dex-v2.41.1_linux_arm64

digest	sha256:bc7cfce7c17f52864e2bb2a4dc1d2f86a41e3019f6d42e81d92a301fad0c8a1d
vulnerabilities
size	36 MB
packages	237

stdlib 1.22.4 (golang) pkg:golang/stdlib@1.22.4 Affected range <1.22.7 Fixed version 1.22.7 EPSS Score 0.04% EPSS Percentile 17th percentile Description Calling Parse on a "// +build" build tag line with deeply nested expressions can cause a panic due to stack exhaustion. Affected range <1.22.7 Fixed version 1.22.7 EPSS Score 0.04% EPSS Percentile 17th percentile Description Calling Decoder.Decode on a message which contains deeply nested structures can cause a panic due to stack exhaustion. This is a follow-up to CVE-2022-30635. Affected range >=1.22.0-0 <1.22.5 Fixed version 1.22.5 EPSS Score 0.04% EPSS Percentile 17th percentile Description The net/http HTTP/1.1 client mishandled the case where a server responds to a request with an "Expect: 100-continue" header with a non-informational (200 or higher) status. This mishandling could leave a client connection in an invalid state, where the next request sent on the connection will fail. An attacker sending a request to a net/http/httputil.ReverseProxy proxy can exploit this mishandling to cause a denial of service by sending "Expect: 100-continue" requests which elicit a non-informational response from the backend. Each such request leaves the proxy with an invalid connection, and causes one subsequent request using that connection to fail. Affected range <1.22.7 Fixed version 1.22.7 EPSS Score 0.19% EPSS Percentile 57th percentile Description Calling Decoder.Decode on a message which contains deeply nested structures can cause a panic due to stack exhaustion. This is a follow-up to CVE-2022-30635. Affected range <1.22.7 Fixed version 1.22.7 EPSS Score 0.04% EPSS Percentile 17th percentile Description Calling any of the Parse functions on Go source code which contains deeply nested literals can cause a panic due to stack exhaustion.

stdlib 1.22.5 (golang) pkg:golang/stdlib@1.22.5 Affected range <1.22.7 Fixed version 1.22.7 EPSS Score 0.04% EPSS Percentile 17th percentile Description Calling Parse on a "// +build" build tag line with deeply nested expressions can cause a panic due to stack exhaustion. Affected range <1.22.7 Fixed version 1.22.7 EPSS Score 0.04% EPSS Percentile 17th percentile Description Calling Decoder.Decode on a message which contains deeply nested structures can cause a panic due to stack exhaustion. This is a follow-up to CVE-2022-30635. Affected range <1.22.7 Fixed version 1.22.7 EPSS Score 0.19% EPSS Percentile 57th percentile Description Calling Decoder.Decode on a message which contains deeply nested structures can cause a panic due to stack exhaustion. This is a follow-up to CVE-2022-30635. Affected range <1.22.7 Fixed version 1.22.7 EPSS Score 0.04% EPSS Percentile 17th percentile Description Calling any of the Parse functions on Go source code which contains deeply nested literals can cause a panic due to stack exhaustion.

openssl 3.3.1-r3 (apk) pkg:apk/alpine/openssl@3.3.1-r3?os_name=alpine&os_version=3.20 Affected range <3.3.2-r0 Fixed version 3.3.2-r0 EPSS Score 0.04% EPSS Percentile 17th percentile Description Affected range <3.3.2-r1 Fixed version 3.3.2-r1 EPSS Score 0.04% EPSS Percentile 11th percentile Description

github.com/dexidp/dex 2.41.1 (golang) pkg:golang/github.com/dexidp/dex@2.41.1 Affected range >=0 Fixed version Not Fixed EPSS Score 0.06% EPSS Percentile 27th percentile Description Dex discarding TLSconfig and always serves deprecated TLS 1.0/1.1 and insecure ciphers in github.com/dexidp/dex. NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions. (If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.) The additional affected modules and versions are: github.com/dexidp/dex from v2.37.0 before v2.38.0.

github.com/aws/aws-sdk-go 1.54.10 (golang) pkg:golang/github.com/aws/aws-sdk-go@1.54.10 Affected range >=0 Fixed version Not Fixed EPSS Score 0.05% EPSS Percentile 21st percentile Description The Go AWS S3 Crypto SDK contains vulnerabilities that can permit an attacker with write access to a bucket to decrypt files in that bucket. Files encrypted by the V1 EncryptionClient using either the AES-CBC content cipher or the KMS key wrap algorithm are vulnerable. Users should migrate to the V1 EncryptionClientV2 API, which will not create vulnerable files. Old files will remain vulnerable until re-encrypted with the new client. Affected range >=0 Fixed version Not Fixed EPSS Score 0.04% EPSS Percentile 14th percentile Description The Go AWS S3 Crypto SDK contains vulnerabilities that can permit an attacker with write access to a bucket to decrypt files in that bucket. Files encrypted by the V1 EncryptionClient using either the AES-CBC content cipher or the KMS key wrap algorithm are vulnerable. Users should migrate to the V1 EncryptionClientV2 API, which will not create vulnerable files. Old files will remain vulnerable until re-encrypted with the new client.

google.golang.org/grpc 1.64.0 (golang) pkg:golang/google.golang.org/grpc@1.64.0 Exposure of Sensitive Information to an Unauthorized Actor Affected range >=1.64.0 <1.64.1 Fixed version 1.64.1 Description Impact This issue represents a potential PII concern. If applications were printing or logging a context containing gRPC metadata, the affected versions will contain all the metadata, which may include private information. Patches The issue first appeared in 1.64.0 and is patched in 1.64.1 and 1.65.0 Workarounds If using an affected version and upgrading is not possible, ensuring you do not log or print contexts will avoid the problem.