nats-server-config-reloader-0.22.3_linux_arm64

digest	sha256:ebea4dc8ce97398dcacc4de6ec77ca040d48f4fa5a612954b4ea89943e35d7ce
vulnerabilities
platform	linux/arm64
size	5.4 MB
packages	24

stdlib 1.25.6 (golang) pkg:golang/stdlib@1.25.6 # Dockerfile (38:38) COPY --from=deps /etc/ssl/certs/ca-certificates.crt /etc/ssl/certs/ Affected range >=1.25.0-0 <1.25.7 Fixed version 1.25.7 EPSS Score 0.017% EPSS Percentile 4th percentile Description During session resumption in crypto/tls, if the underlying Config has its ClientCAs or RootCAs fields mutated between the initial handshake and the resumed handshake, the resumed handshake may succeed when it should have failed. This may happen when a user calls Config.Clone and mutates the returned Config, or uses Config.GetConfigForClient. This can cause a client to resume a session with a server that it would not have resumed with during the initial handshake, or cause a server to resume a session with a client that it would not have resumed with during the initial handshake. Affected range <1.25.9 Fixed version 1.25.9 EPSS Score 0.007% EPSS Percentile 0th percentile Description During chain building, the amount of work that is done is not correctly limited when a large number of intermediate certificates are passed in VerifyOptions.Intermediates, which can lead to a denial of service. This affects both direct users of crypto/x509 and users of crypto/tls. Affected range <1.25.8 Fixed version 1.25.8 EPSS Score 0.033% EPSS Percentile 10th percentile Description url.Parse insufficiently validated the host/authority component and accepted some invalid URLs. Affected range <1.25.8 Fixed version 1.25.8 EPSS Score 0.012% EPSS Percentile 2nd percentile Description Actions which insert URLs into the content attribute of HTML meta tags are not escaped. This can allow XSS if the meta tag also has an http-equiv attribute with the value "refresh". A new GODEBUG setting has been added, htmlmetacontenturlescape, which can be used to disable escaping URLs in actions in the meta content attribute which follow "url=" by setting htmlmetacontenturlescape=0. Affected range <1.25.8 Fixed version 1.25.8 EPSS Score 0.005% EPSS Percentile 0th percentile Description On Unix platforms, when listing the contents of a directory using File.ReadDir or File.Readdir the returned FileInfo could reference a file outside of the Root in which the File was opened. The impact of this escape is limited to reading metadata provided by lstat from arbitrary locations on the filesystem without permitting reading or writing files outside the root. Affected range <1.25.9 Fixed version 1.25.9 EPSS Score 0.011% EPSS Percentile 1st percentile Description Context was not properly tracked across template branches for JS template literals, leading to possibly incorrect escaping of content when branches were used. Additionally template actions within JS template literals did not properly track the brace depth, leading to incorrect escaping being applied. These issues could cause actions within JS template literals to be incorrectly or improperly escaped, leading to XSS vulnerabilities. Affected range <1.25.9 Fixed version 1.25.9 EPSS Score 0.009% EPSS Percentile 1st percentile Description tar.Reader can allocate an unbounded amount of memory when reading a maliciously-crafted archive containing a large number of sparse regions encoded in the "old GNU sparse map" format. Affected range <1.25.9 Fixed version 1.25.9 EPSS Score 0.007% EPSS Percentile 0th percentile Description If one side of the TLS connection sends multiple key update messages post-handshake in a single record, the connection can deadlock, causing uncontrolled consumption of resources. This can lead to a denial of service. This only affects TLS 1.3. Affected range <1.25.9 Fixed version 1.25.9 EPSS Score 0.010% EPSS Percentile 1st percentile Description On Linux, if the target of Root.Chmod is replaced with a symlink while the chmod operation is in progress, Chmod can operate on the target of the symlink, even when the target lies outside the root. The Linux fchmodat syscall silently ignores the AT_SYMLINK_NOFOLLOW flag, which Root.Chmod uses to avoid symlink traversal. Root.Chmod checks its target before acting and returns an error if the target is a symlink lying outside the root, so the impact is limited to cases where the target is replaced with a symlink between the check and operation. Affected range <1.25.9 Fixed version 1.25.9 EPSS Score 0.007% EPSS Percentile 0th percentile Description Validating certificate chains which use policies is unexpectedly inefficient when certificates in the chain contain a very large number of policy mappings, possibly causing denial of service. This only affects validation of otherwise trusted certificate chains, issued by a root CA in the VerifyOptions.Roots CertPool, or in the system certificate pool.

openssl 3.5.5-r0 (apk) pkg:apk/alpine/openssl@3.5.5-r0?os_name=alpine&os_version=3.23 # Dockerfile (4:31) FROM alpine:3.23.3 AS deps ARG GO_APP ARG GORELEASER_DIST_DIR=/go/src/dist ARG TARGETOS ARG TARGETARCH ARG TARGETVARIANT RUN mkdir -p /go/bin /go/src ${GORELEASER_DIST_DIR} COPY --from=build ${GORELEASER_DIST_DIR}/ ${GORELEASER_DIST_DIR} RUN <<EOT set -e apk add --no-cache ca-certificates jq cd ${GORELEASER_DIST_DIR}/.. if [[ ${TARGETARCH} == "arm" ]]; then VARIANT=$(echo ${TARGETVARIANT} | sed 's/^v//'); fi BIN_PATH=$(jq -r ".[] |select(.type == \"Binary\" and \ .name == \"${GO_APP}\" and \ .goos == \"${TARGETOS}\" and \ .goarch == \"${TARGETARCH}\" and \ (.goarm == \"${VARIANT}\" or .goarm == null)) | .path" < /go/src/dist/artifacts.json) cp ${BIN_PATH} /go/bin EOT FROM alpine:3.23.3 Affected range <3.5.6-r0 Fixed version 3.5.6-r0 EPSS Score 0.012% EPSS Percentile 1st percentile Description Affected range <3.5.6-r0 Fixed version 3.5.6-r0 EPSS Score 0.045% EPSS Percentile 14th percentile Description Affected range <3.5.6-r0 Fixed version 3.5.6-r0 EPSS Score 0.011% EPSS Percentile 1st percentile Description Affected range <3.5.6-r0 Fixed version 3.5.6-r0 EPSS Score 0.029% EPSS Percentile 8th percentile Description Affected range <3.5.6-r0 Fixed version 3.5.6-r0 EPSS Score 0.029% EPSS Percentile 8th percentile Description Affected range <3.5.6-r0 Fixed version 3.5.6-r0 EPSS Score 0.011% EPSS Percentile 1st percentile Description Affected range <3.5.6-r0 Fixed version 3.5.6-r0 EPSS Score 0.020% EPSS Percentile 5th percentile Description

zlib 1.3.1-r2 (apk) pkg:apk/alpine/zlib@1.3.1-r2?os_name=alpine&os_version=3.23 # Dockerfile (4:31) FROM alpine:3.23.3 AS deps ARG GO_APP ARG GORELEASER_DIST_DIR=/go/src/dist ARG TARGETOS ARG TARGETARCH ARG TARGETVARIANT RUN mkdir -p /go/bin /go/src ${GORELEASER_DIST_DIR} COPY --from=build ${GORELEASER_DIST_DIR}/ ${GORELEASER_DIST_DIR} RUN <<EOT set -e apk add --no-cache ca-certificates jq cd ${GORELEASER_DIST_DIR}/.. if [[ ${TARGETARCH} == "arm" ]]; then VARIANT=$(echo ${TARGETVARIANT} | sed 's/^v//'); fi BIN_PATH=$(jq -r ".[] |select(.type == \"Binary\" and \ .name == \"${GO_APP}\" and \ .goos == \"${TARGETOS}\" and \ .goarch == \"${TARGETARCH}\" and \ (.goarm == \"${VARIANT}\" or .goarm == null)) | .path" < /go/src/dist/artifacts.json) cp ${BIN_PATH} /go/bin EOT FROM alpine:3.23.3 Affected range <1.3.2-r0 Fixed version 1.3.2-r0 EPSS Score 0.017% EPSS Percentile 4th percentile Description Affected range <1.3.2-r0 Fixed version 1.3.2-r0 EPSS Score 0.007% EPSS Percentile 1st percentile Description

busybox 1.37.0-r30 (apk) pkg:apk/alpine/busybox@1.37.0-r30?os_name=alpine&os_version=3.23 # Dockerfile (4:31) FROM alpine:3.23.3 AS deps ARG GO_APP ARG GORELEASER_DIST_DIR=/go/src/dist ARG TARGETOS ARG TARGETARCH ARG TARGETVARIANT RUN mkdir -p /go/bin /go/src ${GORELEASER_DIST_DIR} COPY --from=build ${GORELEASER_DIST_DIR}/ ${GORELEASER_DIST_DIR} RUN <<EOT set -e apk add --no-cache ca-certificates jq cd ${GORELEASER_DIST_DIR}/.. if [[ ${TARGETARCH} == "arm" ]]; then VARIANT=$(echo ${TARGETVARIANT} | sed 's/^v//'); fi BIN_PATH=$(jq -r ".[] |select(.type == \"Binary\" and \ .name == \"${GO_APP}\" and \ .goos == \"${TARGETOS}\" and \ .goarch == \"${TARGETARCH}\" and \ (.goarm == \"${VARIANT}\" or .goarm == null)) | .path" < /go/src/dist/artifacts.json) cp ${BIN_PATH} /go/bin EOT FROM alpine:3.23.3 Affected range <=1.37.0-r30 Fixed version Not Fixed EPSS Score 0.045% EPSS Percentile 14th percentile Description