     libssl3 3.3.5-r0 (apk)
pkg:apk/alpine/libssl3@3.3.5-r0?arch=x86_64&distro=alpine-3.20.8&upstream=openssl
# tw-toolkit.Dockerfile (24:24)
FROM ${ALPINE_IMAGE}
| Affected range | <3.3.6-r0 | | Fixed version | 3.3.6-r0 | | EPSS Score | 0.705% | | EPSS Percentile | 72nd percentile |
Description
| Affected range | <3.3.7-r0 | | Fixed version | 3.3.7-r0 | | EPSS Score | 0.024% | | EPSS Percentile | 6th percentile |
Description
| Affected range | <3.3.7-r0 | | Fixed version | 3.3.7-r0 | | EPSS Score | 0.058% | | EPSS Percentile | 18th percentile |
Description
| Affected range | <3.3.7-r0 | | Fixed version | 3.3.7-r0 | | EPSS Score | 0.058% | | EPSS Percentile | 18th percentile |
Description
| Affected range | <3.3.7-r0 | | Fixed version | 3.3.7-r0 | | EPSS Score | 0.030% | | EPSS Percentile | 8th percentile |
Description
| Affected range | <3.3.6-r0 | | Fixed version | 3.3.6-r0 | | EPSS Score | 0.036% | | EPSS Percentile | 10th percentile |
Description
| Affected range | <3.3.6-r0 | | Fixed version | 3.3.6-r0 | | EPSS Score | 0.303% | | EPSS Percentile | 54th percentile |
Description
| Affected range | <3.3.6-r0 | | Fixed version | 3.3.6-r0 | | EPSS Score | 0.063% | | EPSS Percentile | 20th percentile |
Description
| Affected range | <3.3.6-r0 | | Fixed version | 3.3.6-r0 | | EPSS Score | 0.067% | | EPSS Percentile | 21st percentile |
Description
| Affected range | <3.3.6-r0 | | Fixed version | 3.3.6-r0 | | EPSS Score | 0.022% | | EPSS Percentile | 6th percentile |
Description
| Affected range | <3.3.6-r0 | | Fixed version | 3.3.6-r0 | | EPSS Score | 0.021% | | EPSS Percentile | 6th percentile |
Description
| Affected range | <3.3.6-r0 | | Fixed version | 3.3.6-r0 | | EPSS Score | 0.117% | | EPSS Percentile | 30th percentile |
Description
| Affected range | <3.3.6-r0 | | Fixed version | 3.3.6-r0 | | EPSS Score | 0.027% | | EPSS Percentile | 8th percentile |
Description
| Affected range | <3.3.6-r0 | | Fixed version | 3.3.6-r0 | | EPSS Score | 0.008% | | EPSS Percentile | 1st percentile |
Description
| Affected range | <3.3.7-r0 | | Fixed version | 3.3.7-r0 | | EPSS Score | 0.012% | | EPSS Percentile | 2nd percentile |
Description
| Affected range | <3.3.7-r0 | | Fixed version | 3.3.7-r0 | | EPSS Score | 0.021% | | EPSS Percentile | 6th percentile |
Description |
  stdlib 1.26.1 (golang)
pkg:golang/stdlib@1.26.1
# tw-toolkit.Dockerfile (28:28)
COPY --from=build /app/testworkflow-init /init
| Affected range | >=1.26.0-0
<1.26.2
| | Fixed version | 1.26.2 | | EPSS Score | 0.011% | | EPSS Percentile | 1st percentile |
Description
When verifying a certificate chain containing excluded DNS constraints, these constraints are not correctly applied to wildcard DNS SANs which use a different case than the constraint.
This only affects validation of otherwise trusted certificate chains, issued by a root CA in the VerifyOptions.Roots CertPool, or in the system certificate pool.
| Affected range | >=1.26.0-0
<1.26.2
| | Fixed version | 1.26.2 | | EPSS Score | 0.021% | | EPSS Percentile | 6th percentile |
Description
If one side of the TLS connection sends multiple key update messages post-handshake in a single record, the connection can deadlock, causing uncontrolled consumption of resources. This can lead to a denial of service.
This only affects TLS 1.3.
| Affected range | >=1.26.0-0
<1.26.2
| | Fixed version | 1.26.2 | | EPSS Score | 0.021% | | EPSS Percentile | 6th percentile |
Description
Validating certificate chains which use policies is unexpectedly inefficient when certificates in the chain contain a very large number of policy mappings, possibly causing denial of service.
This only affects validation of otherwise trusted certificate chains, issued by a root CA in the VerifyOptions.Roots CertPool, or in the system certificate pool.
| Affected range | >=1.26.0-0
<1.26.2
| | Fixed version | 1.26.2 | | EPSS Score | 0.021% | | EPSS Percentile | 6th percentile |
Description
During chain building, the amount of work that is done is not correctly limited when a large number of intermediate certificates are passed in VerifyOptions.Intermediates, which can lead to a denial of service. This affects both direct users of crypto/x509 and users of crypto/tls.
| Affected range | >=1.26.0-0
<1.26.2
| | Fixed version | 1.26.2 | | EPSS Score | 0.008% | | EPSS Percentile | 1st percentile |
Description
On Linux, if the target of Root.Chmod is replaced with a symlink while the chmod operation is in progress, Chmod can operate on the target of the symlink, even when the target lies outside the root.
The Linux fchmodat syscall silently ignores the AT_SYMLINK_NOFOLLOW flag, which Root.Chmod uses to avoid symlink traversal. Root.Chmod checks its target before acting and returns an error if the target is a symlink lying outside the root, so the impact is limited to cases where the target is replaced with a symlink between the check and operation.
| Affected range | >=1.26.0-0
<1.26.2
| | Fixed version | 1.26.2 | | EPSS Score | 0.014% | | EPSS Percentile | 3rd percentile |
Description
Context was not properly tracked across template branches for JS template literals, leading to possibly incorrect escaping of content when branches were used. Additionally template actions within JS template literals did not properly track the brace depth, leading to incorrect escaping being applied.
These issues could cause actions within JS template literals to be incorrectly or improperly escaped, leading to XSS vulnerabilities.
| Affected range | >=1.26.0-0
<1.26.2
| | Fixed version | 1.26.2 | | EPSS Score | 0.006% | | EPSS Percentile | 0th percentile |
Description
tar.Reader can allocate an unbounded amount of memory when reading a maliciously-crafted archive containing a large number of sparse regions encoded in the "old GNU sparse map" format.
|
   libcurl 8.14.1-r2 (apk)
pkg:apk/alpine/libcurl@8.14.1-r2?arch=x86_64&distro=alpine-3.20.8&upstream=curl
# tw-toolkit.Dockerfile (25:25)
RUN apk --no-cache add ca-certificates libssl3 git openssh-client
| Affected range | <=8.14.1-r2 | | Fixed version | Not Fixed | | EPSS Score | 0.042% | | EPSS Percentile | 13th percentile |
Description
| Affected range | <=8.14.1-r2 | | Fixed version | Not Fixed | | EPSS Score | 0.016% | | EPSS Percentile | 4th percentile |
Description
| Affected range | <=8.14.1-r2 | | Fixed version | Not Fixed | | EPSS Score | 0.062% | | EPSS Percentile | 19th percentile |
Description
| Affected range | <=8.14.1-r2 | | Fixed version | Not Fixed | | EPSS Score | 0.007% | | EPSS Percentile | 1st percentile |
Description
| Affected range | <=8.14.1-r2 | | Fixed version | Not Fixed | | EPSS Score | 0.011% | | EPSS Percentile | 1st percentile |
Description
| Affected range | <=8.14.1-r2 | | Fixed version | Not Fixed | | EPSS Score | 0.017% | | EPSS Percentile | 4th percentile |
Description
| Affected range | <=8.14.1-r2 | | Fixed version | Not Fixed | | EPSS Score | 0.035% | | EPSS Percentile | 10th percentile |
Description
| Affected range | <=8.14.1-r2 | | Fixed version | Not Fixed | | EPSS Score | 0.045% | | EPSS Percentile | 14th percentile |
Description
| Affected range | <=8.14.1-r2 | | Fixed version | Not Fixed | | EPSS Score | 0.026% | | EPSS Percentile | 7th percentile |
Description
| Affected range | <=8.14.1-r2 | | Fixed version | Not Fixed | | EPSS Score | 0.020% | | EPSS Percentile | 5th percentile |
Description
| Affected range | <=8.14.1-r2 | | Fixed version | Not Fixed | | EPSS Score | 0.084% | | EPSS Percentile | 24th percentile |
Description |
 musl 1.2.5-r1 (apk)
pkg:apk/alpine/musl@1.2.5-r1?arch=x86_64&distro=alpine-3.20.8
# tw-toolkit.Dockerfile (24:24)
FROM ${ALPINE_IMAGE}
| Affected range | <1.2.5-r3 | | Fixed version | 1.2.5-r3 | | EPSS Score | 0.018% | | EPSS Percentile | 5th percentile |
Description
| Affected range | <1.2.5-r2 | | Fixed version | 1.2.5-r2 | | EPSS Score | 0.014% | | EPSS Percentile | 3rd percentile |
Description |
c-ares 1.33.1-r0 (apk)
pkg:apk/alpine/c-ares@1.33.1-r0?arch=x86_64&distro=alpine-3.20.8
# tw-toolkit.Dockerfile (25:25)
RUN apk --no-cache add ca-certificates libssl3 git openssh-client
| Affected range | <=1.33.1-r0 | | Fixed version | Not Fixed | | EPSS Score | 0.618% | | EPSS Percentile | 70th percentile |
Description
| Affected range | <=1.33.1-r0 | | Fixed version | Not Fixed | | EPSS Score | 0.029% | | EPSS Percentile | 8th percentile |
Description |
 nghttp2-libs 1.62.1-r0 (apk)
pkg:apk/alpine/nghttp2-libs@1.62.1-r0?arch=x86_64&distro=alpine-3.20.8&upstream=nghttp2
# tw-toolkit.Dockerfile (25:25)
RUN apk --no-cache add ca-certificates libssl3 git openssh-client
| Affected range | <=1.62.1-r0 | | Fixed version | Not Fixed | | EPSS Score | 0.017% | | EPSS Percentile | 4th percentile |
Description |
github.com/moby/spdystream 0.5.0 (golang)
pkg:golang/github.com/moby/spdystream@0.5.0
# tw-toolkit.Dockerfile (28:28)
COPY --from=build /app/testworkflow-init /init
 Allocation of Resources Without Limits or Throttling
| Affected range | <=0.5.0 | | Fixed version | 0.5.1 | | CVSS Score | 8.7 | | CVSS Vector | CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N |
Description
The SPDY/3 frame parser in spdystream does not validate
attacker-controlled counts and lengths before allocating memory. A
remote peer that can send SPDY frames to a service using spdystream can
cause the process to allocate gigabytes of memory with a small number of
malformed control frames, leading to an out-of-memory crash.
Three allocation paths in the receive side are affected:
- SETTINGS entry count -- The SETTINGS frame reader reads a 32-bit
numSettings from the payload and allocates a slice of that size
without checking it against the declared frame length. An attacker
can set numSettings to a value far exceeding the actual payload,
triggering a large allocation before any setting data is read.
- Header count --
parseHeaderValueBlock reads a 32-bit
numHeaders from the decompressed header block and allocates an
http.Header map of that size with no upper bound.
- Header field size -- Individual header name and value lengths are
read as 32-bit integers and used directly as allocation sizes with
no validation.
Because SPDY header blocks are zlib-compressed, a small on-the-wire
payload can decompress into attacker-controlled bytes that the parser
interprets as 32-bit counts and lengths. A single crafted frame is
enough to exhaust process memory.
Impact
Any program that accepts SPDY connections using spdystream -- directly
or through a dependent library -- is affected. A remote peer that can
send SPDY frames to the service can crash the process with a single
crafted SPDY control frame, causing denial of service.
Affected versions
github.com/moby/spdystream <= v0.5.0
Fix
v0.5.1 addresses the receive-side allocation bugs and adds related
hardening:
Core fixes:
- SETTINGS entry-count validation -- The SETTINGS frame reader now
checks that
numSettings is consistent with the declared frame
length (numSettings <= (length-4)/8) before allocating.
- Header count limit --
parseHeaderValueBlock enforces a maximum
number of headers per frame (default: 1000).
- Header field size limit -- Individual header name and value
lengths are checked against a per-field size limit (default: 1 MiB)
before allocation.
- Connection closure on protocol error -- The connection read loop
now closes the underlying
net.Conn when it encounters an
InvalidControlFrame error, preventing further exploitation on the
same connection.
Additional hardening:
- Write-side bounds checks -- All frame write methods now verify
that payloads fit within the 24-bit length field, preventing the
library from producing invalid frames.
Configurable limits:
- Callers can adjust the defaults using
NewConnectionWithOptions or
the lower-level spdy.NewFramerWithOptions with functional options:
WithMaxControlFramePayloadSize, WithMaxHeaderFieldSize, and
WithMaxHeaderCount.
|
github.com/docker/cli 29.3.0+incompatible (golang)
pkg:golang/github.com/docker/cli@29.3.0%2Bincompatible
# tw-toolkit.Dockerfile (28:28)
COPY --from=build /app/testworkflow-init /init
| Affected range | >=19.03.0+incompatible | | Fixed version | Not Fixed | | EPSS Score | 0.023% | | EPSS Percentile | 6th percentile |
Description
Docker CLI Plugins: Uncontrolled Search Path Element Leads to Local Privilege Escalation on Windows in github.com/docker/cli
|
   openssh-keygen 9.7_p1-r5 (apk)
pkg:apk/alpine/openssh-keygen@9.7_p1-r5?arch=x86_64&distro=alpine-3.20.8&upstream=openssh
# tw-toolkit.Dockerfile (25:25)
RUN apk --no-cache add ca-certificates libssl3 git openssh-client
| Affected range | <=9.7_p1-r5 | | Fixed version | Not Fixed | | EPSS Score | 0.274% | | EPSS Percentile | 51st percentile |
Description
| Affected range | <=9.7_p1-r5 | | Fixed version | Not Fixed | | EPSS Score | 0.020% | | EPSS Percentile | 5th percentile |
Description
| Affected range | <=9.7_p1-r5 | | Fixed version | Not Fixed | | EPSS Score | 0.016% | | EPSS Percentile | 4th percentile |
Description
| Affected range | <=9.7_p1-r5 | | Fixed version | Not Fixed | | EPSS Score | 0.011% | | EPSS Percentile | 1st percentile |
Description |
ssl_client 1.36.1-r30 (apk)
pkg:apk/alpine/ssl_client@1.36.1-r30?arch=x86_64&distro=alpine-3.20.8&upstream=busybox
# tw-toolkit.Dockerfile (24:24)
FROM ${ALPINE_IMAGE}
| Affected range | <=1.36.1-r30 | | Fixed version | Not Fixed | | EPSS Score | 0.043% | | EPSS Percentile | 13th percentile |
Description
| Affected range | <1.36.1-r31 | | Fixed version | 1.36.1-r31 | | EPSS Score | 0.083% | | EPSS Percentile | 24th percentile |
Description
| Affected range | <1.36.1-r31 | | Fixed version | 1.36.1-r31 | | EPSS Score | 0.077% | | EPSS Percentile | 23rd percentile |
Description |
zlib 1.3.1-r1 (apk)
pkg:apk/alpine/zlib@1.3.1-r1?arch=x86_64&distro=alpine-3.20.8
# tw-toolkit.Dockerfile (24:24)
FROM ${ALPINE_IMAGE}
| Affected range | <1.3.2-r0 | | Fixed version | 1.3.2-r0 | | EPSS Score | 0.006% | | EPSS Percentile | 0th percentile |
Description
| Affected range | <1.3.2-r0 | | Fixed version | 1.3.2-r0 | | EPSS Score | 0.007% | | EPSS Percentile | 1st percentile |
Description |
