CVE-2025-30204 affecting package dcos-cli for versions less than 1.2.0-24
CVE-2025-30204 affecting package dcos-cli for versions less than 1.2.0-24. A patched version of the package is available...
GHSA-R2RV-8PP3-65XW spmrc vulnerable to prototype pollution
spmrc is a package that provides the rc manager for spm. A Prototype Pollution vulnerability in the set and config functions of spmrc version 1.2.0 and earlier allows attackers to inject properties on Object.prototype by supplying a crafted payload, causing denial of service (DoS) as the minimum...
AZL-60537 CVE-2025-22872 affecting package kubevirt for versions less than 1.2.0-17
The tokenizer incorrectly interprets tags with unquoted attribute values that end with a solidus character (/) as self-closing. When directly using Tokenizer, this can result in such tags incorrectly being marked as self-closing, and when using the Parse functions, this can result in content...
AZL-57369 CVE-2025-22869 affecting package kubevirt for versions less than 1.2.0-15
SSH servers which implement file transfer protocols are vulnerable to a denial of service attack from clients which complete the key exchange slowly, or not at all, causing pending content to be read into memory, but never transmitted...
AZL-54333 CVE-2024-45337 affecting package kubevirt for versions less than 1.2.0-11
Applications and libraries which misuse connection.serverAuthenticate via callback field ServerConfig.PublicKeyCallback may be susceptible to an authorization bypass. The documentation for ServerConfig.PublicKeyCallback says that "A call to this function does not guarantee that the key offered is...
AZL-35879 CVE-2024-28180 affecting package dcos-cli for versions less than 1.2.0-16
Package jose aims to provide an implementation of the Javascript Object Signing and Encryption set of standards. An attacker could send a JWE containing compressed data that used large amounts of memory and CPU when decompressed by Decrypt or DecryptMulti. Those functions now return an error if t...
AZL-34905 CVE-2024-21626 affecting package kubevirt for versions less than 1.2.0-1
runc is a CLI tool for spawning and running containers on Linux according to the OCI specification. In runc 1.1.11 and earlier, due to an internal file descriptor leak, an attacker could cause a newly-spawned container process from runc exec to have a working directory in the host filesystem...
AZL-34907 CVE-2023-3978 affecting package kubevirt for versions less than 1.2.0-1
Text nodes not in the HTML namespace are incorrectly rendered literally, so text that should be escaped is not. This could lead to an XSS attack...
AZL-34908 CVE-2022-41723 affecting package kubevirt for versions less than 1.2.0-1
A maliciously crafted HTTP/2 stream could cause excessive CPU consumption in the HPACK decoder, sufficient to cause a denial of service from a small number of small requests...