testkube-tw-init-2.1.150_linux_arm64

digest	`sha256:4f2e21ed32f702ccd440df800e83172b9948ed0c9dec5c7f0991b9e061ce3e4c`
vulnerabilities
platform	linux/arm64
size	16 MB
packages	137

golang.org/x/oauth2 0.26.0 (golang)

pkg:golang/golang.org/x/oauth2@0.26.0

# tw-init.Dockerfile (18:18)
COPY --from=build /app/testworkflow-init /init

Affected range	`<0.27.0`
Fixed version	`0.27.0`
EPSS Score	`0.056%`
EPSS Percentile	`18th percentile`

Description

An attacker can pass a malicious malformed token which causes unexpected memory to be consumed during parsing.

golang.org/x/net 0.34.0 (golang)

pkg:golang/golang.org/x/net@0.34.0

# tw-init.Dockerfile (18:18)
COPY --from=build /app/testworkflow-init /init

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Affected range	`<0.38.0`
Fixed version	`0.38.0`
CVSS Score	`5.3`
CVSS Vector	`CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N`
EPSS Score	`0.016%`
EPSS Percentile	`2nd percentile`

Description

The tokenizer incorrectly interprets tags with unquoted attribute values that end with a solidus character (/) as self-closing. When directly using Tokenizer, this can result in such tags incorrectly being marked as self-closing, and when using the Parse functions, this can result in content following such tags as being placed in the wrong scope during DOM construction, but only when tags are in foreign content (e.g. $,, etc contexts).$

Misinterpretation of Input

Affected range	`<0.36.0`
Fixed version	`0.36.0`
CVSS Score	`4.4`
CVSS Vector	`CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:L`
EPSS Score	`0.008%`
EPSS Percentile	`0th percentile`

Description

Matching of hosts against proxy patterns can improperly treat an IPv6 zone ID as a hostname component. For example, when the NO_PROXY environment variable is set to "*.example.com", a request to "[::1%25.example.com]:80` will incorrectly match and not be proxied.