kube-webhook-certgen-0.0.4_linux_arm64
digest | sha256:316555536aa1676a0c1c1a646464a574216cc69f58e0db116d39970115dcb487 |
vulnerabilities | |
size | 9.7 MB |
packages | 48 |
golang.org/x/net |
Affected range |
|
Fixed version | 0.1.1-0.20221104162952-702349b0e862 |
CVSS Score | 7.5 |
CVSS Vector | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |
EPSS Score | 0.17% |
EPSS Percentile | 55th percentile |
Description
A request smuggling attack is possible when using MaxBytesHandler. When using MaxBytesHandler, the body of an HTTP request is not fully consumed. When the server attempts to read HTTP2 frames from the connection, it will instead be reading the body of the HTTP request, which could be attacker-manipulated to represent arbitrary HTTP2 requests.
Specific Go Packages Affected
golang.org/x/net/http2/h2c
Affected range | <0.0.0-20220906165146-f3363e06e74c |
Fixed version | 0.0.0-20220906165146-f3363e06e74c |
CVSS Score | 7.5 |
CVSS Vector | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |
EPSS Score | 0.24% |
EPSS Percentile | 62nd percentile |
Description
In net/http in Go before 1.18.6 and 1.19.x before 1.19.1, attackers can cause a denial of service because an HTTP/2 connection can hang during closing if shutdown were preempted by a fatal error.
golang.org/x/text 0.3.7
(golang)
pkg:golang/golang.org/x/text@0.3.7
Missing Release of Resource after Effective Lifetime
Affected range | <0.3.8 |
Fixed version | 0.3.8 |
CVSS Score | 7.5 |
CVSS Vector | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |
EPSS Score | 0.24% |
EPSS Percentile | 62nd percentile |
Description
The BCP 47 tag parser has quadratic time complexity due to inherent aspects of its design. Since the parser is, by design, exposed to untrusted user input, this can be leveraged to force a program to consume significant time parsing Accept-Language headers. The parser cannot be easily rewritten to fix this behavior for various reasons. Instead the solution implemented in this CL is to limit the total complexity of tags passed into ParseAcceptLanguage by limiting the number of dashes in the string to 1000. This should be more than enough for the majority of real world use cases, where the number of tags being sent is likely to be in the single digits.
Specific Go Packages Affected
golang.org/x/text/language
google.golang.org/protobuf 1.28.0
(golang)
pkg:golang/google.golang.org/protobuf@1.28.0
Loop with Unreachable Exit Condition ('Infinite Loop')
Affected range | <1.33.0 |
Fixed version | 1.33.0 |
EPSS Score | 0.04% |
EPSS Percentile | 17th percentile |
Description
The protojson.Unmarshal function can enter an infinite loop when unmarshaling certain forms of invalid JSON. This condition can occur when unmarshaling into a message which contains a google.protobuf.Any value, or when the UnmarshalOptions.DiscardUnknown option is set.