testkube-enterprise-api-2.9.1_linux_amd64

digest	sha256:f6371d7a4e0ddcd4230851d5cf28a9e02d1e0a58eeab2a31e45ab27deafe9922
vulnerabilities
platform	linux/amd64
size	78 MB
packages	345

github.com/docker/docker 28.5.2+incompatible (golang) pkg:golang/github.com/docker/docker@28.5.2%2Bincompatible Authentication Bypass Using an Alternate Path or Channel Affected range <29.3.1 Fixed version Not Fixed CVSS Score 8.8 CVSS Vector CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H EPSS Score 0.008% EPSS Percentile 1st percentile Description Summary A security vulnerability has been detected that allows attackers to bypass authorization plugins (AuthZ) under specific circumstances. The base likelihood of this being exploited is low. This is an incomplete fix for CVE-2024-41110. Impact If you don't use AuthZ plugins, you are not affected. Using a specially-crafted API request, an attacker could make the Docker daemon forward the request to an authorization plugin without the body. The authorization plugin may allow a request which it would have otherwise denied if the body had been forwarded to it. Anyone who depends on authorization plugins that introspect the request body to make access control decisions is potentially impacted. Workarounds If unable to update immediately: Avoid using AuthZ plugins that rely on request body inspection for security decisions. Restrict access to the Docker API to trusted parties, following the principle of least privilege. Credits 1seal / Oleh Konko (@1seal) Cody (c@wormhole.guru) Asim Viladi Oglu Manizada (@manizada) Resources CVE-2024-41110 / GHSA-v23v-6jw2-98fq Off-by-one Error Affected range <29.3.1 Fixed version Not Fixed CVSS Score 6.8 CVSS Vector CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N EPSS Score 0.015% EPSS Percentile 3rd percentile Description Summary A security vulnerability has been detected that allows plugins privilege validation to be bypassed during docker plugin install. Due to an error in the daemon's privilege comparison logic, the daemon may incorrectly accept a privilege set that differs from the one approved by the user. Plugins that request exactly one privilege are also affected, because no comparison is performed at all. Impact If plugins are not in use, there is no impact. When a plugin is installed, the daemon computes the privileges required by the plugin's configuration and compares them with the privileges approved during installation. A malicious plugin can exploit this bug so that the daemon accepts privileges that differ from what was intended to be approved. Anyone who depends on the plugin installation approval flow as a meaningful security boundary is potentially impacted. Depending on the privilege set involved, this may include highly sensitive plugin permissions such as broad device access. For consideration: exploitation still requires a plugin to be installed from a malicious source, and Docker plugins are relatively uncommon. Docker Desktop also does not support plugins. Workarounds If unable to update immediately: Do not install plugins from untrusted sources Carefully review all privileges requested during docker plugin install Restrict access to the Docker daemon to trusted parties, following the principle of least privilege Avoid relying on plugin privilege approval as the only control boundary for sensitive environments Credits Reported by Cody (c@wormhole.guru, PGP 0x9FA5B73E)

github.com/docker/cli 29.4.0+incompatible (golang) pkg:golang/github.com/docker/cli@29.4.0%2Bincompatible Affected range >=19.03.0+incompatible Fixed version Not Fixed EPSS Score 0.023% EPSS Percentile 6th percentile Description Docker CLI Plugins: Uncontrolled Search Path Element Leads to Local Privilege Escalation on Windows in github.com/docker/cli

github.com/go-git/go-git/v5 5.16.5 (golang) pkg:golang/github.com/go-git/go-git/v5@5.16.5 Integer Underflow (Wrap or Wraparound) Affected range >=5.0.0 <=5.17.0 Fixed version 5.17.1 CVSS Score 5 CVSS Vector CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:N/I:N/A:H EPSS Score 0.005% EPSS Percentile 0th percentile Description Impact A vulnerability has been identified in which a maliciously crafted .idx file can cause asymmetric memory consumption, potentially exhausting available memory and resulting in a Denial of Service (DoS) condition. Exploitation requires write access to the local repository's .git directory, it order to create or alter existing .idx files. Patches Users should upgrade to v5.17.1, or the latest v6 pseudo-version, in order to mitigate this vulnerability. Credit The go-git maintainers thank @kq5y for finding and reporting this issue privately to the go-git project. Insufficiently Protected Credentials Affected range <=5.17.2 Fixed version 5.18.0 CVSS Score 4.7 CVSS Vector CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:N/A:N Description Impact go-git may leak HTTP authentication credentials when following redirects during smart-HTTP clone and fetch operations. If a remote repository responds to the initial /info/refs request with a redirect to a different host, go-git updates the session endpoint to the redirected location and reuses the original authentication for subsequent requests. This can result in the credentials (e.g. Authorization headers) being sent to an unintended host. An attacker controlling or influencing the redirect target can capture these credentials and potentially reuse them to access the victim’s repositories or other resources, depending on the scope of the credential. Clients using go-git exclusively with trusted remotes (for example, GitHub or GitLab), and over a secure HTTPS connection, are not affected by this issue. The risk arises when interacting with untrusted or misconfigured Git servers, or when using unsecured HTTP connections, which is not recommended. Such configurations also expose clients to a broader class of security risks beyond this issue, including credential interception and tampering of repository data. Patches Users should upgrade to v5.18.0, or v6.0.0-alpha.2, in order to mitigate this vulnerability. Versions prior to v5 are likely to be affected, users are recommended to upgrade to a supported go-git version. The patched versions add support for configuring followRedirects. In line with upstream behaviour, the default is now initial, while users can opt into FollowRedirects or NoFollowRedirects programmatically. Credit Thanks to the 3 separate reports from @celinke97, @N0zoM1z0 and @AyushParkara. Thanks for finding and reporting this issue privately to the go-git project. :bow: Improper Validation of Array Index Affected range <=5.17.0 Fixed version 5.17.1 CVSS Score 2.8 CVSS Vector CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:N/I:N/A:L EPSS Score 0.014% EPSS Percentile 2nd percentile Description Impact go-git’s index decoder for format version 4 fails to validate the path name prefix length before applying it to the previously decoded path name. A maliciously crafted index file can trigger an out-of-bounds slice operation, resulting in a runtime panic during normal index parsing. This issue only affects Git index format version 4. Earlier formats (go-git supports only v2 and v3) are not vulnerable to this issue. An attacker able to supply a crafted .git/index file can cause applications using go-git to panic while reading the index. If the application does not recover from panics, this results in process termination, leading to a denial-of-service (DoS) condition. Exploitation requires the ability to modify or inject a Git index file within the local repository in disk. This typically implies write access to the .git directory. Patches Users should upgrade to v5.17.1, or the latest v6 pseudo-version, in order to mitigate this vulnerability. Credit go-git maintainers thank @kq5y for finding and reporting this issue privately to the go-git project.

github.com/cloudflare/circl 1.6.1 (golang) pkg:golang/github.com/cloudflare/circl@1.6.1 Incorrect Calculation Affected range <1.6.3 Fixed version 1.6.3 CVSS Score 2.9 CVSS Vector CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:L/SI:L/SA:L/E:P/S:N/AU:Y/U:Amber EPSS Score 0.022% EPSS Percentile 6th percentile Description The CombinedMult function in the CIRCL ecc/p384 package (secp384r1 curve) produces an incorrect value for specific inputs. The issue is fixed by using complete addition formulas. ECDH and ECDSA signing relying on this curve are not affected. The bug was fixed in v1.6.3.