Skip to main content
New to Testkube? Unleash the power of cloud native testing in Kubernetes with Testkube. Get Started >

dex-v2.41.1_linux_arm64

digestsha256:bc7cfce7c17f52864e2bb2a4dc1d2f86a41e3019f6d42e81d92a301fad0c8a1d
vulnerabilitiescritical: 0 high: 9 medium: 1 low: 2 unspecified: 3
size36 MB
packages237
critical: 0 high: 4 medium: 0 low: 0 unspecified: 1stdlib 1.22.4 (golang)

pkg:golang/stdlib@1.22.4
high : CVE--2024--34158

Affected range<1.22.7
Fixed version1.22.7
EPSS Score0.04%
EPSS Percentile17th percentile
Description

Calling Parse on a "// +build" build tag line with deeply nested expressions can cause a panic due to stack exhaustion.

high : CVE--2024--34156

Affected range<1.22.7
Fixed version1.22.7
EPSS Score0.04%
EPSS Percentile17th percentile
Description

Calling Decoder.Decode on a message which contains deeply nested structures can cause a panic due to stack exhaustion. This is a follow-up to CVE-2022-30635.

high : CVE--2024--24791

Affected range
>=1.22.0-0
<1.22.5
Fixed version1.22.5
EPSS Score0.04%
EPSS Percentile17th percentile
Description

The net/http HTTP/1.1 client mishandled the case where a server responds to a request with an "Expect: 100-continue" header with a non-informational (200 or higher) status. This mishandling could leave a client connection in an invalid state, where the next request sent on the connection will fail.

An attacker sending a request to a net/http/httputil.ReverseProxy proxy can exploit this mishandling to cause a denial of service by sending "Expect: 100-continue" requests which elicit a non-informational response from the backend. Each such request leaves the proxy with an invalid connection, and causes one subsequent request using that connection to fail.

high : CVE--2022--30635

Affected range<1.22.7
Fixed version1.22.7
EPSS Score0.19%
EPSS Percentile57th percentile
Description

Calling Decoder.Decode on a message which contains deeply nested structures can cause a panic due to stack exhaustion. This is a follow-up to CVE-2022-30635.

unspecified : CVE--2024--34155

Affected range<1.22.7
Fixed version1.22.7
EPSS Score0.04%
EPSS Percentile17th percentile
Description

Calling any of the Parse functions on Go source code which contains deeply nested literals can cause a panic due to stack exhaustion.

critical: 0 high: 3 medium: 0 low: 0 unspecified: 1stdlib 1.22.5 (golang)

pkg:golang/stdlib@1.22.5
high : CVE--2024--34158

Affected range<1.22.7
Fixed version1.22.7
EPSS Score0.04%
EPSS Percentile17th percentile
Description

Calling Parse on a "// +build" build tag line with deeply nested expressions can cause a panic due to stack exhaustion.

high : CVE--2024--34156

Affected range<1.22.7
Fixed version1.22.7
EPSS Score0.04%
EPSS Percentile17th percentile
Description

Calling Decoder.Decode on a message which contains deeply nested structures can cause a panic due to stack exhaustion. This is a follow-up to CVE-2022-30635.

high : CVE--2022--30635

Affected range<1.22.7
Fixed version1.22.7
EPSS Score0.19%
EPSS Percentile57th percentile
Description

Calling Decoder.Decode on a message which contains deeply nested structures can cause a panic due to stack exhaustion. This is a follow-up to CVE-2022-30635.

unspecified : CVE--2024--34155

Affected range<1.22.7
Fixed version1.22.7
EPSS Score0.04%
EPSS Percentile17th percentile
Description

Calling any of the Parse functions on Go source code which contains deeply nested literals can cause a panic due to stack exhaustion.

critical: 0 high: 1 medium: 0 low: 0 unspecified: 1openssl 3.3.1-r3 (apk)

pkg:apk/alpine/openssl@3.3.1-r3?os_name=alpine&os_version=3.20
high : CVE--2024--6119

Affected range<3.3.2-r0
Fixed version3.3.2-r0
EPSS Score0.04%
EPSS Percentile17th percentile
Description

unspecified : CVE--2024--9143

Affected range<3.3.2-r1
Fixed version3.3.2-r1
EPSS Score0.04%
EPSS Percentile11th percentile
Description
critical: 0 high: 1 medium: 0 low: 0 github.com/dexidp/dex 2.41.1 (golang)

pkg:golang/github.com/dexidp/dex@2.41.1
high : CVE--2024--23656

Affected range>=0
Fixed versionNot Fixed
EPSS Score0.06%
EPSS Percentile27th percentile
Description

Dex discarding TLSconfig and always serves deprecated TLS 1.0/1.1 and insecure ciphers in github.com/dexidp/dex.

NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions.

(If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.)

The additional affected modules and versions are: github.com/dexidp/dex from v2.37.0 before v2.38.0.

critical: 0 high: 0 medium: 1 low: 1 github.com/aws/aws-sdk-go 1.54.10 (golang)

pkg:golang/github.com/aws/aws-sdk-go@1.54.10
medium : CVE--2020--8911

Affected range>=0
Fixed versionNot Fixed
EPSS Score0.05%
EPSS Percentile21st percentile
Description

The Go AWS S3 Crypto SDK contains vulnerabilities that can permit an attacker with write access to a bucket to decrypt files in that bucket.

Files encrypted by the V1 EncryptionClient using either the AES-CBC content cipher or the KMS key wrap algorithm are vulnerable. Users should migrate to the V1 EncryptionClientV2 API, which will not create vulnerable files. Old files will remain vulnerable until re-encrypted with the new client.

low : CVE--2020--8912

Affected range>=0
Fixed versionNot Fixed
EPSS Score0.04%
EPSS Percentile14th percentile
Description

The Go AWS S3 Crypto SDK contains vulnerabilities that can permit an attacker with write access to a bucket to decrypt files in that bucket.

Files encrypted by the V1 EncryptionClient using either the AES-CBC content cipher or the KMS key wrap algorithm are vulnerable. Users should migrate to the V1 EncryptionClientV2 API, which will not create vulnerable files. Old files will remain vulnerable until re-encrypted with the new client.

critical: 0 high: 0 medium: 0 low: 1 google.golang.org/grpc 1.64.0 (golang)

pkg:golang/google.golang.org/grpc@1.64.0
low : GHSA--xr7q--jx4m--x55m Exposure of Sensitive Information to an Unauthorized Actor

Affected range
>=1.64.0
<1.64.1
Fixed version1.64.1
Description

Impact

This issue represents a potential PII concern. If applications were printing or logging a context containing gRPC metadata, the affected versions will contain all the metadata, which may include private information.

Patches

The issue first appeared in 1.64.0 and is patched in 1.64.1 and 1.65.0

Workarounds

If using an affected version and upgrading is not possible, ensuring you do not log or print contexts will avoid the problem.