testkube-api-server-2.6.0_linux_amd64

digest	`sha256:b9f3f4861936a45ef7c5c0c3f06ee42dd6aa2badb4dd64177b5789bc5bdf2781`
vulnerabilities
platform	linux/amd64
size	70 MB
packages	252

libssl3 3.3.5-r0 (apk)

pkg:apk/alpine/libssl3@3.3.5-r0?arch=x86_64&distro=alpine-3.20.8&upstream=openssl

# api-server.Dockerfile (33:33)
FROM ${ALPINE_IMAGE}

Affected range	`<3.3.6-r0`
Fixed version	`3.3.6-r0`
EPSS Score	`0.662%`
EPSS Percentile	`71st percentile`

Description

Affected range	`<3.3.6-r0`
Fixed version	`3.3.6-r0`
EPSS Score	`0.059%`
EPSS Percentile	`19th percentile`

Description

Affected range	`<3.3.6-r0`
Fixed version	`3.3.6-r0`
EPSS Score	`0.070%`
EPSS Percentile	`21st percentile`

Description

Affected range	`<3.3.6-r0`
Fixed version	`3.3.6-r0`
EPSS Score	`0.056%`
EPSS Percentile	`18th percentile`

Description

Affected range	`<3.3.6-r0`
Fixed version	`3.3.6-r0`
EPSS Score	`0.059%`
EPSS Percentile	`18th percentile`

Description

Affected range	`<3.3.6-r0`
Fixed version	`3.3.6-r0`
EPSS Score	`0.048%`
EPSS Percentile	`15th percentile`

Description

Affected range	`<3.3.6-r0`
Fixed version	`3.3.6-r0`
EPSS Score	`0.015%`
EPSS Percentile	`3rd percentile`

Description

Affected range	`<3.3.6-r0`
Fixed version	`3.3.6-r0`
EPSS Score	`0.070%`
EPSS Percentile	`22nd percentile`

Description

Affected range	`<3.3.6-r0`
Fixed version	`3.3.6-r0`
EPSS Score	`0.014%`
EPSS Percentile	`2nd percentile`

Description

Affected range	`<3.3.6-r0`
Fixed version	`3.3.6-r0`
EPSS Score	`0.005%`
EPSS Percentile	`0th percentile`

Description

c-ares 1.33.1-r0 (apk)

pkg:apk/alpine/c-ares@1.33.1-r0?arch=x86_64&distro=alpine-3.20.8

# api-server.Dockerfile (34:34)
RUN apk --no-cache add ca-certificates libssl3 git

Affected range	`<=1.33.1-r0`
Fixed version	Not Fixed
EPSS Score	`0.618%`
EPSS Percentile	`69th percentile`

Description

Affected range	`<=1.33.1-r0`
Fixed version	Not Fixed
EPSS Score	`0.060%`
EPSS Percentile	`19th percentile`

Description

github.com/gofiber/fiber/v2 2.52.5 (golang)

pkg:golang/github.com/gofiber/fiber/v2@2.52.5

# api-server.Dockerfile (36:36)
COPY --from=build /app /bin/app

Memory Allocation with Excessive Size Value

Affected range	`<=2.52.8`
Fixed version	`2.52.9`
CVSS Score	`8.7`
CVSS Vector	`CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N`
EPSS Score	`0.065%`
EPSS Percentile	`20th percentile`

Description

Description

When using Fiber's Ctx.BodyParser to parse form data containing a large numeric key that represents a slice index (e.g., test.18446744073704), the application crashes due to an out-of-bounds slice allocation in the underlying schema decoder.

The root cause is that the decoder attempts to allocate a slice of length idx + 1 without validating whether the index is within a safe or reasonable range. If idx is excessively large, this leads to an integer overflow or memory exhaustion, causing a panic or crash.

Steps to Reproduce

Create a POST request handler that accepts x-www-form-urlencoded data
package main

import (
	"fmt"
	"net/http"

	"github.com/gofiber/fiber/v2"
)

type RequestBody struct {
	NestedContent []*struct{} `form:"test"`
}

func main() {
	app := fiber.New()

	app.Post("/", func(c *fiber.Ctx) error {
		formData := RequestBody{}
		if err := c.BodyParser(&formData); err != nil {
			fmt.Println(err)
			return c.SendStatus(http.StatusUnprocessableEntity)
		}
		return nil
	})

	fmt.Println(app.Listen(":3000"))
}
Run the server and send a POST request with a large numeric key in form data, such as:
curl -v -X POST localhost:3000 --data-raw 'test.18446744073704' \
  -H 'Content-Type: application/x-www-form-urlencoded'
Relevant Code Snippet

Within the decoder's decode method:
idx := parts[0].index
if v.IsNil() || v.Len() < idx+1 {
    value := reflect.MakeSlice(t, idx+1, idx+1)  // <-- Panic/crash occurs here when idx is huge
    if v.Len() < idx+1 {
        reflect.Copy(value, v)
    }
    v.Set(value)
}
The idx is not validated before use, leading to unsafe slice allocation for extremely large values.

Impact

Application panic or crash on malicious or malformed input.

Potential denial of service (DoS) via memory exhaustion or server crash.

Lack of defensive checks in the parsing code causes instability.

libcurl 8.14.1-r2 (apk)

pkg:apk/alpine/libcurl@8.14.1-r2?arch=x86_64&distro=alpine-3.20.8&upstream=curl

# api-server.Dockerfile (34:34)
RUN apk --no-cache add ca-certificates libssl3 git

Affected range	`<=8.14.1-r2`
Fixed version	Not Fixed
EPSS Score	`0.007%`
EPSS Percentile	`0th percentile`

Description

Affected range	`<=8.14.1-r2`
Fixed version	Not Fixed
EPSS Score	`0.019%`
EPSS Percentile	`4th percentile`

Description

Affected range	`<=8.14.1-r2`
Fixed version	Not Fixed
EPSS Score	`0.021%`
EPSS Percentile	`5th percentile`

Description

Affected range	`<=8.14.1-r2`
Fixed version	Not Fixed
EPSS Score	`0.036%`
EPSS Percentile	`10th percentile`

Description

Affected range	`<=8.14.1-r2`
Fixed version	Not Fixed
EPSS Score	`0.021%`
EPSS Percentile	`5th percentile`

Description

Affected range	`<=8.14.1-r2`
Fixed version	Not Fixed
EPSS Score	`0.015%`
EPSS Percentile	`2nd percentile`

Description

Affected range	`<=8.14.1-r2`
Fixed version	Not Fixed
EPSS Score	`0.049%`
EPSS Percentile	`15th percentile`

Description

ssl_client 1.36.1-r30 (apk)

pkg:apk/alpine/ssl_client@1.36.1-r30?arch=x86_64&distro=alpine-3.20.8&upstream=busybox

# api-server.Dockerfile (33:33)
FROM ${ALPINE_IMAGE}

Affected range	`<=1.36.1-r30`
Fixed version	Not Fixed
EPSS Score	`0.052%`
EPSS Percentile	`16th percentile`

Description

Affected range	`<1.36.1-r31`
Fixed version	`1.36.1-r31`
EPSS Score	`0.031%`
EPSS Percentile	`8th percentile`

Description

Affected range	`<1.36.1-r31`
Fixed version	`1.36.1-r31`
EPSS Score	`0.024%`
EPSS Percentile	`6th percentile`

Description

libexpat 2.7.3-r0 (apk)

pkg:apk/alpine/libexpat@2.7.3-r0?arch=x86_64&distro=alpine-3.20.8&upstream=expat

# api-server.Dockerfile (34:34)
RUN apk --no-cache add ca-certificates libssl3 git

Affected range	`<2.7.4-r0`
Fixed version	`2.7.4-r0`
EPSS Score	`0.006%`
EPSS Percentile	`0th percentile`

Description

Affected range	`<2.7.4-r0`
Fixed version	`2.7.4-r0`
EPSS Score	`0.013%`
EPSS Percentile	`2nd percentile`

Description

gopkg.in/square/go-jose.v2 2.6.0 (golang)

pkg:golang/gopkg.in/square/go-jose.v2@2.6.0

# api-server.Dockerfile (36:36)
COPY --from=build /app /bin/app

Improper Handling of Highly Compressed Data (Data Amplification)

Affected range	`<=2.6.0`
Fixed version	Not Fixed
CVSS Score	`4.3`
CVSS Vector	`CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L`
EPSS Score	`3.644%`
EPSS Percentile	`88th percentile`

Description

Impact

An attacker could send a JWE containing compressed data that used large amounts of memory and CPU when decompressed by Decrypt or DecryptMulti. Those functions now return an error if the decompressed data would exceed 250kB or 10x the compressed size (whichever is larger). Thanks to Enze Wang@Alioth and Jianjun Chen@Zhongguancun Lab (@zer0yu and @chenjj) for reporting.

Patches

The problem is fixed in the following packages and versions:

github.com/go-jose/go-jose/v4 version 4.0.1

github.com/go-jose/go-jose/v3 version 3.0.3

gopkg.in/go-jose/go-jose.v2 version 2.6.3

The problem will not be fixed in the following package because the package is archived:

gopkg.in/square/go-jose.v2

github.com/docker/docker 27.3.1+incompatible (golang)

pkg:golang/github.com/docker/docker@27.3.1%2Bincompatible

# api-server.Dockerfile (36:36)
COPY --from=build /app /bin/app

Missing Initialization of Resource

Affected range	`>=26.0.0-rc1 <28.0.0`
Fixed version	`28.0.0`
CVSS Score	`3.3`
CVSS Vector	`CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:L/I:L/A:N`
EPSS Score	`0.004%`
EPSS Percentile	`0th percentile`

Description

Moby is an open source container framework developed by Docker Inc. that is distributed as Docker Engine, Mirantis Container Runtime, and various other downstream projects/products. The Moby daemon component (dockerd), which is developed as moby/moby is commonly referred to as Docker, or Docker Engine.

Firewalld is a daemon used by some Linux distributions to provide a dynamically managed firewall. When Firewalld is running, Docker uses its iptables backend to create rules, including rules to isolate containers in one bridge network from containers in other bridge networks.

Impact

The iptables rules created by Docker are removed when firewalld is reloaded using, for example "firewall-cmd --reload", "killall -HUP firewalld", or "systemctl reload firewalld".

When that happens, Docker must re-create the rules. However, in affected versions of Docker, the iptables rules that isolate containers in different bridge networks from each other are not re-created.

Once these rules have been removed, containers have access to any port, on any container, in any non-internal bridge network, running on the Docker host.

Containers running in networks created with --internal or equivalent have no access to other networks. Containers that are only connected to these networks remain isolated after a firewalld reload.

Where Docker Engine is not running in the host's network namespace, it is unaffected. Including, for example, Rootless Mode, and Docker Desktop.

Patches

Moby releases 28.0.0 and newer are not affected. A fix is available in moby release 25.0.13.

Workarounds

After reloading firewalld, either:

Restart the docker daemon,

Re-create bridge networks, or

Use rootless mode.

References

https://firewalld.org/ https://firewalld.org/documentation/howto/reload-firewalld.html

Description​

Steps to Reproduce​

Relevant Code Snippet​

Impact​

Impact​

Patches​

Impact​

Patches​

Workarounds​

References​

Description

Steps to Reproduce

Relevant Code Snippet

Impact

Impact

Patches

Impact

Patches

Workarounds

References