╭ [0] ╭ Target: nmaguiar/imgutils:latest (alpine 3.22.0_alpha20250108)
│ ├ Class : os-pkgs
│ ╰ Type : alpine
├ [1] ╭ Target : Java
│ ├ Class : lang-pkgs
│ ├ Type : jar
│ ╰ Vulnerabilities ╭ [0] ╭ VulnerabilityID : CVE-2025-25193
│ │ ├ PkgName : io.netty:netty-common
│ │ ├ PkgPath : openaf/Kube/netty-common-4.1.115.Final.jar
│ │ ├ PkgIdentifier ╭ PURL: pkg:maven/io.netty/netty-common@4.1.115.Final
│ │ │ ╰ UID : ddba42e9c4528b76
│ │ ├ InstalledVersion: 4.1.115.Final
│ │ ├ Status : affected
│ │ ├ Layer ╭ Digest: sha256:67745f33db87269d29b3cec8a6ee9ff37466af991b8e3
│ │ │ │ fe935202ee09b74937d
│ │ │ ╰ DiffID: sha256:a56dd5b884f421b1a1ddd57dafd3f97b066e4a94b0eea
│ │ │ 885bee677ce5feea9ac
│ │ ├ SeveritySource : ghsa
│ │ ├ PrimaryURL : https://avd.aquasec.com/nvd/cve-2025-25193
│ │ ├ DataSource ╭ ID : ghsa
│ │ │ ├ Name: GitHub Security Advisory Maven
│ │ │ ╰ URL : https://github.com/advisories?query=type%3Areviewed+ec
│ │ │ osystem%3Amaven
│ │ ├ Title : Denial of Service attack on windows app using Netty
│ │ ├ Description : Netty, an asynchronous, event-driven network application
│ │ │ framework, has a vulnerability in versions up to and
│ │ │ including 4.1.118.Final. An unsafe reading of environment
│ │ │ file could potentially cause a denial of service in Netty.
│ │ │ When loaded on a Windows application, Netty attempts to load
│ │ │ a file that does not exist. If an attacker creates such a
│ │ │ large file, the Netty application crashes. A similar issue was
│ │ │ previously reported as CVE-2024-47535. This issue was fixed,
│ │ │ but the fix was incomplete in that null-bytes were not
│ │ │ counted against the input limit. Commit
│ │ │ d1fbda62d3a47835d3fb35db8bd42ecc205a5386 contains an updated
│ │ │ fix.
│ │ ├ Severity : MEDIUM
│ │ ├ CweIDs ─ [0]: CWE-400
│ │ ├ VendorSeverity ─ ghsa: 2
│ │ ├ CVSS ─ ghsa ╭ V3Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
│ │ │ ╰ V3Score : 5.5
│ │ ├ References ╭ [0]: https://github.com/netty/netty
│ │ │ ├ [1]: https://github.com/netty/netty/commit/d1fbda62d3a47835d
│ │ │ │ 3fb35db8bd42ecc205a5386
│ │ │ ├ [2]: https://github.com/netty/netty/security/advisories/GHSA
│ │ │ │ -389x-839f-4rhx
│ │ │ ╰ [3]: https://nvd.nist.gov/vuln/detail/CVE-2025-25193
│ │ ├ PublishedDate : 2025-02-10T22:15:38.45Z
│ │ ╰ LastModifiedDate: 2025-02-10T22:15:38.45Z
│ ╰ [1] ╭ VulnerabilityID : CVE-2025-24970
│ ├ PkgName : io.netty:netty-handler
│ ├ PkgPath : openaf/Kube/netty-handler-4.1.115.Final.jar
│ ├ PkgIdentifier ╭ PURL: pkg:maven/io.netty/netty-handler@4.1.115.Final
│ │ ╰ UID : fd229ca8f6181102
│ ├ InstalledVersion: 4.1.115.Final
│ ├ FixedVersion : 4.1.118.Final
│ ├ Status : fixed
│ ├ Layer ╭ Digest: sha256:67745f33db87269d29b3cec8a6ee9ff37466af991b8e3
│ │ │ fe935202ee09b74937d
│ │ ╰ DiffID: sha256:a56dd5b884f421b1a1ddd57dafd3f97b066e4a94b0eea
│ │ 885bee677ce5feea9ac
│ ├ SeveritySource : ghsa
│ ├ PrimaryURL : https://avd.aquasec.com/nvd/cve-2025-24970
│ ├ DataSource ╭ ID : ghsa
│ │ ├ Name: GitHub Security Advisory Maven
│ │ ╰ URL : https://github.com/advisories?query=type%3Areviewed+ec
│ │ osystem%3Amaven
│ ├ Title : SslHandler doesn't correctly validate packets which can lead
│ │ to native crash when using native SSLEngine
│ ├ Description : Netty, an asynchronous, event-driven network application
│ │ framework, has a vulnerability starting in version
│ │ 4.1.91.Final and prior to version 4.1.118.Final. When a
│ │ special crafted packet is received via SslHandler it doesn't
│ │ correctly handle validation of such a packet in all cases
│ │ which can lead to a native crash. Version 4.1.118.Final
│ │ contains a patch. As a workaround it's possible to either
│ │ disable the usage of the native SSLEngine or change the code
│ │ manually.
│ ├ Severity : HIGH
│ ├ CweIDs ─ [0]: CWE-20
│ ├ VendorSeverity ─ ghsa: 3
│ ├ CVSS ─ ghsa ╭ V3Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
│ │ ╰ V3Score : 7.5
│ ├ References ╭ [0]: https://github.com/netty/netty
│ │ ├ [1]: https://github.com/netty/netty/commit/87f40725155b2f89a
│ │ │ dfde68c7732f97c153676c4
│ │ ├ [2]: https://github.com/netty/netty/security/advisories/GHSA
│ │ │ -4g8c-wm8x-jfhw
│ │ ╰ [3]: https://nvd.nist.gov/vuln/detail/CVE-2025-24970
│ ├ PublishedDate : 2025-02-10T22:15:38.057Z
│ ╰ LastModifiedDate: 2025-02-10T22:15:38.057Z
├ [2] ╭ Target : usr/bin/crictl
│ ├ Class : lang-pkgs
│ ├ Type : gobinary
│ ╰ Vulnerabilities ╭ [0] ╭ VulnerabilityID : CVE-2024-45338
│ │ ├ PkgID : golang.org/x/net@v0.30.0
│ │ ├ PkgName : golang.org/x/net
│ │ ├ PkgIdentifier ╭ PURL: pkg:golang/golang.org/x/net@v0.30.0
│ │ │ ╰ UID : 9ce1984a5172bc7c
│ │ ├ InstalledVersion: v0.30.0
│ │ ├ FixedVersion : 0.33.0
│ │ ├ Status : fixed
│ │ ├ Layer ╭ Digest: sha256:67745f33db87269d29b3cec8a6ee9ff37466af991b8e3
│ │ │ │ fe935202ee09b74937d
│ │ │ ╰ DiffID: sha256:a56dd5b884f421b1a1ddd57dafd3f97b066e4a94b0eea
│ │ │ 885bee677ce5feea9ac
│ │ ├ SeveritySource : ghsa
│ │ ├ PrimaryURL : https://avd.aquasec.com/nvd/cve-2024-45338
│ │ ├ DataSource ╭ ID : ghsa
│ │ │ ├ Name: GitHub Security Advisory Go
│ │ │ ╰ URL : https://github.com/advisories?query=type%3Areviewed+ec
│ │ │ osystem%3Ago
│ │ ├ Title : golang.org/x/net/html: Non-linear parsing of case-insensitive
│ │ │ content in golang.org/x/net/html
│ │ ├ Description : An attacker can craft an input to the Parse functions that
│ │ │ would be processed non-linearly with respect to its length,
│ │ │ resulting in extremely slow parsing. This could cause a
│ │ │ denial of service.
│ │ ├ Severity : HIGH
│ │ ├ CweIDs ─ [0]: CWE-1333
│ │ ├ VendorSeverity ╭ amazon : 3
│ │ │ ├ azure : 3
│ │ │ ├ cbl-mariner: 3
│ │ │ ├ ghsa : 3
│ │ │ ├ redhat : 3
│ │ │ ╰ ubuntu : 2
│ │ ├ CVSS ─ redhat ╭ V3Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/
│ │ │ │ A:H
│ │ │ ╰ V3Score : 7.5
│ │ ├ References ╭ [0] : https://access.redhat.com/security/cve/CVE-2024-45338
│ │ │ ├ [1] : https://cs.opensource.google/go/x/net
│ │ │ ├ [2] : https://github.com/golang/go/issues/70906
│ │ │ ├ [3] : https://go-review.googlesource.com/c/net/+/637536
│ │ │ ├ [4] : https://go.dev/cl/637536
│ │ │ ├ [5] : https://go.dev/issue/70906
│ │ │ ├ [6] : https://groups.google.com/g/golang-announce/c/wSCRmFnN
│ │ │ │ mPA/m/Lvcd0mRMAwAJ
│ │ │ ├ [7] : https://nvd.nist.gov/vuln/detail/CVE-2024-45338
│ │ │ ├ [8] : https://pkg.go.dev/vuln/GO-2024-3333
│ │ │ ├ [9] : https://ubuntu.com/security/notices/USN-7197-1
│ │ │ ╰ [10]: https://www.cve.org/CVERecord?id=CVE-2024-45338
│ │ ├ PublishedDate : 2024-12-18T21:15:08.173Z
│ │ ╰ LastModifiedDate: 2024-12-31T20:16:06.603Z
│ ├ [1] ╭ VulnerabilityID : CVE-2024-45336
│ │ ├ PkgID : stdlib@v1.23.3
│ │ ├ PkgName : stdlib
│ │ ├ PkgIdentifier ╭ PURL: pkg:golang/stdlib@v1.23.3
│ │ │ ╰ UID : c32ee6844a95cf7d
│ │ ├ InstalledVersion: v1.23.3
│ │ ├ FixedVersion : 1.22.11, 1.23.5, 1.24.0-rc.2
│ │ ├ Status : fixed
│ │ ├ Layer ╭ Digest: sha256:67745f33db87269d29b3cec8a6ee9ff37466af991b8e3
│ │ │ │ fe935202ee09b74937d
│ │ │ ╰ DiffID: sha256:a56dd5b884f421b1a1ddd57dafd3f97b066e4a94b0eea
│ │ │ 885bee677ce5feea9ac
│ │ ├ PrimaryURL : https://avd.aquasec.com/nvd/cve-2024-45336
│ │ ├ DataSource ╭ ID : govulndb
│ │ │ ├ Name: The Go Vulnerability Database
│ │ │ ╰ URL : https://pkg.go.dev/vuln/
│ │ ├ Title : golang: net/http: net/http: sensitive headers incorrectly
│ │ │ sent after cross-domain redirect
│ │ ├ Description : The HTTP client drops sensitive headers after following a
│ │ │ cross-domain redirect. For example, a request to a.com/
│ │ │ containing an Authorization header which is redirected to
│ │ │ b.com/ will not send that header to b.com. In the event that
│ │ │ the client received a subsequent same-domain redirect,
│ │ │ however, the sensitive headers would be restored. For
│ │ │ example, a chain of redirects from a.com/, to b.com/1, and
│ │ │ finally to b.com/2 would incorrectly send the Authorization
│ │ │ header to b.com/2.
│ │ ├ Severity : MEDIUM
│ │ ├ VendorSeverity ╭ bitnami: 2
│ │ │ ╰ redhat : 2
│ │ ├ CVSS ╭ bitnami ╭ V3Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L
│ │ │ │ │ /A:N
│ │ │ │ ╰ V3Score : 6.1
│ │ │ ╰ redhat ╭ V3Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N
│ │ │ │ /A:N
│ │ │ ╰ V3Score : 5.9
│ │ ├ References ╭ [0]: https://access.redhat.com/security/cve/CVE-2024-45336
│ │ │ ├ [1]: https://go.dev/cl/643100
│ │ │ ├ [2]: https://go.dev/issue/70530
│ │ │ ├ [3]: https://groups.google.com/g/golang-dev/c/CAWXhan3Jww/m/
│ │ │ │ bk9LAa-lCgAJ
│ │ │ ├ [4]: https://groups.google.com/g/golang-dev/c/bG8cv1muIBM/m/
│ │ │ │ G461hA6lCgAJ
│ │ │ ├ [5]: https://nvd.nist.gov/vuln/detail/CVE-2024-45336
│ │ │ ├ [6]: https://pkg.go.dev/vuln/GO-2025-3420
│ │ │ ╰ [7]: https://www.cve.org/CVERecord?id=CVE-2024-45336
│ │ ├ PublishedDate : 2025-01-28T02:15:28.807Z
│ │ ╰ LastModifiedDate: 2025-01-28T16:15:38.22Z
│ ├ [2] ╭ VulnerabilityID : CVE-2024-45341
│ │ ├ PkgID : stdlib@v1.23.3
│ │ ├ PkgName : stdlib
│ │ ├ PkgIdentifier ╭ PURL: pkg:golang/stdlib@v1.23.3
│ │ │ ╰ UID : c32ee6844a95cf7d
│ │ ├ InstalledVersion: v1.23.3
│ │ ├ FixedVersion : 1.22.11, 1.23.5, 1.24.0-rc.2
│ │ ├ Status : fixed
│ │ ├ Layer ╭ Digest: sha256:67745f33db87269d29b3cec8a6ee9ff37466af991b8e3
│ │ │ │ fe935202ee09b74937d
│ │ │ ╰ DiffID: sha256:a56dd5b884f421b1a1ddd57dafd3f97b066e4a94b0eea
│ │ │ 885bee677ce5feea9ac
│ │ ├ PrimaryURL : https://avd.aquasec.com/nvd/cve-2024-45341
│ │ ├ DataSource ╭ ID : govulndb
│ │ │ ├ Name: The Go Vulnerability Database
│ │ │ ╰ URL : https://pkg.go.dev/vuln/
│ │ ├ Title : golang: crypto/x509: crypto/x509: usage of IPv6 zone IDs can
│ │ │ bypass URI name constraints
│ │ ├ Description : A certificate with a URI which has an IPv6 address with a zone
│ │ │ ID may incorrectly satisfy a URI name constraint that
│ │ │ applies to the certificate chain. Certificates containing
│ │ │ URIs are not permitted in the web PKI, so this only affects
│ │ │ users of private PKIs which make use of URIs.
│ │ ├ Severity : MEDIUM
│ │ ├ VendorSeverity ╭ bitnami : 2
│ │ │ ├ cbl-mariner: 2
│ │ │ ╰ redhat : 1
│ │ ├ CVSS ╭ bitnami ╭ V3Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L
│ │ │ │ │ /A:N
│ │ │ │ ╰ V3Score : 6.1
│ │ │ ╰ redhat ╭ V3Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L
│ │ │ │ /A:N
│ │ │ ╰ V3Score : 4.2
│ │ ├ References ╭ [0]: https://access.redhat.com/security/cve/CVE-2024-45341
│ │ │ ├ [1]: https://go.dev/cl/643099
│ │ │ ├ [2]: https://go.dev/issue/71156
│ │ │ ├ [3]: https://groups.google.com/g/golang-dev/c/CAWXhan3Jww/m/
│ │ │ │ bk9LAa-lCgAJ
│ │ │ ├ [4]: https://groups.google.com/g/golang-dev/c/bG8cv1muIBM/m/
│ │ │ │ G461hA6lCgAJ
│ │ │ ├ [5]: https://nvd.nist.gov/vuln/detail/CVE-2024-45341
│ │ │ ├ [6]: https://pkg.go.dev/vuln/GO-2025-3373
│ │ │ ╰ [7]: https://www.cve.org/CVERecord?id=CVE-2024-45341
│ │ ├ PublishedDate : 2025-01-28T02:15:29.147Z
│ │ ╰ LastModifiedDate: 2025-01-28T16:15:38.65Z
│ ╰ [3] ╭ VulnerabilityID : CVE-2025-22866
│ ├ PkgID : stdlib@v1.23.3
│ ├ PkgName : stdlib
│ ├ PkgIdentifier ╭ PURL: pkg:golang/stdlib@v1.23.3
│ │ ╰ UID : c32ee6844a95cf7d
│ ├ InstalledVersion: v1.23.3
│ ├ FixedVersion : 1.22.12, 1.23.6, 1.24.0-rc.3
│ ├ Status : fixed
│ ├ Layer ╭ Digest: sha256:67745f33db87269d29b3cec8a6ee9ff37466af991b8e3
│ │ │ fe935202ee09b74937d
│ │ ╰ DiffID: sha256:a56dd5b884f421b1a1ddd57dafd3f97b066e4a94b0eea
│ │ 885bee677ce5feea9ac
│ ├ PrimaryURL : https://avd.aquasec.com/nvd/cve-2025-22866
│ ├ DataSource ╭ ID : govulndb
│ │ ├ Name: The Go Vulnerability Database
│ │ ╰ URL : https://pkg.go.dev/vuln/
│ ├ Title : crypto/internal/nistec: golang: Timing sidechannel for P-256
│ │ on ppc64le in crypto/internal/nistec
│ ├ Description : Due to the usage of a variable time instruction in the
│ │ assembly implementation of an internal function, a small
│ │ number of bits of secret scalars are leaked on the ppc64le
│ │ architecture. Due to the way this function is used, we do not
│ │ believe this leakage is enough to allow recovery of the
│ │ private key when P-256 is used in any well known protocols.
│ ├ Severity : MEDIUM
│ ├ VendorSeverity ─ redhat: 2
│ ├ CVSS ─ redhat ╭ V3Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/
│ │ │ A:N
│ │ ╰ V3Score : 5.3
│ ├ References ╭ [0]: https://access.redhat.com/security/cve/CVE-2025-22866
│ │ ├ [1]: https://go.dev/cl/643735
│ │ ├ [2]: https://go.dev/issue/71383
│ │ ├ [3]: https://groups.google.com/g/golang-announce/c/xU1ZCHUZw3k
│ │ ├ [4]: https://nvd.nist.gov/vuln/detail/CVE-2025-22866
│ │ ├ [5]: https://pkg.go.dev/vuln/GO-2025-3447
│ │ ╰ [6]: https://www.cve.org/CVERecord?id=CVE-2025-22866
│ ├ PublishedDate : 2025-02-06T17:15:21.41Z
│ ╰ LastModifiedDate: 2025-02-10T21:15:22.477Z
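The CVE-2024-45336 description above (repeated for usr/bin/helm and usr/bin/nerdctl below) describes a redirect chain a.com/ -> b.com/1 -> b.com/2 in which the Authorization header, correctly dropped on the cross-domain hop, is sent again on the same-domain hop that follows. The Go program below is an added illustration, not code from the scanned image or from the Go standard library: it models the client's per-hop decision in isolation, once comparing each hop only with the previous one (the behaviour the advisory describes) and once with the corrected rule that keeps a header stripped for the rest of the chain. Hostnames are compared without ports, the hop lists are constructed inputs, and the function and variable names are ours.

```go
package main

import (
	"fmt"
	"strings"
)

// isDomainOrSubdomain reports whether sub equals parent or is a subdomain
// of it ("api.example.com" under "example.com"). Modelled on the rule the
// net/http client uses for sensitive headers; not the stdlib code itself.
func isDomainOrSubdomain(sub, parent string) bool {
	if sub == parent {
		return true
	}
	// A ':' or '%' means an IPv6 literal (possibly with a zone), never a
	// hostname, so no suffix check: "::1%.example.com" must not match.
	if strings.ContainsAny(sub, ":%") {
		return false
	}
	return strings.HasSuffix(sub, "."+parent)
}

// forwardSensitive decides, for each hop of a redirect chain, whether a
// sensitive header (Authorization, Cookie, ...) set on the initial request
// is sent. hops[0] is the host of the original request; the header values
// are always copied from that original request, never from a later hop.
//
// vulnerable=true reproduces the behaviour the advisory describes: each hop
// is compared only with the hop before it, so a cross-domain hop strips the
// header and a later same-domain hop restores it.
// vulnerable=false applies the corrected rule (Go 1.23.5 / 1.22.11 in the
// FixedVersion row): once stripped, the header stays stripped.
func forwardSensitive(hops []string, vulnerable bool) []bool {
	sent := make([]bool, len(hops))
	if len(hops) == 0 {
		return sent
	}
	sent[0] = true // the original request carries its own headers
	for i := 1; i < len(hops); i++ {
		sameSite := isDomainOrSubdomain(hops[i], hops[i-1])
		if vulnerable {
			sent[i] = sameSite
		} else {
			sent[i] = sameSite && sent[i-1]
		}
	}
	return sent
}

// leakedTo lists the hops that receive the header under the old rule but
// not under the corrected one: exactly the leak the advisory describes.
func leakedTo(hops []string) []string {
	bad, good := forwardSensitive(hops, true), forwardSensitive(hops, false)
	var leaked []string
	for i := range hops {
		if bad[i] && !good[i] {
			leaked = append(leaked, hops[i])
		}
	}
	return leaked
}

func main() {
	// The chain from the advisory text: a.com/ -> b.com/1 -> b.com/2.
	chain := []string{"a.com", "b.com", "b.com"}
	fmt.Println("per-hop comparison:  ", forwardSensitive(chain, true))  // [true false true]
	fmt.Println("sticky strip (fixed):", forwardSensitive(chain, false)) // [true false false]
	fmt.Println("Authorization leaked to:", leakedTo(chain))             // [b.com]
}
```

The stdlib applies the same decision to Authorization, Cookie and the related credential headers. A Go binary only picks up the corrected rule when it is rebuilt with a patched toolchain, so for the binaries in this report the relevant version is the stdlib version in the PkgID row, not anything installed on the host.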
├ [3] ╭ Target : usr/bin/ctr
│ ├ Class : lang-pkgs
│ ├ Type : gobinary
│ ╰ Vulnerabilities ╭ [0] ╭ VulnerabilityID : CVE-2024-45338
│ │ ├ PkgID : golang.org/x/net@v0.30.0
│ │ ├ PkgName : golang.org/x/net
│ │ ├ PkgIdentifier ╭ PURL: pkg:golang/golang.org/x/net@v0.30.0
│ │ │ ╰ UID : 9c86bc80f39c3b9e
│ │ ├ InstalledVersion: v0.30.0
│ │ ├ FixedVersion : 0.33.0
│ │ ├ Status : fixed
│ │ ├ Layer ╭ Digest: sha256:67745f33db87269d29b3cec8a6ee9ff37466af991b8e3
│ │ │ │ fe935202ee09b74937d
│ │ │ ╰ DiffID: sha256:a56dd5b884f421b1a1ddd57dafd3f97b066e4a94b0eea
│ │ │ 885bee677ce5feea9ac
│ │ ├ SeveritySource : ghsa
│ │ ├ PrimaryURL : https://avd.aquasec.com/nvd/cve-2024-45338
│ │ ├ DataSource ╭ ID : ghsa
│ │ │ ├ Name: GitHub Security Advisory Go
│ │ │ ╰ URL : https://github.com/advisories?query=type%3Areviewed+ec
│ │ │ osystem%3Ago
│ │ ├ Title : golang.org/x/net/html: Non-linear parsing of case-insensitive
│ │ │ content in golang.org/x/net/html
│ │ ├ Description : An attacker can craft an input to the Parse functions that
│ │ │ would be processed non-linearly with respect to its length,
│ │ │ resulting in extremely slow parsing. This could cause a
│ │ │ denial of service.
│ │ ├ Severity : HIGH
│ │ ├ CweIDs ─ [0]: CWE-1333
│ │ ├ VendorSeverity ╭ amazon : 3
│ │ │ ├ azure : 3
│ │ │ ├ cbl-mariner: 3
│ │ │ ├ ghsa : 3
│ │ │ ├ redhat : 3
│ │ │ ╰ ubuntu : 2
│ │ ├ CVSS ─ redhat ╭ V3Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/
│ │ │ │ A:H
│ │ │ ╰ V3Score : 7.5
│ │ ├ References ╭ [0] : https://access.redhat.com/security/cve/CVE-2024-45338
│ │ │ ├ [1] : https://cs.opensource.google/go/x/net
│ │ │ ├ [2] : https://github.com/golang/go/issues/70906
│ │ │ ├ [3] : https://go-review.googlesource.com/c/net/+/637536
│ │ │ ├ [4] : https://go.dev/cl/637536
│ │ │ ├ [5] : https://go.dev/issue/70906
│ │ │ ├ [6] : https://groups.google.com/g/golang-announce/c/wSCRmFnN
│ │ │ │ mPA/m/Lvcd0mRMAwAJ
│ │ │ ├ [7] : https://nvd.nist.gov/vuln/detail/CVE-2024-45338
│ │ │ ├ [8] : https://pkg.go.dev/vuln/GO-2024-3333
│ │ │ ├ [9] : https://ubuntu.com/security/notices/USN-7197-1
│ │ │ ╰ [10]: https://www.cve.org/CVERecord?id=CVE-2024-45338
│ │ ├ PublishedDate : 2024-12-18T21:15:08.173Z
│ │ ╰ LastModifiedDate: 2024-12-31T20:16:06.603Z
│ ╰ [1] ╭ VulnerabilityID : CVE-2025-22866
│ ├ PkgID : stdlib@v1.23.5
│ ├ PkgName : stdlib
│ ├ PkgIdentifier ╭ PURL: pkg:golang/stdlib@v1.23.5
│ │ ╰ UID : a2c766756f523e3
│ ├ InstalledVersion: v1.23.5
│ ├ FixedVersion : 1.22.12, 1.23.6, 1.24.0-rc.3
│ ├ Status : fixed
│ ├ Layer ╭ Digest: sha256:67745f33db87269d29b3cec8a6ee9ff37466af991b8e3
│ │ │ fe935202ee09b74937d
│ │ ╰ DiffID: sha256:a56dd5b884f421b1a1ddd57dafd3f97b066e4a94b0eea
│ │ 885bee677ce5feea9ac
│ ├ PrimaryURL : https://avd.aquasec.com/nvd/cve-2025-22866
│ ├ DataSource ╭ ID : govulndb
│ │ ├ Name: The Go Vulnerability Database
│ │ ╰ URL : https://pkg.go.dev/vuln/
│ ├ Title : crypto/internal/nistec: golang: Timing sidechannel for P-256
│ │ on ppc64le in crypto/internal/nistec
│ ├ Description : Due to the usage of a variable time instruction in the
│ │ assembly implementation of an internal function, a small
│ │ number of bits of secret scalars are leaked on the ppc64le
│ │ architecture. Due to the way this function is used, we do not
│ │ believe this leakage is enough to allow recovery of the
│ │ private key when P-256 is used in any well known protocols.
│ ├ Severity : MEDIUM
│ ├ VendorSeverity ─ redhat: 2
│ ├ CVSS ─ redhat ╭ V3Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/
│ │ │ A:N
│ │ ╰ V3Score : 5.3
│ ├ References ╭ [0]: https://access.redhat.com/security/cve/CVE-2025-22866
│ │ ├ [1]: https://go.dev/cl/643735
│ │ ├ [2]: https://go.dev/issue/71383
│ │ ├ [3]: https://groups.google.com/g/golang-announce/c/xU1ZCHUZw3k
│ │ ├ [4]: https://nvd.nist.gov/vuln/detail/CVE-2025-22866
│ │ ├ [5]: https://pkg.go.dev/vuln/GO-2025-3447
│ │ ╰ [6]: https://www.cve.org/CVERecord?id=CVE-2025-22866
│ ├ PublishedDate : 2025-02-06T17:15:21.41Z
│ ╰ LastModifiedDate: 2025-02-10T21:15:22.477Z
├ [4] ╭ Target : usr/bin/dive
│ ├ Class : lang-pkgs
│ ├ Type : gobinary
│ ╰ Vulnerabilities ╭ [0] ╭ VulnerabilityID : CVE-2024-45338
│ │ ├ PkgID : golang.org/x/net@v0.28.0
│ │ ├ PkgName : golang.org/x/net
│ │ ├ PkgIdentifier ╭ PURL: pkg:golang/golang.org/x/net@v0.28.0
│ │ │ ╰ UID : 2fe24708cb92b4b0
│ │ ├ InstalledVersion: v0.28.0
│ │ ├ FixedVersion : 0.33.0
│ │ ├ Status : fixed
│ │ ├ Layer ╭ Digest: sha256:67745f33db87269d29b3cec8a6ee9ff37466af991b8e3
│ │ │ │ fe935202ee09b74937d
│ │ │ ╰ DiffID: sha256:a56dd5b884f421b1a1ddd57dafd3f97b066e4a94b0eea
│ │ │ 885bee677ce5feea9ac
│ │ ├ SeveritySource : ghsa
│ │ ├ PrimaryURL : https://avd.aquasec.com/nvd/cve-2024-45338
│ │ ├ DataSource ╭ ID : ghsa
│ │ │ ├ Name: GitHub Security Advisory Go
│ │ │ ╰ URL : https://github.com/advisories?query=type%3Areviewed+ec
│ │ │ osystem%3Ago
│ │ ├ Title : golang.org/x/net/html: Non-linear parsing of case-insensitive
│ │ │ content in golang.org/x/net/html
│ │ ├ Description : An attacker can craft an input to the Parse functions that
│ │ │ would be processed non-linearly with respect to its length,
│ │ │ resulting in extremely slow parsing. This could cause a
│ │ │ denial of service.
│ │ ├ Severity : HIGH
│ │ ├ CweIDs ─ [0]: CWE-1333
│ │ ├ VendorSeverity ╭ amazon : 3
│ │ │ ├ azure : 3
│ │ │ ├ cbl-mariner: 3
│ │ │ ├ ghsa : 3
│ │ │ ├ redhat : 3
│ │ │ ╰ ubuntu : 2
│ │ ├ CVSS ─ redhat ╭ V3Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/
│ │ │ │ A:H
│ │ │ ╰ V3Score : 7.5
│ │ ├ References ╭ [0] : https://access.redhat.com/security/cve/CVE-2024-45338
│ │ │ ├ [1] : https://cs.opensource.google/go/x/net
│ │ │ ├ [2] : https://github.com/golang/go/issues/70906
│ │ │ ├ [3] : https://go-review.googlesource.com/c/net/+/637536
│ │ │ ├ [4] : https://go.dev/cl/637536
│ │ │ ├ [5] : https://go.dev/issue/70906
│ │ │ ├ [6] : https://groups.google.com/g/golang-announce/c/wSCRmFnN
│ │ │ │ mPA/m/Lvcd0mRMAwAJ
│ │ │ ├ [7] : https://nvd.nist.gov/vuln/detail/CVE-2024-45338
│ │ │ ├ [8] : https://pkg.go.dev/vuln/GO-2024-3333
│ │ │ ├ [9] : https://ubuntu.com/security/notices/USN-7197-1
│ │ │ ╰ [10]: https://www.cve.org/CVERecord?id=CVE-2024-45338
│ │ ├ PublishedDate : 2024-12-18T21:15:08.173Z
│ │ ╰ LastModifiedDate: 2024-12-31T20:16:06.603Z
│ ╰ [1] ╭ VulnerabilityID : CVE-2025-22866
│ ├ PkgID : stdlib@v1.23.5
│ ├ PkgName : stdlib
│ ├ PkgIdentifier ╭ PURL: pkg:golang/stdlib@v1.23.5
│ │ ╰ UID : ab0a03fa0a13c8e8
│ ├ InstalledVersion: v1.23.5
│ ├ FixedVersion : 1.22.12, 1.23.6, 1.24.0-rc.3
│ ├ Status : fixed
│ ├ Layer ╭ Digest: sha256:67745f33db87269d29b3cec8a6ee9ff37466af991b8e3
│ │ │ fe935202ee09b74937d
│ │ ╰ DiffID: sha256:a56dd5b884f421b1a1ddd57dafd3f97b066e4a94b0eea
│ │ 885bee677ce5feea9ac
│ ├ PrimaryURL : https://avd.aquasec.com/nvd/cve-2025-22866
│ ├ DataSource ╭ ID : govulndb
│ │ ├ Name: The Go Vulnerability Database
│ │ ╰ URL : https://pkg.go.dev/vuln/
│ ├ Title : crypto/internal/nistec: golang: Timing sidechannel for P-256
│ │ on ppc64le in crypto/internal/nistec
│ ├ Description : Due to the usage of a variable time instruction in the
│ │ assembly implementation of an internal function, a small
│ │ number of bits of secret scalars are leaked on the ppc64le
│ │ architecture. Due to the way this function is used, we do not
│ │ believe this leakage is enough to allow recovery of the
│ │ private key when P-256 is used in any well known protocols.
│ ├ Severity : MEDIUM
│ ├ VendorSeverity ─ redhat: 2
│ ├ CVSS ─ redhat ╭ V3Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/
│ │ │ A:N
│ │ ╰ V3Score : 5.3
│ ├ References ╭ [0]: https://access.redhat.com/security/cve/CVE-2025-22866
│ │ ├ [1]: https://go.dev/cl/643735
│ │ ├ [2]: https://go.dev/issue/71383
│ │ ├ [3]: https://groups.google.com/g/golang-announce/c/xU1ZCHUZw3k
│ │ ├ [4]: https://nvd.nist.gov/vuln/detail/CVE-2025-22866
│ │ ├ [5]: https://pkg.go.dev/vuln/GO-2025-3447
│ │ ╰ [6]: https://www.cve.org/CVERecord?id=CVE-2025-22866
│ ├ PublishedDate : 2025-02-06T17:15:21.41Z
│ ╰ LastModifiedDate: 2025-02-10T21:15:22.477Z
├ [5] ╭ Target : usr/bin/docker
│ ├ Class : lang-pkgs
│ ├ Type : gobinary
│ ╰ Vulnerabilities ─ [0] ╭ VulnerabilityID : CVE-2025-22866
│ ├ PkgID : stdlib@v1.23.5
│ ├ PkgName : stdlib
│ ├ PkgIdentifier ╭ PURL: pkg:golang/stdlib@v1.23.5
│ │ ╰ UID : 568c622a46849cac
│ ├ InstalledVersion: v1.23.5
│ ├ FixedVersion : 1.22.12, 1.23.6, 1.24.0-rc.3
│ ├ Status : fixed
│ ├ Layer ╭ Digest: sha256:67745f33db87269d29b3cec8a6ee9ff37466af991b8e3
│ │ │ fe935202ee09b74937d
│ │ ╰ DiffID: sha256:a56dd5b884f421b1a1ddd57dafd3f97b066e4a94b0eea
│ │ 885bee677ce5feea9ac
│ ├ PrimaryURL : https://avd.aquasec.com/nvd/cve-2025-22866
│ ├ DataSource ╭ ID : govulndb
│ │ ├ Name: The Go Vulnerability Database
│ │ ╰ URL : https://pkg.go.dev/vuln/
│ ├ Title : crypto/internal/nistec: golang: Timing sidechannel for P-256
│ │ on ppc64le in crypto/internal/nistec
│ ├ Description : Due to the usage of a variable time instruction in the
│ │ assembly implementation of an internal function, a small
│ │ number of bits of secret scalars are leaked on the ppc64le
│ │ architecture. Due to the way this function is used, we do not
│ │ believe this leakage is enough to allow recovery of the
│ │ private key when P-256 is used in any well known protocols.
│ ├ Severity : MEDIUM
│ ├ VendorSeverity ─ redhat: 2
│ ├ CVSS ─ redhat ╭ V3Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/
│ │ │ A:N
│ │ ╰ V3Score : 5.3
│ ├ References ╭ [0]: https://access.redhat.com/security/cve/CVE-2025-22866
│ │ ├ [1]: https://go.dev/cl/643735
│ │ ├ [2]: https://go.dev/issue/71383
│ │ ├ [3]: https://groups.google.com/g/golang-announce/c/xU1ZCHUZw3k
│ │ ├ [4]: https://nvd.nist.gov/vuln/detail/CVE-2025-22866
│ │ ├ [5]: https://pkg.go.dev/vuln/GO-2025-3447
│ │ ╰ [6]: https://www.cve.org/CVERecord?id=CVE-2025-22866
│ ├ PublishedDate : 2025-02-06T17:15:21.41Z
│ ╰ LastModifiedDate: 2025-02-10T21:15:22.477Z
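Each stdlib finding lists one FixedVersion per supported release branch (for example 1.22.12, 1.23.6, 1.24.0-rc.3), and several CVEs against the same binary name different fixes, so the version to rebuild with is the highest same-branch fix across all of them: usr/bin/crictl's v1.23.3 needs 1.23.6, not the 1.23.5 named by two of its three findings. The Go program below is an added triage helper, not part of Trivy or of the scanned image. The selection policy (prefer the installed major.minor branch, otherwise the lowest newer fix) is ours, the version strings are taken from the rows above, and the function names are ours. A Go binary only picks up a stdlib fix when it is rebuilt with the patched toolchain; the "installed" version is the toolchain recorded in the binary, which `go version -m <binary>` also shows.

```go
package main

import (
	"fmt"
	"strings"
)

// version is a Go toolchain or module version as Trivy prints it:
// "v1.23.5", "1.22.12" or "1.24.0-rc.3".
type version struct {
	major, minor, patch int
	pre                 string // "rc.3" for a pre-release, "" for a release
}

func parseVersion(s string) (version, error) {
	var v version
	s = strings.TrimPrefix(strings.TrimSpace(s), "v")
	if i := strings.IndexByte(s, '-'); i >= 0 {
		v.pre, s = s[i+1:], s[:i]
	}
	// Accept "major.minor" or "major.minor.patch"; text after the third
	// number is not checked, which is fine for the values Trivy emits.
	if n, err := fmt.Sscanf(s, "%d.%d.%d", &v.major, &v.minor, &v.patch); n < 2 {
		return version{}, fmt.Errorf("unrecognised version %q: %v", s, err)
	}
	return v, nil
}

func (a version) sameBranch(b version) bool { return a.major == b.major && a.minor == b.minor }

// less orders versions numerically. A pre-release sorts before the release
// with the same numbers; two pre-releases compare as strings, which is
// enough for the single-digit "rc.N" tags in the report.
func (a version) less(b version) bool {
	switch {
	case a.major != b.major:
		return a.major < b.major
	case a.minor != b.minor:
		return a.minor < b.minor
	case a.patch != b.patch:
		return a.patch < b.patch
	case a.pre != "" && b.pre != "":
		return a.pre < b.pre
	}
	return a.pre != "" && b.pre == ""
}

// pickOne maps one FixedVersion list to the upgrade target for inst. The
// policy is ours, not Trivy's: the fix on inst's own major.minor branch if
// there is one, otherwise the lowest fixed version newer than inst. An
// empty target means inst already carries the fix for its branch.
func pickOne(inst version, fixedList string) (string, version, error) {
	if strings.TrimSpace(fixedList) == "" {
		return "", version{}, fmt.Errorf("no fixed version published (Status: affected)")
	}
	best, bestV := "", version{}
	for _, f := range strings.Split(fixedList, ",") {
		fv, err := parseVersion(f)
		if err != nil {
			return "", version{}, err
		}
		f = strings.TrimSpace(f)
		switch {
		case fv.sameBranch(inst) && inst.less(fv):
			return f, fv, nil
		case fv.sameBranch(inst):
			return "", version{}, nil // at or past the fix on this branch
		case inst.less(fv) && (best == "" || fv.less(bestV)):
			best, bestV = f, fv
		}
	}
	return best, bestV, nil
}

// pickFix takes one package's InstalledVersion and the FixedVersion lists
// of every CVE reported against it, and returns the single version that
// clears all of them (the highest per-CVE target), or "" if none applies.
func pickFix(installed string, fixedLists ...string) (string, error) {
	inst, err := parseVersion(installed)
	if err != nil {
		return "", err
	}
	best, bestV := "", version{}
	for _, list := range fixedLists {
		t, tv, err := pickOne(inst, list)
		if err != nil {
			return "", fmt.Errorf("%s: %w", installed, err)
		}
		if t != "" && (best == "" || bestV.less(tv)) {
			best, bestV = t, tv
		}
	}
	return best, nil
}

func main() {
	// The three stdlib rows for usr/bin/crictl from the report above.
	target, err := pickFix("v1.23.3",
		"1.22.11, 1.23.5, 1.24.0-rc.2", "1.22.11, 1.23.5, 1.24.0-rc.2", "1.22.12, 1.23.6, 1.24.0-rc.3")
	fmt.Println("usr/bin/crictl stdlib ->", target, err) // 1.23.6 <nil>
}
```

An empty FixedVersion (the Netty CVE-2025-25193 row, Status affected) is reported as an error rather than as "nothing to do", so it cannot be mistaken for an already-patched package.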
├ [6] ╭ Target : usr/bin/helm
│ ├ Class : lang-pkgs
│ ├ Type : gobinary
│ ╰ Vulnerabilities ╭ [0] ╭ VulnerabilityID : CVE-2024-45336
│ │ ├ PkgID : stdlib@v1.23.4
│ │ ├ PkgName : stdlib
│ │ ├ PkgIdentifier ╭ PURL: pkg:golang/stdlib@v1.23.4
│ │ │ ╰ UID : ad4de8aeb2324474
│ │ ├ InstalledVersion: v1.23.4
│ │ ├ FixedVersion : 1.22.11, 1.23.5, 1.24.0-rc.2
│ │ ├ Status : fixed
│ │ ├ Layer ╭ Digest: sha256:67745f33db87269d29b3cec8a6ee9ff37466af991b8e3
│ │ │ │ fe935202ee09b74937d
│ │ │ ╰ DiffID: sha256:a56dd5b884f421b1a1ddd57dafd3f97b066e4a94b0eea
│ │ │ 885bee677ce5feea9ac
│ │ ├ PrimaryURL : https://avd.aquasec.com/nvd/cve-2024-45336
│ │ ├ DataSource ╭ ID : govulndb
│ │ │ ├ Name: The Go Vulnerability Database
│ │ │ ╰ URL : https://pkg.go.dev/vuln/
│ │ ├ Title : golang: net/http: net/http: sensitive headers incorrectly
│ │ │ sent after cross-domain redirect
│ │ ├ Description : The HTTP client drops sensitive headers after following a
│ │ │ cross-domain redirect. For example, a request to a.com/
│ │ │ containing an Authorization header which is redirected to
│ │ │ b.com/ will not send that header to b.com. In the event that
│ │ │ the client received a subsequent same-domain redirect,
│ │ │ however, the sensitive headers would be restored. For
│ │ │ example, a chain of redirects from a.com/, to b.com/1, and
│ │ │ finally to b.com/2 would incorrectly send the Authorization
│ │ │ header to b.com/2.
│ │ ├ Severity : MEDIUM
│ │ ├ VendorSeverity ╭ bitnami: 2
│ │ │ ╰ redhat : 2
│ │ ├ CVSS ╭ bitnami ╭ V3Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L
│ │ │ │ │ /A:N
│ │ │ │ ╰ V3Score : 6.1
│ │ │ ╰ redhat ╭ V3Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N
│ │ │ │ /A:N
│ │ │ ╰ V3Score : 5.9
│ │ ├ References ╭ [0]: https://access.redhat.com/security/cve/CVE-2024-45336
│ │ │ ├ [1]: https://go.dev/cl/643100
│ │ │ ├ [2]: https://go.dev/issue/70530
│ │ │ ├ [3]: https://groups.google.com/g/golang-dev/c/CAWXhan3Jww/m/
│ │ │ │ bk9LAa-lCgAJ
│ │ │ ├ [4]: https://groups.google.com/g/golang-dev/c/bG8cv1muIBM/m/
│ │ │ │ G461hA6lCgAJ
│ │ │ ├ [5]: https://nvd.nist.gov/vuln/detail/CVE-2024-45336
│ │ │ ├ [6]: https://pkg.go.dev/vuln/GO-2025-3420
│ │ │ ╰ [7]: https://www.cve.org/CVERecord?id=CVE-2024-45336
│ │ ├ PublishedDate : 2025-01-28T02:15:28.807Z
│ │ ╰ LastModifiedDate: 2025-01-28T16:15:38.22Z
│ ├ [1] ╭ VulnerabilityID : CVE-2024-45341
│ │ ├ PkgID : stdlib@v1.23.4
│ │ ├ PkgName : stdlib
│ │ ├ PkgIdentifier ╭ PURL: pkg:golang/stdlib@v1.23.4
│ │ │ ╰ UID : ad4de8aeb2324474
│ │ ├ InstalledVersion: v1.23.4
│ │ ├ FixedVersion : 1.22.11, 1.23.5, 1.24.0-rc.2
│ │ ├ Status : fixed
│ │ ├ Layer ╭ Digest: sha256:67745f33db87269d29b3cec8a6ee9ff37466af991b8e3
│ │ │ │ fe935202ee09b74937d
│ │ │ ╰ DiffID: sha256:a56dd5b884f421b1a1ddd57dafd3f97b066e4a94b0eea
│ │ │ 885bee677ce5feea9ac
│ │ ├ PrimaryURL : https://avd.aquasec.com/nvd/cve-2024-45341
│ │ ├ DataSource ╭ ID : govulndb
│ │ │ ├ Name: The Go Vulnerability Database
│ │ │ ╰ URL : https://pkg.go.dev/vuln/
│ │ ├ Title : golang: crypto/x509: crypto/x509: usage of IPv6 zone IDs can
│ │ │ bypass URI name constraints
│ │ ├ Description : A certificate with a URI which has an IPv6 address with a zone
│ │ │ ID may incorrectly satisfy a URI name constraint that
│ │ │ applies to the certificate chain. Certificates containing
│ │ │ URIs are not permitted in the web PKI, so this only affects
│ │ │ users of private PKIs which make use of URIs.
│ │ ├ Severity : MEDIUM
│ │ ├ VendorSeverity ╭ bitnami : 2
│ │ │ ├ cbl-mariner: 2
│ │ │ ╰ redhat : 1
│ │ ├ CVSS ╭ bitnami ╭ V3Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L
│ │ │ │ │ /A:N
│ │ │ │ ╰ V3Score : 6.1
│ │ │ ╰ redhat ╭ V3Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L
│ │ │ │ /A:N
│ │ │ ╰ V3Score : 4.2
│ │ ├ References ╭ [0]: https://access.redhat.com/security/cve/CVE-2024-45341
│ │ │ ├ [1]: https://go.dev/cl/643099
│ │ │ ├ [2]: https://go.dev/issue/71156
│ │ │ ├ [3]: https://groups.google.com/g/golang-dev/c/CAWXhan3Jww/m/
│ │ │ │ bk9LAa-lCgAJ
│ │ │ ├ [4]: https://groups.google.com/g/golang-dev/c/bG8cv1muIBM/m/
│ │ │ │ G461hA6lCgAJ
│ │ │ ├ [5]: https://nvd.nist.gov/vuln/detail/CVE-2024-45341
│ │ │ ├ [6]: https://pkg.go.dev/vuln/GO-2025-3373
│ │ │ ╰ [7]: https://www.cve.org/CVERecord?id=CVE-2024-45341
│ │ ├ PublishedDate : 2025-01-28T02:15:29.147Z
│ │ ╰ LastModifiedDate: 2025-01-28T16:15:38.65Z
│ ╰ [2] ╭ VulnerabilityID : CVE-2025-22866
│ ├ PkgID : stdlib@v1.23.4
│ ├ PkgName : stdlib
│ ├ PkgIdentifier ╭ PURL: pkg:golang/stdlib@v1.23.4
│ │ ╰ UID : ad4de8aeb2324474
│ ├ InstalledVersion: v1.23.4
│ ├ FixedVersion : 1.22.12, 1.23.6, 1.24.0-rc.3
│ ├ Status : fixed
│ ├ Layer ╭ Digest: sha256:67745f33db87269d29b3cec8a6ee9ff37466af991b8e3
│ │ │ fe935202ee09b74937d
│ │ ╰ DiffID: sha256:a56dd5b884f421b1a1ddd57dafd3f97b066e4a94b0eea
│ │ 885bee677ce5feea9ac
│ ├ PrimaryURL : https://avd.aquasec.com/nvd/cve-2025-22866
│ ├ DataSource ╭ ID : govulndb
│ │ ├ Name: The Go Vulnerability Database
│ │ ╰ URL : https://pkg.go.dev/vuln/
│ ├ Title : crypto/internal/nistec: golang: Timing sidechannel for P-256
│ │ on ppc64le in crypto/internal/nistec
│ ├ Description : Due to the usage of a variable time instruction in the
│ │ assembly implementation of an internal function, a small
│ │ number of bits of secret scalars are leaked on the ppc64le
│ │ architecture. Due to the way this function is used, we do not
│ │ believe this leakage is enough to allow recovery of the
│ │ private key when P-256 is used in any well known protocols.
│ ├ Severity : MEDIUM
│ ├ VendorSeverity ─ redhat: 2
│ ├ CVSS ─ redhat ╭ V3Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/
│ │ │ A:N
│ │ ╰ V3Score : 5.3
│ ├ References ╭ [0]: https://access.redhat.com/security/cve/CVE-2025-22866
│ │ ├ [1]: https://go.dev/cl/643735
│ │ ├ [2]: https://go.dev/issue/71383
│ │ ├ [3]: https://groups.google.com/g/golang-announce/c/xU1ZCHUZw3k
│ │ ├ [4]: https://nvd.nist.gov/vuln/detail/CVE-2025-22866
│ │ ├ [5]: https://pkg.go.dev/vuln/GO-2025-3447
│ │ ╰ [6]: https://www.cve.org/CVERecord?id=CVE-2025-22866
│ ├ PublishedDate : 2025-02-06T17:15:21.41Z
│ ╰ LastModifiedDate: 2025-02-10T21:15:22.477Z
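The CVE-2024-45341 entries (usr/bin/crictl above, usr/bin/helm here, usr/bin/nerdctl below) say that an IPv6 zone ID in a URI subject alternative name can satisfy a URI name constraint. The Go program below is an added example, not the scanned image's code or the crypto/x509 source: it reimplements the constraint check in miniature to show why the zone matters. The URI https://[fe80::1%25.example.com]:443/ is a constructed input (%25 is the URI encoding of '%'); after port stripping its host is fe80::1%.example.com, which net.ParseIP does not recognise as an address because it rejects zones, so the old check let it fall through to the domain suffix match, where the zone text ".example.com" satisfies a constraint of example.com. netip.ParseAddr does understand zones, so the corrected path rejects the host as an IP address, which RFC 5280 URI constraints never permit. Function names are ours.

```go
package main

import (
	"fmt"
	"net"
	"net/netip"
	"net/url"
	"strings"
)

// matchDomainConstraint compares a host against an RFC 5280 name constraint
// label by label from the right; a leading "." requires at least one extra
// label. Modelled on crypto/x509 for illustration; not the stdlib code.
func matchDomainConstraint(host, constraint string) bool {
	if constraint == "" {
		return true
	}
	mustHaveSubdomains := false
	if constraint[0] == '.' {
		mustHaveSubdomains, constraint = true, constraint[1:]
	}
	hl, cl := strings.Split(host, "."), strings.Split(constraint, ".")
	if len(hl) < len(cl) || (mustHaveSubdomains && len(hl) == len(cl)) {
		return false
	}
	for i := 1; i <= len(cl); i++ {
		if !strings.EqualFold(hl[len(hl)-i], cl[len(cl)-i]) {
			return false
		}
	}
	return true
}

// matchURIConstraint checks the host of a URI subject alternative name
// against a URI name constraint. RFC 5280 constraints apply to domain
// names only, so a host that is an IP address must be rejected outright.
//
// vulnerable=true recognises IPs with net.ParseIP, which does not accept an
// IPv6 zone ("fe80::1%zone"); such a host is then treated as a domain name
// and falls through to the suffix match (CVE-2024-45341).
// vulnerable=false uses netip.ParseAddr, which accepts zones, as the fix
// in the FixedVersion row (Go 1.23.5 / 1.22.11) does.
func matchURIConstraint(rawURI, constraint string, vulnerable bool) (bool, error) {
	u, err := url.Parse(rawURI)
	if err != nil {
		return false, err
	}
	host := u.Host
	if host == "" {
		return false, fmt.Errorf("URI with empty host (%q) cannot be matched against constraints", rawURI)
	}
	// Drop an explicit port. For a bracketed IPv6 literal this also strips
	// the brackets: "[fe80::1%.example.com]:443" becomes "fe80::1%.example.com".
	if strings.Contains(host, ":") && !strings.HasSuffix(host, "]") {
		if host, _, err = net.SplitHostPort(host); err != nil {
			return false, err
		}
	}
	var isIP bool
	if vulnerable {
		isIP = net.ParseIP(host) != nil
	} else {
		_, perr := netip.ParseAddr(host)
		isIP = perr == nil
	}
	if isIP || (strings.HasPrefix(host, "[") && strings.HasSuffix(host, "]")) {
		return false, fmt.Errorf("URI with IP (%q) cannot be matched against constraints", rawURI)
	}
	return matchDomainConstraint(host, constraint), nil
}

func main() {
	// Constructed inputs: the zone ID ".example.com" makes the IPv6 literal
	// end in the permitted suffix once the brackets and port are gone.
	uri, constraint := "https://[fe80::1%25.example.com]:443/", "example.com"
	for _, vulnerable := range []bool{true, false} {
		ok, err := matchURIConstraint(uri, constraint, vulnerable)
		fmt.Printf("vulnerable=%-5v permitted=%-5v err=%v\n", vulnerable, ok, err)
	}
}
```

The advisory's scope note applies: the web PKI forbids URI SANs, so only private PKIs that issue URI names and rely on URI name constraints in their CA certificates are exposed.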
├ [7] ╭ Target : usr/bin/nerdctl
│ ├ Class : lang-pkgs
│ ├ Type : gobinary
│ ╰ Vulnerabilities ╭ [0] ╭ VulnerabilityID : CVE-2024-45336
│ │ ├ PkgID : stdlib@v1.23.4
│ │ ├ PkgName : stdlib
│ │ ├ PkgIdentifier ╭ PURL: pkg:golang/stdlib@v1.23.4
│ │ │ ╰ UID : a2477af159b4ca1b
│ │ ├ InstalledVersion: v1.23.4
│ │ ├ FixedVersion : 1.22.11, 1.23.5, 1.24.0-rc.2
│ │ ├ Status : fixed
│ │ ├ Layer ╭ Digest: sha256:67745f33db87269d29b3cec8a6ee9ff37466af991b8e3
│ │ │ │ fe935202ee09b74937d
│ │ │ ╰ DiffID: sha256:a56dd5b884f421b1a1ddd57dafd3f97b066e4a94b0eea
│ │ │ 885bee677ce5feea9ac
│ │ ├ PrimaryURL : https://avd.aquasec.com/nvd/cve-2024-45336
│ │ ├ DataSource ╭ ID : govulndb
│ │ │ ├ Name: The Go Vulnerability Database
│ │ │ ╰ URL : https://pkg.go.dev/vuln/
│ │ ├ Title : golang: net/http: net/http: sensitive headers incorrectly
│ │ │ sent after cross-domain redirect
│ │ ├ Description : The HTTP client drops sensitive headers after following a
│ │ │ cross-domain redirect. For example, a request to a.com/
│ │ │ containing an Authorization header which is redirected to
│ │ │ b.com/ will not send that header to b.com. In the event that
│ │ │ the client received a subsequent same-domain redirect,
│ │ │ however, the sensitive headers would be restored. For
│ │ │ example, a chain of redirects from a.com/, to b.com/1, and
│ │ │ finally to b.com/2 would incorrectly send the Authorization
│ │ │ header to b.com/2.
│ │ ├ Severity : MEDIUM
│ │ ├ VendorSeverity ╭ bitnami: 2
│ │ │ ╰ redhat : 2
│ │ ├ CVSS ╭ bitnami ╭ V3Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L
│ │ │ │ │ /A:N
│ │ │ │ ╰ V3Score : 6.1
│ │ │ ╰ redhat ╭ V3Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N
│ │ │ │ /A:N
│ │ │ ╰ V3Score : 5.9
│ │ ├ References ╭ [0]: https://access.redhat.com/security/cve/CVE-2024-45336
│ │ │ ├ [1]: https://go.dev/cl/643100
│ │ │ ├ [2]: https://go.dev/issue/70530
│ │ │ ├ [3]: https://groups.google.com/g/golang-dev/c/CAWXhan3Jww/m/
│ │ │ │ bk9LAa-lCgAJ
│ │ │ ├ [4]: https://groups.google.com/g/golang-dev/c/bG8cv1muIBM/m/
│ │ │ │ G461hA6lCgAJ
│ │ │ ├ [5]: https://nvd.nist.gov/vuln/detail/CVE-2024-45336
│ │ │ ├ [6]: https://pkg.go.dev/vuln/GO-2025-3420
│ │ │ ╰ [7]: https://www.cve.org/CVERecord?id=CVE-2024-45336
│ │ ├ PublishedDate : 2025-01-28T02:15:28.807Z
│ │ ╰ LastModifiedDate: 2025-01-28T16:15:38.22Z
│ ├ [1] ╭ VulnerabilityID : CVE-2024-45341
│ │ ├ PkgID : stdlib@v1.23.4
│ │ ├ PkgName : stdlib
│ │ ├ PkgIdentifier ╭ PURL: pkg:golang/stdlib@v1.23.4
│ │ │ ╰ UID : a2477af159b4ca1b
│ │ ├ InstalledVersion: v1.23.4
│ │ ├ FixedVersion : 1.22.11, 1.23.5, 1.24.0-rc.2
│ │ ├ Status : fixed
│ │ ├ Layer ╭ Digest: sha256:67745f33db87269d29b3cec8a6ee9ff37466af991b8e3
│ │ │ │ fe935202ee09b74937d
│ │ │ ╰ DiffID: sha256:a56dd5b884f421b1a1ddd57dafd3f97b066e4a94b0eea
│ │ │ 885bee677ce5feea9ac
│ │ ├ PrimaryURL : https://avd.aquasec.com/nvd/cve-2024-45341
│ │ ├ DataSource ╭ ID : govulndb
│ │ │ ├ Name: The Go Vulnerability Database
│ │ │ ╰ URL : https://pkg.go.dev/vuln/
│ │ ├ Title : golang: crypto/x509: crypto/x509: usage of IPv6 zone IDs can
│ │ │ bypass URI name constraints
│ │ ├ Description : A certificate with a URI which has an IPv6 address with a zone
│ │ │ ID may incorrectly satisfy a URI name constraint that
│ │ │ applies to the certificate chain. Certificates containing
│ │ │ URIs are not permitted in the web PKI, so this only affects
│ │ │ users of private PKIs which make use of URIs.
│ │ ├ Severity : MEDIUM
│ │ ├ VendorSeverity ╭ bitnami : 2
│ │ │ ├ cbl-mariner: 2
│ │ │ ╰ redhat : 1
│ │ ├ CVSS ╭ bitnami ╭ V3Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L
│ │ │ │ │ /A:N
│ │ │ │ ╰ V3Score : 6.1
│ │ │ ╰ redhat ╭ V3Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L
│ │ │ │ /A:N
│ │ │ ╰ V3Score : 4.2
│ │ ├ References ╭ [0]: https://access.redhat.com/security/cve/CVE-2024-45341
│ │ │ ├ [1]: https://go.dev/cl/643099
│ │ │ ├ [2]: https://go.dev/issue/71156
│ │ │ ├ [3]: https://groups.google.com/g/golang-dev/c/CAWXhan3Jww/m/
│ │ │ │ bk9LAa-lCgAJ
│ │ │ ├ [4]: https://groups.google.com/g/golang-dev/c/bG8cv1muIBM/m/
│ │ │ │ G461hA6lCgAJ
│ │ │ ├ [5]: https://nvd.nist.gov/vuln/detail/CVE-2024-45341
│ │ │ ├ [6]: https://pkg.go.dev/vuln/GO-2025-3373
│ │ │ ╰ [7]: https://www.cve.org/CVERecord?id=CVE-2024-45341
│ │ ├ PublishedDate : 2025-01-28T02:15:29.147Z
│ │ ╰ LastModifiedDate: 2025-01-28T16:15:38.65Z
│ ╰ [2] ╭ VulnerabilityID : CVE-2025-22866
│ ├ PkgID : stdlib@v1.23.4
│ ├ PkgName : stdlib
│ ├ PkgIdentifier ╭ PURL: pkg:golang/stdlib@v1.23.4
│ │ ╰ UID : a2477af159b4ca1b
│ ├ InstalledVersion: v1.23.4
│ ├ FixedVersion : 1.22.12, 1.23.6, 1.24.0-rc.3
│ ├ Status : fixed
│ ├ Layer ╭ Digest: sha256:67745f33db87269d29b3cec8a6ee9ff37466af991b8e3
│ │ │ fe935202ee09b74937d
│ │ ╰ DiffID: sha256:a56dd5b884f421b1a1ddd57dafd3f97b066e4a94b0eea
│ │ 885bee677ce5feea9ac
│ ├ PrimaryURL : https://avd.aquasec.com/nvd/cve-2025-22866
│ ├ DataSource ╭ ID : govulndb
│ │ ├ Name: The Go Vulnerability Database
│ │ ╰ URL : https://pkg.go.dev/vuln/
│ ├ Title : crypto/internal/nistec: golang: Timing sidechannel for P-256
│ │ on ppc64le in crypto/internal/nistec
│ ├ Description : Due to the usage of a variable time instruction in the
│ │ assembly implementation of an internal function, a small
│ │ number of bits of secret scalars are leaked on the ppc64le
│ │ architecture. Due to the way this function is used, we do not
│ │ believe this leakage is enough to allow recovery of the
│ │ private key when P-256 is used in any well known protocols.
│ ├ Severity : MEDIUM
│ ├ VendorSeverity ─ redhat: 2
│ ├ CVSS ─ redhat ╭ V3Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/
│ │ │ A:N
│ │ ╰ V3Score : 5.3
│ ├ References ╭ [0]: https://access.redhat.com/security/cve/CVE-2025-22866
│ │ ├ [1]: https://go.dev/cl/643735
│ │ ├ [2]: https://go.dev/issue/71383
│ │ ├ [3]: https://groups.google.com/g/golang-announce/c/xU1ZCHUZw3k
│ │ ├ [4]: https://nvd.nist.gov/vuln/detail/CVE-2025-22866
│ │ ├ [5]: https://pkg.go.dev/vuln/GO-2025-3447
│ │ ╰ [6]: https://www.cve.org/CVERecord?id=CVE-2025-22866
│ ├ PublishedDate : 2025-02-06T17:15:21.41Z
│ ╰ LastModifiedDate: 2025-02-10T21:15:22.477Z
├ [8] ╭ Target : usr/bin/skopeo
│ ├ Class : lang-pkgs
│ ├ Type : gobinary
│ ╰ Vulnerabilities ╭ [0] ╭ VulnerabilityID : CVE-2024-45337
│ │ ├ PkgID : golang.org/x/crypto@v0.29.0
│ │ ├ PkgName : golang.org/x/crypto
│ │ ├ PkgIdentifier ╭ PURL: pkg:golang/golang.org/x/crypto@v0.29.0
│ │ │ ╰ UID : aea5ecac33e8922e
│ │ ├ InstalledVersion: v0.29.0
│ │ ├ FixedVersion : 0.31.0
│ │ ├ Status : fixed
│ │ ├ Layer ╭ Digest: sha256:67745f33db87269d29b3cec8a6ee9ff37466af991b8e3
│ │ │ │ fe935202ee09b74937d
│ │ │ ╰ DiffID: sha256:a56dd5b884f421b1a1ddd57dafd3f97b066e4a94b0eea
│ │ │ 885bee677ce5feea9ac
│ │ ├ SeveritySource : ghsa
│ │ ├ PrimaryURL : https://avd.aquasec.com/nvd/cve-2024-45337
│ │ ├ DataSource ╭ ID : ghsa
│ │ │ ├ Name: GitHub Security Advisory Go
│ │ │ ╰ URL : https://github.com/advisories?query=type%3Areviewed+ec
│ │ │ osystem%3Ago
│ │ ├ Title : golang.org/x/crypto/ssh: Misuse of
│ │ │ ServerConfig.PublicKeyCallback may cause authorization bypass
│ │ │ in golang.org/x/crypto
│ │ ├ Description : Applications and libraries which misuse the
│ │ │ ServerConfig.PublicKeyCallback callback may be susceptible to
│ │ │ an authorization bypass. The documentation for
│ │ │ ServerConfig.PublicKeyCallback says that "A call to this
│ │ │ function does not guarantee that the key offered is in fact
│ │ │ used to authenticate." Specifically, the SSH protocol allows
│ │ │ clients to inquire about whether a public key is acceptable
│ │ │ before proving control of the corresponding private key.
│ │ │ PublicKeyCallback may be called with multiple keys, and the
│ │ │ order in which the keys were provided cannot be used to infer
│ │ │ which key the client successfully authenticated with, if
│ │ │ any. Some applications, which store the key(s) passed to
│ │ │ PublicKeyCallback (or derived information) and make security
│ │ │ relevant determinations based on it once the connection is
│ │ │ established, may make incorrect assumptions. For example, an
│ │ │ attacker may send public keys A and B, and then authenticate
│ │ │ with A. PublicKeyCallback would be called only twice, first
│ │ │ with A and then with B. A vulnerable application may then
│ │ │ make authorization decisions based on key B for which the
│ │ │ attacker does not actually control the private key. Since
│ │ │ this API is widely misused, as a partial mitigation
│ │ │ golang.org/x/cry...@v0.31.0 enforces the property that, when
│ │ │ successfully authenticating via public key, the last key
│ │ │ passed to ServerConfig.PublicKeyCallback will be the key used
│ │ │ to authenticate the connection. PublicKeyCallback will now
│ │ │ be called multiple times with the same key, if necessary.
│ │ │ Note that the client may still not control the last key
│ │ │ passed to PublicKeyCallback if the connection is then
│ │ │ authenticated with a different method, such as
│ │ │ PasswordCallback, KeyboardInteractiveCallback, or
│ │ │ NoClientAuth. Users should be using the Extensions field of
│ │ │ the Permissions return value from the various authentication
│ │ │ callbacks to record data associated with the authentication
│ │ │ attempt instead of referencing external state. Once the
│ │ │ connection is established the state corresponding to the
│ │ │ successful authentication attempt can be retrieved via the
│ │ │ ServerConn.Permissions field. Note that some third-party
│ │ │ libraries misuse the Permissions type by sharing it across
│ │ │ authentication attempts; users of third-party libraries
│ │ │ should refer to the relevant projects for guidance.
│ │ ├ Severity : CRITICAL
│ │ ├ VendorSeverity ╭ amazon : 3
│ │ │ ├ azure : 4
│ │ │ ├ cbl-mariner: 4
│ │ │ ├ ghsa : 4
│ │ │ ╰ redhat : 3
│ │ ├ CVSS ╭ ghsa ╭ V3Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/
│ │ │ │ │ A:N
│ │ │ │ ╰ V3Score : 9.1
│ │ │ ╰ redhat ╭ V3Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/
│ │ │ │ A:N
│ │ │ ╰ V3Score : 8.2
│ │ ├ References ╭ [0] : http://www.openwall.com/lists/oss-security/2024/12/11/2
│ │ │ ├ [1] : https://access.redhat.com/security/cve/CVE-2024-45337
│ │ │ ├ [2] : https://github.com/golang/crypto
│ │ │ ├ [3] : https://github.com/golang/crypto/commit/b4f1988a35dee1
│ │ │ │ 1ec3e05d6bf3e90b695fbd8909
│ │ │ ├ [4] : https://go.dev/cl/635315
│ │ │ ├ [5] : https://go.dev/issue/70779
│ │ │ ├ [6] : https://groups.google.com/g/golang-announce/c/-nPEi39g
│ │ │ │ I4Q/m/cGVPJCqdAQAJ
│ │ │ ├ [7] : https://nvd.nist.gov/vuln/detail/CVE-2024-45337
│ │ │ ├ [8] : https://pkg.go.dev/vuln/GO-2024-3321
│ │ │ ├ [9] : https://security.netapp.com/advisory/ntap-20250131-0007
│ │ │ ├ [10]: https://security.netapp.com/advisory/ntap-20250131-0007/
│ │ │ ╰ [11]: https://www.cve.org/CVERecord?id=CVE-2024-45337
│ │ ├ PublishedDate : 2024-12-12T02:02:07.97Z
│ │ ╰ LastModifiedDate: 2025-01-31T15:15:13.19Z
│ ├ [1] ╭ VulnerabilityID : CVE-2024-45338
│ │ ├ PkgID : golang.org/x/net@v0.30.0
│ │ ├ PkgName : golang.org/x/net
│ │ ├ PkgIdentifier ╭ PURL: pkg:golang/golang.org/x/net@v0.30.0
│ │ │ ╰ UID : 784c3887fb930124
│ │ ├ InstalledVersion: v0.30.0
│ │ ├ FixedVersion : 0.33.0
│ │ ├ Status : fixed
│ │ ├ Layer ╭ Digest: sha256:67745f33db87269d29b3cec8a6ee9ff37466af991b8e3
│ │ │ │ fe935202ee09b74937d
│ │ │ ╰ DiffID: sha256:a56dd5b884f421b1a1ddd57dafd3f97b066e4a94b0eea
│ │ │ 885bee677ce5feea9ac
│ │ ├ SeveritySource : ghsa
│ │ ├ PrimaryURL : https://avd.aquasec.com/nvd/cve-2024-45338
│ │ ├ DataSource ╭ ID : ghsa
│ │ │ ├ Name: GitHub Security Advisory Go
│ │ │ ╰ URL : https://github.com/advisories?query=type%3Areviewed+ec
│ │ │ osystem%3Ago
│ │ ├ Title : golang.org/x/net/html: Non-linear parsing of case-insensitive
│ │ │ content in golang.org/x/net/html
│ │ ├ Description : An attacker can craft an input to the Parse functions that
│ │ │ would be processed non-linearly with respect to its length,
│ │ │ resulting in extremely slow parsing. This could cause a
│ │ │ denial of service.
│ │ ├ Severity : HIGH
│ │ ├ CweIDs ─ [0]: CWE-1333
│ │ ├ VendorSeverity ╭ amazon : 3
│ │ │ ├ azure : 3
│ │ │ ├ cbl-mariner: 3
│ │ │ ├ ghsa : 3
│ │ │ ├ redhat : 3
│ │ │ ╰ ubuntu : 2
│ │ ├ CVSS ─ redhat ╭ V3Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/
│ │ │ │ A:H
│ │ │ ╰ V3Score : 7.5
│ │ ├ References ╭ [0] : https://access.redhat.com/security/cve/CVE-2024-45338
│ │ │ ├ [1] : https://cs.opensource.google/go/x/net
│ │ │ ├ [2] : https://github.com/golang/go/issues/70906
│ │ │ ├ [3] : https://go-review.googlesource.com/c/net/+/637536
│ │ │ ├ [4] : https://go.dev/cl/637536
│ │ │ ├ [5] : https://go.dev/issue/70906
│ │ │ ├ [6] : https://groups.google.com/g/golang-announce/c/wSCRmFnN
│ │ │ │ mPA/m/Lvcd0mRMAwAJ
│ │ │ ├ [7] : https://nvd.nist.gov/vuln/detail/CVE-2024-45338
│ │ │ ├ [8] : https://pkg.go.dev/vuln/GO-2024-3333
│ │ │ ├ [9] : https://ubuntu.com/security/notices/USN-7197-1
│ │ │ ╰ [10]: https://www.cve.org/CVERecord?id=CVE-2024-45338
│ │ ├ PublishedDate : 2024-12-18T21:15:08.173Z
│ │ ╰ LastModifiedDate: 2024-12-31T20:16:06.603Z
│ ╰ [2] ╭ VulnerabilityID : CVE-2025-22866
│ ├ PkgID : stdlib@v1.23.5
│ ├ PkgName : stdlib
│ ├ PkgIdentifier ╭ PURL: pkg:golang/stdlib@v1.23.5
│ │ ╰ UID : 5c64c79833b98c81
│ ├ InstalledVersion: v1.23.5
│ ├ FixedVersion : 1.22.12, 1.23.6, 1.24.0-rc.3
│ ├ Status : fixed
│ ├ Layer ╭ Digest: sha256:67745f33db87269d29b3cec8a6ee9ff37466af991b8e3
│ │ │ fe935202ee09b74937d
│ │ ╰ DiffID: sha256:a56dd5b884f421b1a1ddd57dafd3f97b066e4a94b0eea
│ │ 885bee677ce5feea9ac
│ ├ PrimaryURL : https://avd.aquasec.com/nvd/cve-2025-22866
│ ├ DataSource ╭ ID : govulndb
│ │ ├ Name: The Go Vulnerability Database
│ │ ╰ URL : https://pkg.go.dev/vuln/
│ ├ Title : crypto/internal/nistec: golang: Timing sidechannel for P-256
│ │ on ppc64le in crypto/internal/nistec
│ ├ Description : Due to the usage of a variable time instruction in the
│ │ assembly implementation of an internal function, a small
│ │ number of bits of secret scalars are leaked on the ppc64le
│ │ architecture. Due to the way this function is used, we do not
│ │ believe this leakage is enough to allow recovery of the
│ │ private key when P-256 is used in any well known protocols.
│ ├ Severity : MEDIUM
│ ├ VendorSeverity ─ redhat: 2
│ ├ CVSS ─ redhat ╭ V3Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/
│ │ │ A:N
│ │ ╰ V3Score : 5.3
│ ├ References ╭ [0]: https://access.redhat.com/security/cve/CVE-2025-22866
│ │ ├ [1]: https://go.dev/cl/643735
│ │ ├ [2]: https://go.dev/issue/71383
│ │ ├ [3]: https://groups.google.com/g/golang-announce/c/xU1ZCHUZw3k
│ │ ├ [4]: https://nvd.nist.gov/vuln/detail/CVE-2025-22866
│ │ ├ [5]: https://pkg.go.dev/vuln/GO-2025-3447
│ │ ╰ [6]: https://www.cve.org/CVERecord?id=CVE-2025-22866
│ ├ PublishedDate : 2025-02-06T17:15:21.41Z
│ ╰ LastModifiedDate: 2025-02-10T21:15:22.477Z
╰ [9] ╭ Target : usr/bin/syft
├ Class : lang-pkgs
├ Type : gobinary
╰ Vulnerabilities ╭ [0] ╭ VulnerabilityID : CVE-2024-45336
│ ├ PkgID : stdlib@v1.23.4
│ ├ PkgName : stdlib
│ ├ PkgIdentifier ╭ PURL: pkg:golang/stdlib@v1.23.4
│ │ ╰ UID : 41c223d59c4dbf4f
│ ├ InstalledVersion: v1.23.4
│ ├ FixedVersion : 1.22.11, 1.23.5, 1.24.0-rc.2
│ ├ Status : fixed
│ ├ Layer ╭ Digest: sha256:67745f33db87269d29b3cec8a6ee9ff37466af991b8e3
│ │ │ fe935202ee09b74937d
│ │ ╰ DiffID: sha256:a56dd5b884f421b1a1ddd57dafd3f97b066e4a94b0eea
│ │ 885bee677ce5feea9ac
│ ├ PrimaryURL : https://avd.aquasec.com/nvd/cve-2024-45336
│ ├ DataSource ╭ ID : govulndb
│ │ ├ Name: The Go Vulnerability Database
│ │ ╰ URL : https://pkg.go.dev/vuln/
│ ├ Title : golang: net/http: net/http: sensitive headers incorrectly
│ │ sent after cross-domain redirect
│ ├ Description : The HTTP client drops sensitive headers after following a
│ │ cross-domain redirect. For example, a request to a.com/
│ │ containing an Authorization header which is redirected to
│ │ b.com/ will not send that header to b.com. In the event that
│ │ the client received a subsequent same-domain redirect,
│ │ however, the sensitive headers would be restored. For
│ │ example, a chain of redirects from a.com/, to b.com/1, and
│ │ finally to b.com/2 would incorrectly send the Authorization
│ │ header to b.com/2.
│ ├ Severity : MEDIUM
│ ├ VendorSeverity ╭ bitnami: 2
│ │ ╰ redhat : 2
│ ├ CVSS ╭ bitnami ╭ V3Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L
│ │ │ │ /A:N
│ │ │ ╰ V3Score : 6.1
│ │ ╰ redhat ╭ V3Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N
│ │ │ /A:N
│ │ ╰ V3Score : 5.9
│ ├ References ╭ [0]: https://access.redhat.com/security/cve/CVE-2024-45336
│ │ ├ [1]: https://go.dev/cl/643100
│ │ ├ [2]: https://go.dev/issue/70530
│ │ ├ [3]: https://groups.google.com/g/golang-dev/c/CAWXhan3Jww/m/
│ │ │ bk9LAa-lCgAJ
│ │ ├ [4]: https://groups.google.com/g/golang-dev/c/bG8cv1muIBM/m/
│ │ │ G461hA6lCgAJ
│ │ ├ [5]: https://nvd.nist.gov/vuln/detail/CVE-2024-45336
│ │ ├ [6]: https://pkg.go.dev/vuln/GO-2025-3420
│ │ ╰ [7]: https://www.cve.org/CVERecord?id=CVE-2024-45336
│ ├ PublishedDate : 2025-01-28T02:15:28.807Z
│ ╰ LastModifiedDate: 2025-01-28T16:15:38.22Z
├ [1] ╭ VulnerabilityID : CVE-2024-45341
│ ├ PkgID : stdlib@v1.23.4
│ ├ PkgName : stdlib
│ ├ PkgIdentifier ╭ PURL: pkg:golang/stdlib@v1.23.4
│ │ ╰ UID : 41c223d59c4dbf4f
│ ├ InstalledVersion: v1.23.4
│ ├ FixedVersion : 1.22.11, 1.23.5, 1.24.0-rc.2
│ ├ Status : fixed
│ ├ Layer ╭ Digest: sha256:67745f33db87269d29b3cec8a6ee9ff37466af991b8e3
│ │ │ fe935202ee09b74937d
│ │ ╰ DiffID: sha256:a56dd5b884f421b1a1ddd57dafd3f97b066e4a94b0eea
│ │ 885bee677ce5feea9ac
│ ├ PrimaryURL : https://avd.aquasec.com/nvd/cve-2024-45341
│ ├ DataSource ╭ ID : govulndb
│ │ ├ Name: The Go Vulnerability Database
│ │ ╰ URL : https://pkg.go.dev/vuln/
│ ├ Title : golang: crypto/x509: crypto/x509: usage of IPv6 zone IDs can
│ │ bypass URI name constraints
│ ├ Description : A certificate with a URI which has a IPv6 address with a zone
│ │ ID may incorrectly satisfy a URI name constraint that
│ │ applies to the certificate chain. Certificates containing
│ │ URIs are not permitted in the web PKI, so this only affects
│ │ users of private PKIs which make use of URIs.
│ ├ Severity : MEDIUM
│ ├ VendorSeverity ╭ bitnami : 2
│ │ ├ cbl-mariner: 2
│ │ ╰ redhat : 1
│ ├ CVSS ╭ bitnami ╭ V3Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L
│ │ │ │ /A:N
│ │ │ ╰ V3Score : 6.1
│ │ ╰ redhat ╭ V3Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L
│ │ │ /A:N
│ │ ╰ V3Score : 4.2
│ ├ References ╭ [0]: https://access.redhat.com/security/cve/CVE-2024-45341
│ │ ├ [1]: https://go.dev/cl/643099
│ │ ├ [2]: https://go.dev/issue/71156
│ │ ├ [3]: https://groups.google.com/g/golang-dev/c/CAWXhan3Jww/m/
│ │ │ bk9LAa-lCgAJ
│ │ ├ [4]: https://groups.google.com/g/golang-dev/c/bG8cv1muIBM/m/
│ │ │ G461hA6lCgAJ
│ │ ├ [5]: https://nvd.nist.gov/vuln/detail/CVE-2024-45341
│ │ ├ [6]: https://pkg.go.dev/vuln/GO-2025-3373
│ │ ╰ [7]: https://www.cve.org/CVERecord?id=CVE-2024-45341
│ ├ PublishedDate : 2025-01-28T02:15:29.147Z
│ ╰ LastModifiedDate: 2025-01-28T16:15:38.65Z
╰ [2] ╭ VulnerabilityID : CVE-2025-22866
├ PkgID : stdlib@v1.23.4
├ PkgName : stdlib
├ PkgIdentifier ╭ PURL: pkg:golang/stdlib@v1.23.4
│ ╰ UID : 41c223d59c4dbf4f
├ InstalledVersion: v1.23.4
├ FixedVersion : 1.22.12, 1.23.6, 1.24.0-rc.3
├ Status : fixed
├ Layer ╭ Digest: sha256:67745f33db87269d29b3cec8a6ee9ff37466af991b8e3
│ │ fe935202ee09b74937d
│ ╰ DiffID: sha256:a56dd5b884f421b1a1ddd57dafd3f97b066e4a94b0eea
│ 885bee677ce5feea9ac
├ PrimaryURL : https://avd.aquasec.com/nvd/cve-2025-22866
├ DataSource ╭ ID : govulndb
│ ├ Name: The Go Vulnerability Database
│ ╰ URL : https://pkg.go.dev/vuln/
├ Title : crypto/internal/nistec: golang: Timing sidechannel for P-256
│ on ppc64le in crypto/internal/nistec
├ Description : Due to the usage of a variable time instruction in the
│ assembly implementation of an internal function, a small
│ number of bits of secret scalars are leaked on the ppc64le
│ architecture. Due to the way this function is used, we do not
│ believe this leakage is enough to allow recovery of the
│ private key when P-256 is used in any well known protocols.
├ Severity : MEDIUM
├ VendorSeverity ─ redhat: 2
├ CVSS ─ redhat ╭ V3Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/
│ │ A:N
│ ╰ V3Score : 5.3
├ References ╭ [0]: https://access.redhat.com/security/cve/CVE-2025-22866
│ ├ [1]: https://go.dev/cl/643735
│ ├ [2]: https://go.dev/issue/71383
│ ├ [3]: https://groups.google.com/g/golang-announce/c/xU1ZCHUZw3k
│ ├ [4]: https://nvd.nist.gov/vuln/detail/CVE-2025-22866
│ ├ [5]: https://pkg.go.dev/vuln/GO-2025-3447
│ ╰ [6]: https://www.cve.org/CVERecord?id=CVE-2025-22866
├ PublishedDate : 2025-02-06T17:15:21.41Z
╰ LastModifiedDate: 2025-02-10T21:15:22.477Z