dex-v2.41.1_linux_amd64
digest | sha256:bdf1b97afc58a4b5696348d9f15f02654688a9620cf4ca510ff36fcbbf54a86e |
vulnerabilities | |
size | 38 MB |
packages | 237 |
stdlib |
Affected range | <1.22.7 |
Fixed version | 1.22.7 |
EPSS Score | 0.04% |
EPSS Percentile | 17th percentile |
Description
Calling Parse on a "// +build" build tag line with deeply nested expressions can cause a panic due to stack exhaustion.
Affected range | <1.22.7 |
Fixed version | 1.22.7 |
EPSS Score | 0.04% |
EPSS Percentile | 17th percentile |
Description
Calling Decoder.Decode on a message which contains deeply nested structures can cause a panic due to stack exhaustion. This is a follow-up to CVE-2022-30635.
Affected range |
|
Fixed version | 1.22.5 |
EPSS Score | 0.04% |
EPSS Percentile | 17th percentile |
Description
The net/http HTTP/1.1 client mishandled the case where a server responds to a request with an "Expect: 100-continue" header with a non-informational (200 or higher) status. This mishandling could leave a client connection in an invalid state, where the next request sent on the connection will fail.
An attacker sending a request to a net/http/httputil.ReverseProxy proxy can exploit this mishandling to cause a denial of service by sending "Expect: 100-continue" requests which elicit a non-informational response from the backend. Each such request leaves the proxy with an invalid connection, and causes one subsequent request using that connection to fail.
Affected range | <1.22.7 |
Fixed version | 1.22.7 |
EPSS Score | 0.19% |
EPSS Percentile | 57th percentile |
Description
Calling Decoder.Decode on a message which contains deeply nested structures can cause a panic due to stack exhaustion. This is a follow-up to CVE-2022-30635.
Affected range | <1.22.7 |
Fixed version | 1.22.7 |
EPSS Score | 0.04% |
EPSS Percentile | 17th percentile |
Description
Calling any of the Parse functions on Go source code which contains deeply nested literals can cause a panic due to stack exhaustion.
stdlib 1.22.5
(golang)
pkg:golang/stdlib@1.22.5
# Dockerfile (76:76)
COPY --from=builder /go/bin/dex /usr/local/bin/dex
Affected range | <1.22.7 |
Fixed version | 1.22.7 |
EPSS Score | 0.04% |
EPSS Percentile | 17th percentile |
Description
Calling Parse on a "// +build" build tag line with deeply nested expressions can cause a panic due to stack exhaustion.
Affected range | <1.22.7 |
Fixed version | 1.22.7 |
EPSS Score | 0.04% |
EPSS Percentile | 17th percentile |
Description
Calling Decoder.Decode on a message which contains deeply nested structures can cause a panic due to stack exhaustion. This is a follow-up to CVE-2022-30635.
Affected range | <1.22.7 |
Fixed version | 1.22.7 |
EPSS Score | 0.19% |
EPSS Percentile | 57th percentile |
Description
Calling Decoder.Decode on a message which contains deeply nested structures can cause a panic due to stack exhaustion. This is a follow-up to CVE-2022-30635.
Affected range | <1.22.7 |
Fixed version | 1.22.7 |
EPSS Score | 0.04% |
EPSS Percentile | 17th percentile |
Description
Calling any of the Parse functions on Go source code which contains deeply nested literals can cause a panic due to stack exhaustion.
openssl 3.3.1-r3
(apk)
pkg:apk/alpine/openssl@3.3.1-r3?os_name=alpine&os_version=3.20
# Dockerfile (38:57)
FROM alpine:3.20.2@sha256:0a4eaa0eecf5f8c050e5bba433f58c052be7587ee8af3e8b3910ef9ab5fbe9f5 AS stager
RUN mkdir -p /var/dex
RUN mkdir -p /etc/dex
COPY config.docker.yaml /etc/dex/
FROM alpine:3.20.2@sha256:0a4eaa0eecf5f8c050e5bba433f58c052be7587ee8af3e8b3910ef9ab5fbe9f5 AS gomplate
ARG TARGETOS
ARG TARGETARCH
ARG TARGETVARIANT
ENV GOMPLATE_VERSION=v4.0.1
RUN wget -O /usr/local/bin/gomplate \
"https://github.com/hairyhenderson/gomplate/releases/download/${GOMPLATE_VERSION}/gomplate_${TARGETOS:-linux}-${TARGETARCH:-amd64}${TARGETVARIANT}" \
&& chmod +x /usr/local/bin/gomplate
# For Dependabot to detect base image versions
FROM alpine:3.20.2@sha256:0a4eaa0eecf5f8c050e5bba433f58c052be7587ee8af3e8b3910ef9ab5fbe9f5 AS alpine
Affected range | <3.3.2-r0 |
Fixed version | 3.3.2-r0 |
EPSS Score | 0.04% |
EPSS Percentile | 17th percentile |
Description
Affected range | <3.3.2-r1 |
Fixed version | 3.3.2-r1 |
EPSS Score | 0.04% |
EPSS Percentile | 11th percentile |
Description
github.com/dexidp/dex 2.41.1
(golang)
pkg:golang/github.com/dexidp/dex@2.41.1
# Dockerfile (76:76)
COPY --from=builder /go/bin/dex /usr/local/bin/dex
Affected range | >=0 |
Fixed version | Not Fixed |
EPSS Score | 0.06% |
EPSS Percentile | 27th percentile |
Description
Dex discarding TLSconfig and always serves deprecated TLS 1.0/1.1 and insecure ciphers in github.com/dexidp/dex.
NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions.
(If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.)
The additional affected modules and versions are: github.com/dexidp/dex from v2.37.0 before v2.38.0.
github.com/aws/aws-sdk-go 1.54.10
(golang)
pkg:golang/github.com/aws/aws-sdk-go@1.54.10
# Dockerfile (80:80)
COPY --from=gomplate /usr/local/bin/gomplate /usr/local/bin/gomplate
Affected range | >=0 |
Fixed version | Not Fixed |
EPSS Score | 0.05% |
EPSS Percentile | 21st percentile |
Description
The Go AWS S3 Crypto SDK contains vulnerabilities that can permit an attacker with write access to a bucket to decrypt files in that bucket.
Files encrypted by the V1 EncryptionClient using either the AES-CBC content cipher or the KMS key wrap algorithm are vulnerable. Users should migrate to the V1 EncryptionClientV2 API, which will not create vulnerable files. Old files will remain vulnerable until re-encrypted with the new client.
Affected range | >=0 |
Fixed version | Not Fixed |
EPSS Score | 0.04% |
EPSS Percentile | 14th percentile |
Description
The Go AWS S3 Crypto SDK contains vulnerabilities that can permit an attacker with write access to a bucket to decrypt files in that bucket.
Files encrypted by the V1 EncryptionClient using either the AES-CBC content cipher or the KMS key wrap algorithm are vulnerable. Users should migrate to the V1 EncryptionClientV2 API, which will not create vulnerable files. Old files will remain vulnerable until re-encrypted with the new client.
google.golang.org/grpc 1.64.0
(golang)
pkg:golang/google.golang.org/grpc@1.64.0
# Dockerfile (80:80)
COPY --from=gomplate /usr/local/bin/gomplate /usr/local/bin/gomplate
Exposure of Sensitive Information to an Unauthorized Actor
Affected range |
|
Fixed version | 1.64.1 |
Description
Impact
This issue represents a potential PII concern. If applications were printing or logging a context containing gRPC metadata, the affected versions will contain all the metadata, which may include private information.
Patches
The issue first appeared in 1.64.0 and is patched in 1.64.1 and 1.65.0
Workarounds
If using an affected version and upgrading is not possible, ensuring you do not log or print contexts will avoid the problem.