
testkube-migration-2.9.4_linux_amd64

digest: sha256:630086ff33c2e0ad2a6d4fbeff00e9e184d5a2e3948ee9e3211399bfdf81abce
vulnerabilities: critical: 0 high: 7 medium: 4 low: 0
platform: linux/amd64
size: 53 MB
packages: 291
critical: 0 high: 5 medium: 3 low: 0 stdlib 1.26.2 (golang)

pkg:golang/stdlib@1.26.2
high: CVE-2026-42499

Affected range
>=1.26.0-0
<1.26.3
Fixed version: 1.26.3
EPSS Score: 0.023%
EPSS Percentile: 7th percentile
Description

Pathological inputs could cause DoS through consumePhrase when parsing an email address according to RFC 5322.

high: CVE-2026-39836

Affected range
>=1.26.0-0
<1.26.3
Fixed version: 1.26.3
EPSS Score: 0.018%
EPSS Percentile: 5th percentile
Description

The Dial and LookupPort functions panic on Windows when provided with an input containing a NUL (0).

high: CVE-2026-39820

Affected range
>=1.26.0-0
<1.26.3
Fixed version: 1.26.3
EPSS Score: 0.042%
EPSS Percentile: 13th percentile
Description

Well-crafted inputs reaching ParseAddress, ParseAddressList, and ParseDate were able to trigger excessive CPU exhaustion and memory allocations.

high: CVE-2026-33814

Affected range
>=1.26.0-0
<1.26.3
Fixed version: 1.26.3
EPSS Score: 0.019%
EPSS Percentile: 5th percentile
Description

When processing HTTP/2 SETTINGS frames, transport will enter an infinite loop of writing CONTINUATION frames if it receives a SETTINGS_MAX_FRAME_SIZE with a value of 0.

high: CVE-2026-33811

Affected range
>=1.26.0-0
<1.26.3
Fixed version: 1.26.3
EPSS Score: 0.018%
EPSS Percentile: 5th percentile
Description

When using LookupCNAME with the cgo DNS resolver, a very long CNAME response can trigger a double-free of C memory and a crash.

medium: CVE-2026-39826

Affected range
>=1.26.0-0
<1.26.3
Fixed version: 1.26.3
EPSS Score: 0.015%
EPSS Percentile: 3rd percentile
Description

If a trusted template author were to write a

medium: CVE-2026-39823

Affected range
>=1.26.0-0
<1.26.3
Fixed version: 1.26.3
EPSS Score: 0.013%
EPSS Percentile: 2nd percentile
Description

CVE-2026-27142 fixed a vulnerability in which URLs were not correctly escaped inside of a tag's attribute. If the URL content were to insert ASCII whitespaces around the '=' rune inside of the attribute, the escaper would fail to similarly escape it, leading to XSS.

medium: CVE-2026-39825

Affected range
>=1.26.0-0
<1.26.3
Fixed version: 1.26.3
EPSS Score: 0.012%
EPSS Percentile: 2nd percentile
Description

ReverseProxy can forward queries containing parameters not visible to Rewrite functions.

When used with a Rewrite function, or a Director function which parses query parameters, ReverseProxy sanitizes the forwarded request to remove query parameters which are not parsed by url.ParseQuery. ReverseProxy does not take ParseQuery's limit on the total number of query parameters (controlled by GODEBUG=urlmaxqueryparams=N) into account. This can permit ReverseProxy to forward a request containing a query parameter that is not visible to the Rewrite function.

For example, the query "a1=x&a2=x&...&a10000=x&hidden=y" can forward the parameter "hidden=y" while hiding it from the proxy's Rewrite function.

critical: 0 high: 1 medium: 1 low: 0 github.com/docker/docker 28.5.2+incompatible (golang)

pkg:golang/github.com/docker/docker@28.5.2%2Bincompatible
high 8.8: CVE-2026-34040 Authentication Bypass Using an Alternate Path or Channel

Affected range: <29.3.1
Fixed version: Not Fixed
CVSS Score: 8.8
CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
EPSS Score: 0.009%
EPSS Percentile: 1st percentile
Description

Summary

A security vulnerability has been detected that allows attackers to bypass authorization plugins (AuthZ) under specific circumstances. The base likelihood of this being exploited is low.

This is an incomplete fix for CVE-2024-41110.

Impact

If you don't use AuthZ plugins, you are not affected.

Using a specially-crafted API request, an attacker could make the Docker daemon forward the request to an authorization plugin without the body. The authorization plugin may allow a request which it would have otherwise denied if the body had been forwarded to it.

Anyone who depends on authorization plugins that introspect the request body to make access control decisions is potentially impacted.

Workarounds

If unable to update immediately:

  • Avoid using AuthZ plugins that rely on request body inspection for security decisions.
  • Restrict access to the Docker API to trusted parties, following the principle of least privilege.


medium 6.8: CVE-2026-33997 Off-by-one Error

Affected range: <29.3.1
Fixed version: Not Fixed
CVSS Score: 6.8
CVSS Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N
EPSS Score: 0.016%
EPSS Percentile: 4th percentile
Description

Summary

A security vulnerability has been detected that allows plugins privilege validation to be bypassed during docker plugin install. Due to an error in the daemon's privilege comparison logic, the daemon may incorrectly accept a privilege set that differs from the one approved by the user.

Plugins that request exactly one privilege are also affected, because no comparison is performed at all.

Impact

If plugins are not in use, there is no impact.

When a plugin is installed, the daemon computes the privileges required by the plugin's configuration and compares them with the privileges approved during installation. A malicious plugin can exploit this bug so that the daemon accepts privileges that differ from what was intended to be approved.

Anyone who depends on the plugin installation approval flow as a meaningful security boundary is potentially impacted.

Depending on the privilege set involved, this may include highly sensitive plugin permissions such as broad device access.

For consideration: exploitation still requires a plugin to be installed from a malicious source, and Docker plugins are relatively uncommon. Docker Desktop also does not support plugins.

Workarounds

If unable to update immediately:

  • Do not install plugins from untrusted sources
  • Carefully review all privileges requested during docker plugin install
  • Restrict access to the Docker daemon to trusted parties, following the principle of least privilege
  • Avoid relying on plugin privilege approval as the only control boundary for sensitive environments


critical: 0 high: 1 medium: 0 low: 0 github.com/docker/cli 29.4.0+incompatible (golang)

pkg:golang/github.com/docker/cli@29.4.0%2Bincompatible
high: CVE-2025-15558

Affected range: >=19.03.0+incompatible
Fixed version: Not Fixed
EPSS Score: 0.020%
EPSS Percentile: 6th percentile
Description

Docker CLI Plugins: Uncontrolled Search Path Element Leads to Local Privilege Escalation on Windows in github.com/docker/cli