docs/snyk/master/ghcr.io_dexidp_dex_v2.45.0.html
critical severity
Exploit: Not Defined
Note: _Versions mentioned in the description apply only to the upstream zlib package and not the zlib package as distributed by Alpine._See How to fix? for Alpine:3.23 relevant fixed versions and status.
zlib versions up to and including 1.3.1.2 include a global buffer overflow in the untgz utility located under contrib/untgz. The vulnerability is limited to the standalone demonstration utility and does not affect the core zlib compression library. The flaw occurs when a user executes the untgz command with an excessively long archive name supplied via the command line, leading to an out-of-bounds write in a fixed-size global buffer.
Upgrade Alpine:3.23 zlib to version 1.3.2-r0 or higher.
high severity
Exploit: Not Defined
Affected versions of this package are vulnerable to Untrusted Search Path in resource detection code which executes ioreg, when the PATH environment variable is modified to include a malicious executable. An attacker can execute arbitrary code within the context of the application by placing a malicious binary earlier in the search path.
Note: This vulnerability is only exploitable on MacOS/Darwin systems.
Upgrade go.opentelemetry.io/otel/sdk/resource to version 1.40.0 or higher.
medium severity
Exploit: Not Defined
Note: _Versions mentioned in the description apply only to the upstream zlib package and not the zlib package as distributed by Alpine._See How to fix? for Alpine:3.23 relevant fixed versions and status.
zlib before 1.3.2 allows CPU consumption via crc32_combine64 and crc32_combine_gen64 because x2nmodp can do right shifts within a loop that has no termination condition.
Upgrade Alpine:3.23 zlib to version 1.3.2-r0 or higher.
medium severity
Exploit: Not Defined
golang.org/x/net/http2 is a work-in-progress HTTP/2 implementation for Go.
Affected versions of this package are vulnerable to Uncaught Exception due to missing nil check. An attacker can cause the server to panic and potentially disrupt service by sending specially crafted HTTP/2 frames with values between 0x0a and 0x0f.
Upgrade golang.org/x/net/http2 to version 0.51.0 or higher.
medium severity
MPL-2.0 license
medium severity
MPL-2.0 license
medium severity
MPL-2.0 license
medium severity
MPL-2.0 license
medium severity
MPL-2.0 license
medium severity
MPL-2.0 license
medium severity
MPL-2.0 license
medium severity
MPL-2.0 license
medium severity
MPL-2.0 license
medium severity
MPL-2.0 license
medium severity
MPL-2.0 license
medium severity
MPL-2.0 license
medium severity
MPL-2.0 license
medium severity
MPL-2.0 license
medium severity
MPL-2.0 license
medium severity
MPL-2.0 license
medium severity
MPL-2.0 license
medium severity
MPL-2.0 license
medium severity
MPL-2.0 license
medium severity
MPL-2.0 license
medium severity
MPL-2.0 license
medium severity
MPL-2.0 license
medium severity
Exploit: Not Defined
Affected versions of this package are vulnerable to Improper Validation of Integrity Check Value for .idx and .pack files. An attacker can cause the application to consume corrupted files, leading to unexpected errors, due to checksums not being checked in the loadIdxFile() function.
This vulnerability can be mitigated by running 'git fsck' from the git CLI to check for data corruption on a given repository.
Upgrade github.com/go-git/go-git/v5/storage/filesystem to version 5.16.5 or higher.