testkube-enterprise-api-2.9.5_linux_amd64

digest	sha256:67b9928451cbf75e14250c3d755aedd1fffd567ba4815a128ea970364573913e
vulnerabilities
platform	linux/amd64
size	78 MB
packages	342

github.com/go-git/go-git/v5 5.16.5 (golang) pkg:golang/github.com/go-git/go-git/v5@5.16.5 Incorrect Behavior Order: Validate Before Canonicalize Affected range <5.19.0 Fixed version 5.19.0 CVSS Score 7 CVSS Vector CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:H/SA:N Description Impact go-git may parse malformed Git objects in a way that differs from upstream Git. When commit or tag objects contain ambiguous or malformed headers, go-git’s decoded representation may expose values differently from how Git itself would interpret or reject the same object. Additionally, go-git’s commit signing and verification logic operates over commit data reconstructed from go-git’s parsed representation rather than the original raw object bytes. As a result, go-git may sign or verify a commit payload that is not byte-for-byte equivalent to the object stored in the repository. This can cause a signature to appear valid for a commit whose displayed or effective metadata differs from the object that was intended to be signed. Patches Users should upgrade to a patched version in order to mitigate this vulnerability. Versions prior to v5 are likely to be affected, users are recommended to upgrade to a supported go-git version. Credit Thanks to @bugbunny-research (https://bugbunny.ai/) for reporting this to sigstore/gitsign, and to @wlynch, @patzielinski and @adityasaky for coordinating the disclosure with the go-git project. :bow: 🥇 Thanks to @wayphinder for reporting this to the go-git project. :bow: Integer Underflow (Wrap or Wraparound) Affected range >=5.0.0 <=5.17.0 Fixed version 5.17.1 CVSS Score 5 CVSS Vector CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:N/I:N/A:H EPSS Score 0.006% EPSS Percentile 0th percentile Description Impact A vulnerability has been identified in which a maliciously crafted .idx file can cause asymmetric memory consumption, potentially exhausting available memory and resulting in a Denial of Service (DoS) condition. Exploitation requires write access to the local repository's .git directory, it order to create or alter existing .idx files. Patches Users should upgrade to v5.17.1, or the latest v6 pseudo-version, in order to mitigate this vulnerability. Credit The go-git maintainers thank @kq5y for finding and reporting this issue privately to the go-git project. Insufficiently Protected Credentials Affected range <=5.17.2 Fixed version 5.18.0 CVSS Score 4.7 CVSS Vector CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:N/A:N EPSS Score 0.057% EPSS Percentile 18th percentile Description Impact go-git may leak HTTP authentication credentials when following redirects during smart-HTTP clone and fetch operations. If a remote repository responds to the initial /info/refs request with a redirect to a different host, go-git updates the session endpoint to the redirected location and reuses the original authentication for subsequent requests. This can result in the credentials (e.g. Authorization headers) being sent to an unintended host. An attacker controlling or influencing the redirect target can capture these credentials and potentially reuse them to access the victim’s repositories or other resources, depending on the scope of the credential. Clients using go-git exclusively with trusted remotes (for example, GitHub or GitLab), and over a secure HTTPS connection, are not affected by this issue. The risk arises when interacting with untrusted or misconfigured Git servers, or when using unsecured HTTP connections, which is not recommended. Such configurations also expose clients to a broader class of security risks beyond this issue, including credential interception and tampering of repository data. Patches Users should upgrade to v5.18.0, or v6.0.0-alpha.2, in order to mitigate this vulnerability. Versions prior to v5 are likely to be affected, users are recommended to upgrade to a supported go-git version. The patched versions add support for configuring followRedirects. In line with upstream behaviour, the default is now initial, while users can opt into FollowRedirects or NoFollowRedirects programmatically. Credit Thanks to the 3 separate reports from @celinke97, @N0zoM1z0 and @AyushParkara. Thanks for finding and reporting this issue privately to the go-git project. :bow: Improper Validation of Array Index Affected range <=5.17.0 Fixed version 5.17.1 CVSS Score 2.8 CVSS Vector CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:N/I:N/A:L EPSS Score 0.006% EPSS Percentile 0th percentile Description Impact go-git’s index decoder for format version 4 fails to validate the path name prefix length before applying it to the previously decoded path name. A maliciously crafted index file can trigger an out-of-bounds slice operation, resulting in a runtime panic during normal index parsing. This issue only affects Git index format version 4. Earlier formats (go-git supports only v2 and v3) are not vulnerable to this issue. An attacker able to supply a crafted .git/index file can cause applications using go-git to panic while reading the index. If the application does not recover from panics, this results in process termination, leading to a denial-of-service (DoS) condition. Exploitation requires the ability to modify or inject a Git index file within the local repository in disk. This typically implies write access to the .git directory. Patches Users should upgrade to v5.17.1, or the latest v6 pseudo-version, in order to mitigate this vulnerability. Credit go-git maintainers thank @kq5y for finding and reporting this issue privately to the go-git project.

github.com/go-git/go-billy/v5 5.6.2 (golang) pkg:golang/github.com/go-git/go-billy/v5@5.6.2 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') Affected range <5.9.0 Fixed version 5.9.0 CVSS Score 8.1 CVSS Vector CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N Description Impact Multiple path traversal issues exist across different components of go-billy. Insufficient path sanitization and boundary enforcement may allow crafted paths (e.g., using ..) to escape intended base directories. While go-billy was not originally designed to provide a strong security boundary, some of these issues were inconsistent across some of the built-in implementations. This results in scenarios where applications relying on go-billy for some level of isolation may inadvertently expose access to unintended filesystem locations. The osfs.ChrootOS implementation is notably affected by this vulnerability and is now deprecated in v5, removed at v6. Users are recommended to move on to osfs.BoundOS instead: osfs.New(path, WithBoundOS()). Users requiring stronger security boundary enforcement are recommended to upgrade to v6, where the osfs implementation are backed by the traversal-resistant primitive os.Root. Patches Users should upgrade to a patched version in order to mitigate this vulnerability. Versions prior to v5 are likely to be affected, users are recommended to upgrade to a supported go-billy version. Credits Thanks to @faran66 and @vnykmshr for finding and separately reporting this issue privately to the go-git project. 🙇 Uncontrolled Recursion Affected range <5.9.0 Fixed version 5.9.0 CVSS Score 6.5 CVSS Vector CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H Description Impact Multiple components may improperly handle crafted or malformed input, resulting in panics, infinite loops, uncontrolled recursion, or excessive resource consumption. These issues arise from insufficient validation and missing safety mechanisms such as cycle detection, recursion limits, or defensive handling of unexpected states when processing untrusted repository data and filesystem structures. Patches Users should upgrade to a patched version in order to mitigate this vulnerability. Versions prior to v5 are likely to be affected, users are recommended to upgrade to a supported go-billy version. Credits Thanks to @faran66 for finding and reporting this issue privately to the go-git project. 🙇

github.com/docker/docker 28.5.2+incompatible (golang) pkg:golang/github.com/docker/docker@28.5.2%2Bincompatible Authentication Bypass Using an Alternate Path or Channel Affected range <29.3.1 Fixed version Not Fixed CVSS Score 8.8 CVSS Vector CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H EPSS Score 0.009% EPSS Percentile 1st percentile Description Summary A security vulnerability has been detected that allows attackers to bypass authorization plugins (AuthZ) under specific circumstances. The base likelihood of this being exploited is low. This is an incomplete fix for CVE-2024-41110. Impact If you don't use AuthZ plugins, you are not affected. Using a specially-crafted API request, an attacker could make the Docker daemon forward the request to an authorization plugin without the body. The authorization plugin may allow a request which it would have otherwise denied if the body had been forwarded to it. Anyone who depends on authorization plugins that introspect the request body to make access control decisions is potentially impacted. Workarounds If unable to update immediately: Avoid using AuthZ plugins that rely on request body inspection for security decisions. Restrict access to the Docker API to trusted parties, following the principle of least privilege. Credits 1seal / Oleh Konko (@1seal) Cody (c@wormhole.guru) Asim Viladi Oglu Manizada (@manizada) Resources CVE-2024-41110 / GHSA-v23v-6jw2-98fq Off-by-one Error Affected range <29.3.1 Fixed version Not Fixed CVSS Score 6.8 CVSS Vector CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N EPSS Score 0.016% EPSS Percentile 4th percentile Description Summary A security vulnerability has been detected that allows plugins privilege validation to be bypassed during docker plugin install. Due to an error in the daemon's privilege comparison logic, the daemon may incorrectly accept a privilege set that differs from the one approved by the user. Plugins that request exactly one privilege are also affected, because no comparison is performed at all. Impact If plugins are not in use, there is no impact. When a plugin is installed, the daemon computes the privileges required by the plugin's configuration and compares them with the privileges approved during installation. A malicious plugin can exploit this bug so that the daemon accepts privileges that differ from what was intended to be approved. Anyone who depends on the plugin installation approval flow as a meaningful security boundary is potentially impacted. Depending on the privilege set involved, this may include highly sensitive plugin permissions such as broad device access. For consideration: exploitation still requires a plugin to be installed from a malicious source, and Docker plugins are relatively uncommon. Docker Desktop also does not support plugins. Workarounds If unable to update immediately: Do not install plugins from untrusted sources Carefully review all privileges requested during docker plugin install Restrict access to the Docker daemon to trusted parties, following the principle of least privilege Avoid relying on plugin privilege approval as the only control boundary for sensitive environments Credits Reported by Cody (c@wormhole.guru, PGP 0x9FA5B73E)

github.com/docker/cli 29.4.0+incompatible (golang) pkg:golang/github.com/docker/cli@29.4.0%2Bincompatible Affected range >=19.03.0+incompatible Fixed version Not Fixed EPSS Score 0.023% EPSS Percentile 7th percentile Description Docker CLI Plugins: Uncontrolled Search Path Element Leads to Local Privilege Escalation on Windows in github.com/docker/cli

github.com/cloudflare/circl 1.6.1 (golang) pkg:golang/github.com/cloudflare/circl@1.6.1 Incorrect Calculation Affected range <1.6.3 Fixed version 1.6.3 CVSS Score 2.9 CVSS Vector CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:L/SI:L/SA:L/E:P/S:N/AU:Y/U:Amber EPSS Score 0.023% EPSS Percentile 7th percentile Description The CombinedMult function in the CIRCL ecc/p384 package (secp384r1 curve) produces an incorrect value for specific inputs. The issue is fixed by using complete addition formulas. ECDH and ECDSA signing relying on this curve are not affected. The bug was fixed in v1.6.3.