/amd64
size: 70 MB
packages: 238
critical: 0 high: 5 medium: 1 low: 1 git 2.45.3-r0 (apk)

pkg:apk/alpine/git@2.45.3-r0?arch=x86_64&distro=alpine-3.20.6

# api-server.Dockerfile (34:34)
RUN apk --no-cache add ca-certificates libssl3 git

high: CVE-2025-48385

Affected range: <2.45.4-r0
Fixed version: 2.45.4-r0
EPSS Score: 0.102%
EPSS Percentile: 29th percentile
Description

high: CVE-2025-46334

Affected range: <2.45.4-r0
Fixed version: 2.45.4-r0
EPSS Score: 0.021%
EPSS Percentile: 4th percentile
Description

high: CVE-2025-27614

Affected range: <2.45.4-r0
Fixed version: 2.45.4-r0
EPSS Score: 0.022%
EPSS Percentile: 4th percentile
Description

high: CVE-2025-46835

Affected range: <2.45.4-r0
Fixed version: 2.45.4-r0
EPSS Score: 0.022%
EPSS Percentile: 4th percentile
Description

high: CVE-2025-48384

Affected range: <2.45.4-r0
Fixed version: 2.45.4-r0
EPSS Score: 0.016%
EPSS Percentile: 2nd percentile
Description

medium: CVE-2025-48386

Affected range: <2.45.4-r0
Fixed version: 2.45.4-r0
EPSS Score: 0.014%
EPSS Percentile: 2nd percentile
Description

low: CVE-2025-27613

Affected range: <2.45.4-r0
Fixed version: 2.45.4-r0
EPSS Score: 0.019%
EPSS Percentile: 3rd percentile
Description
critical: 0 high: 1 medium: 0 low: 1 github.com/golang-jwt/jwt/v4 4.5.0 (golang)

pkg:golang/github.com/golang-jwt/jwt@4.5.0#v4

# api-server.Dockerfile (36:36)
COPY --from=build /app /bin/app

high 8.7: CVE-2025-30204 Asymmetric Resource Consumption (Amplification)

Affected range: <4.5.2
Fixed version: 4.5.2
CVSS Score: 8.7
CVSS Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
EPSS Score: 0.033%
EPSS Percentile: 8th percentile
Description

Summary

Function parse.ParseUnverified currently splits (via a call to strings.Split) its argument (which is untrusted data) on periods.

As a result, in the face of a malicious request whose Authorization header consists of Bearer followed by many period characters, a call to that function incurs allocations to the tune of O(n) bytes (where n stands for the length of the function's argument), with a constant factor of about 16. Relevant weakness: CWE-405: Asymmetric Resource Consumption (Amplification)

Details

See parse.ParseUnverified

Impact

Excessive memory allocation

low 2.3: CVE-2024-51744 Improper Verification of Cryptographic Signature

Affected range: <4.5.1
Fixed version: 4.5.1
CVSS Score: 2.3
CVSS Vector: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N
EPSS Score: 0.019%
EPSS Percentile: 3rd percentile
Description

Summary

Unclear documentation of the error behavior in ParseWithClaims can lead to a situation where users are potentially not checking errors in the way they should be. Especially, if a token is both expired and invalid, the errors returned by ParseWithClaims return both error codes. If users only check for the jwt.ErrTokenExpired using errors.Is, they will ignore the embedded jwt.ErrTokenSignatureInvalid and thus potentially accept invalid tokens.

Fix

We have back-ported the error handling logic from the v5 branch to the v4 branch. In this logic, the ParseWithClaims function will immediately return in "dangerous" situations (e.g., an invalid signature), limiting the combined errors only to situations where the signature is valid, but further validation failed (e.g., if the signature is valid, but is expired AND has the wrong audience). This fix is part of the 4.5.1 release.

Workaround

We are aware that this changes the behaviour of an established function and is not 100% backwards compatible, so updating to 4.5.1 might break your code. In case you cannot update to 4.5.0, please make sure that you are properly checking for all errors ("dangerous" ones first), so that you are not running in the case detailed above.

package auth

import (
	"errors"
	"fmt"

	"github.com/golang-jwt/jwt/v4"
)

// handleToken parses tokenString with keyFunc and checks the "dangerous"
// errors first, so an invalid signature is never masked by an expiry error.
func handleToken(tokenString string, keyFunc jwt.Keyfunc) {
	token, err := jwt.Parse(tokenString, keyFunc) // or jwt.ParseWithClaims
	if err == nil && token.Valid {
		fmt.Println("You look nice today")
	} else if errors.Is(err, jwt.ErrTokenMalformed) {
		fmt.Println("That's not even a token")
	} else if errors.Is(err, jwt.ErrTokenUnverifiable) {
		fmt.Println("We could not verify this token")
	} else if errors.Is(err, jwt.ErrTokenSignatureInvalid) {
		fmt.Println("This token has an invalid signature")
	} else if errors.Is(err, jwt.ErrTokenExpired) || errors.Is(err, jwt.ErrTokenNotValidYet) {
		// Token is either expired or not active yet
		fmt.Println("Timing is everything")
	} else {
		fmt.Println("Couldn't handle this token:", err)
	}
}
critical: 0 high: 0 medium: 1 low: 0 gopkg.in/square/go-jose.v2 2.6.0 (golang)

pkg:golang/gopkg.in/square/go-jose.v2@2.6.0

# api-server.Dockerfile (36:36)
COPY --from=build /app /bin/app

medium 4.3: CVE-2024-28180 Improper Handling of Highly Compressed Data (Data Amplification)

Affected range: <=2.6.0
Fixed version: Not Fixed
CVSS Score: 4.3
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L
EPSS Score: 0.254%
EPSS Percentile: 49th percentile
Description

Impact

An attacker could send a JWE containing compressed data that used large amounts of memory and CPU when decompressed by Decrypt or DecryptMulti. Those functions now return an error if the decompressed data would exceed 250kB or 10x the compressed size (whichever is larger). Thanks to Enze Wang@Alioth and Jianjun Chen@Zhongguancun Lab (@zer0yu and @chenjj) for reporting.

Patches

The problem is fixed in the following packages and versions:

  • github.com/go-jose/go-jose/v4 version 4.0.1
  • github.com/go-jose/go-jose/v3 version 3.0.3
  • gopkg.in/go-jose/go-jose.v2 version 2.6.3

The problem will not be fixed in the following package because the package is archived:

  • gopkg.in/square/go-jose.v2
critical: 0 high: 0 medium: 1 low: 0 github.com/vektah/gqlparser/v2 2.5.2-0.20230422221642-25e09f9d292d (golang)

pkg:golang/github.com/vektah/gqlparser@2.5.2-0.20230422221642-25e09f9d292d#v2

# api-server.Dockerfile (36:36)
COPY --from=build /app /bin/app

medium 5.3: CVE-2023-49559 Uncontrolled Resource Consumption

Affected range: <2.5.14
Fixed version: 2.5.14
CVSS Score: 5.3
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
EPSS Score: 0.116%
EPSS Percentile: 31st percentile
Description

An issue in vektah gqlparser open-source-library v.2.5.10 allows a remote attacker to cause a denial of service via a crafted script to the parserDirectives function.