Vulnerability Reports

CVE-2024-10975, GHSA-2w5v-x29g-jw7j
Affects: github.com/hashicorp/nomad
Published: Nov 08, 2024
Unreviewed

Hashicorp Nomad Incorrect Authorization vulnerability in github.com/hashicorp/nomad

CVE-2024-45794, GHSA-q78v-cv36-8fxj
Affects: github.com/devtron-labs/devtron
Published: Nov 08, 2024
Unreviewed

Devtron has SQL Injection in CreateUser API in github.com/devtron-labs/devtron

CVE-2024-51735, GHSA-wvv7-wm5v-w2gv
Affects: github.com/j3ssie/osmedeus
Published: Nov 06, 2024
Unreviewed

Osmedeus Web Server Vulnerable to Stored XSS, Leading to RCE in github.com/j3ssie/osmedeus

CVE-2024-48057, GHSA-ghx4-cgxw-7h9p
Affects: github.com/mudler/LocalAI
Published: Nov 06, 2024
Unreviewed

LocalAI Cross-site Scripting vulnerability in github.com/mudler/LocalAI

CVE-2024-51746, GHSA-8pmp-678w-c8xx
Affects: github.com/sigstore/gitsign
Published: Nov 06, 2024
Unreviewed

gitsign may use incorrect Rekor entries during verification in github.com/sigstore/gitsign

CVE-2024-10389, GHSA-q3rp-vvm7-j8jg
Affects: github.com/google/safearchive
Published: Nov 06, 2024
Unreviewed

Safearchive Path Traversal vulnerability in github.com/google/safearchive

CVE-2024-51744, GHSA-29wx-vh33-7x7r
Affects: github.com/golang-jwt/jwt/v4
Published: Nov 12, 2024
Modified: Nov 12, 2024

Improper error handling in ParseWithClaims and bad documentation may cause dangerous situations in github.com/golang-jwt/jwt

CVE-2024-8185, GHSA-g233-2p4r-3q7v
Affects: github.com/hashicorp/vault
Published: Nov 01, 2024
Unreviewed

Hashicorp Vault vulnerable to denial of service through memory exhaustion in github.com/hashicorp/vault

CVE-2024-39720
Affects: github.com/ollama/ollama
Published: Nov 01, 2024
Unreviewed

CVE-2024-39720 in github.com/ollama/ollama

CVE-2024-50354, GHSA-cph5-3pgr-c82g
Affects: github.com/consensys/gnark
Published: Nov 01, 2024

Gnark out-of-memory during deserialization with crafted inputs in github.com/consensys/gnark

CVE-2024-10005, GHSA-chgm-7r52-whjj
Affects: github.com/hashicorp/consul
Published: Nov 04, 2024
Unreviewed

Hashicorp Consul Path Traversal vulnerability in github.com/hashicorp/consul

CVE-2024-10086, GHSA-99wr-c2px-grmh
Affects: github.com/hashicorp/consul
Published: Nov 04, 2024
Unreviewed

Hashicorp Consul Cross-site Scripting vulnerability in github.com/hashicorp/consul

CVE-2024-10006, GHSA-5c4w-8hhh-3c3h
Affects: github.com/hashicorp/consul
Published: Nov 04, 2024
Unreviewed

Hashicorp Consul Improper Neutralization of HTTP Headers for Scripting Syntax vulnerability in github.com/hashicorp/consul

CVE-2024-10452, GHSA-66c4-2g2v-54qw
Affects: github.com/grafana/grafana
Published: Nov 04, 2024
Unreviewed

Grafana org admin can delete pending invites in different org in github.com/grafana/grafana

CVE-2024-0132, GHSA-mjjw-553x-87pq
Affects: github.com/NVIDIA/nvidia-container-toolkit
Published: Nov 04, 2024
Unreviewed

NVIDIA Container Toolkit contains a Time-of-check Time-of-Use (TOCTOU) vulnerability in github.com/NVIDIA/nvidia-container-toolkit

CVE-2024-0133, GHSA-f748-7hpg-88ch
Affects: github.com/NVIDIA/nvidia-container-toolkit
Published: Nov 04, 2024
Unreviewed

NVIDIA Container Toolkit allows specially crafted container image to create empty files on the host file system in github.com/NVIDIA/nvidia-container-toolkit

CVE-2024-50052, GHSA-g376-m3h3-mj4r
Affects: github.com/mattermost/mattermost-server, github.com/mattermost/mattermost-server/v5, and 2 more
Published: Nov 04, 2024
Unreviewed

Mattermost server allows authenticated user to delete arbitrary post in github.com/mattermost/mattermost-server

CVE-2024-47401, GHSA-762v-rq7q-ff97
Affects: github.com/mattermost/mattermost-server, github.com/mattermost/mattermost-server/v5, and 2 more
Published: Nov 04, 2024
Unreviewed

Mattermost Server vulnerable to application crash from attacker-generated large response in github.com/mattermost/mattermost-server

CVE-2024-46872, GHSA-762g-9p7f-mrww
Affects: github.com/mattermost/mattermost-server, github.com/mattermost/mattermost-server/v5, and 2 more
Published: Nov 04, 2024
Unreviewed

Mattermost Server Path Traversal vulnerability that leads to Cross-Site Request Forgery in github.com/mattermost/mattermost-server

CVE-2024-10241, GHSA-6mvp-gh77-7vwh
Affects: github.com/mattermost/mattermost-server, github.com/mattermost/mattermost-server/v5, and 2 more
Published: Oct 30, 2024
Unreviewed

Mattermost Server allows user to get private channel names in github.com/mattermost/mattermost-server

CVE-2024-48921, GHSA-qjvc-p88j-j9rm
Affects: github.com/kyverno/kyverno
Published: Oct 30, 2024
Unreviewed

Kyverno's PolicyException objects can be created in any namespace by default in github.com/kyverno/kyverno

GHSA-wcx9-ccpj-hx3c
Affects: github.com/coder/coder, github.com/coder/coder/v2
Published: Oct 30, 2024
Unreviewed

Coder vulnerable to post-auth URL redirection to untrusted site ('Open Redirect') in github.com/coder/coder

CVE-2024-10214, GHSA-hm57-h27x-599c
Affects: github.com/mattermost/mattermost-server, github.com/mattermost/mattermost-server/v5, and 2 more
Published: Oct 30, 2024
Unreviewed

Mattermost incorrectly issues two sessions when using desktop SSO in github.com/mattermost/mattermost-server

CVE-2024-47827, GHSA-ghjw-32xw-ffwr
Affects: github.com/argoproj/argo-workflows, github.com/argoproj/argo-workflows/v2, and 1 more
Published: Oct 30, 2024
Unreviewed

Argo Workflows Controller: Denial of Service via malicious daemon Workflows in github.com/argoproj/argo-workflows

CVE-2024-39223, GHSA-8wxx-35qc-vp6r
Affects: github.com/ginuerzh/gost
Published: Oct 28, 2024
Unreviewed

Missing key verification in gost in github.com/ginuerzh/gost

CVE-2022-45157, GHSA-xj7w-r753-vj8v
Affects: github.com/rancher/rancher
Published: Oct 28, 2024
Unreviewed

Exposure of vSphere's CPI and CSI credentials in Rancher in github.com/rancher/rancher. NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions. (If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.) The additional affected modules and versions are: github.com/rancher/rancher from v2.7.0 before v2.8.9, from v2.9.0 before v2.9.3.

GHSA-x7xj-jvwp-97rv
Affects: github.com/rancher/rke2
Published: Oct 28, 2024
Unreviewed

RKE2 allows privilege escalation in Windows nodes due to Insecure Access Control Lists in github.com/rancher/rke2. NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions. (If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.) The additional affected modules and versions are: github.com/rancher/rke2 from v1.27.0 before v1.27.15, from v1.28.0 before v1.28.11, from v1.29.0 before v1.29.6, from v1.30.0 before v1.30.2.

CVE-2024-22036, GHSA-h99m-6755-rgwc
Affects: github.com/rancher/rancher
Published: Oct 28, 2024
Unreviewed

Rancher Remote Code Execution via Cluster/Node Drivers in github.com/rancher/rancher. NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions. (If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.) The additional affected modules and versions are: github.com/rancher/rancher from v2.7.0 before v2.7.16, from v2.8.0 before v2.8.9, from v2.9.0 before v2.9.3.

CVE-2023-32197, GHSA-7h8m-pvw3-5gh4
Affects: github.com/rancher/rancher
Published: Oct 28, 2024
Unreviewed

Rancher allows privilege escalation in Windows nodes due to Insecure Access Control Lists in github.com/rancher/rancher. NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions. (If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.) The additional affected modules and versions are: github.com/rancher/rancher from v2.7.0 before v2.8.9, from v2.9.0 before v2.9.3.

GHSA-7h65-4p22-39j6
Affects: github.com/crossplane/crossplane
Published: Oct 28, 2024
Unreviewed

github.com/crossplane/crossplane: Unexpected behavior from Is methods for IPv4-mapped IPv6 addresses

CVE-2024-49757, GHSA-3rmw-76m6-4gjc
Affects: github.com/zitadel/zitadel
Published: Oct 28, 2024
Unreviewed

User Registration Bypass in Zitadel in github.com/zitadel/zitadel. NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions. (If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.) The additional affected modules and versions are: github.com/zitadel/zitadel before v2.58.7, from v2.59.0 before v2.59.5, from v2.60.0 before v2.60.4, from v2.61.0 before v2.61.4, from v2.62.0 before v2.62.7, from v2.63.0 before v2.63.5.

CVE-2024-49753, GHSA-6cf5-w9h3-4rqv
Affects: github.com/zitadel/zitadel
Published: Oct 28, 2024
Unreviewed

Denied Host Validation Bypass in Zitadel Actions in github.com/zitadel/zitadel. NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions. (If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.) The additional affected modules and versions are: github.com/zitadel/zitadel before v2.58.7, from v2.59.0 before v2.59.5, from v2.60.0 before v2.60.4, from v2.61.0 before v2.61.4, from v2.62.0 before v2.62.8, from v2.63.0 before v2.63.6, from v2.64.0 before v2.64.1.

CVE-2024-9264, GHSA-q99m-qcv4-fpm7
Affects: github.com/grafana/grafana
Published: Oct 28, 2024
Unreviewed

Grafana Command Injection And Local File Inclusion Via Sql Expressions in github.com/grafana/grafana. NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions. (If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.) The additional affected modules and versions are: github.com/grafana/grafana from v11.0.0 before v11.0.6+security-01, from v11.1.0 before v11.1.7+security-01, from v11.2.0 before v11.2.2+security-01.

CVE-2024-49381
Affects: github.com/plentico/plenti
Published: Oct 28, 2024
Unreviewed

Plenti arbitrary file deletion vulnerability in github.com/plentico/plenti

CVE-2024-49380
Affects: github.com/plentico/plenti
Published: Oct 28, 2024
Unreviewed

Plenti arbitrary file write vulnerability in github.com/plentico/plenti

GHSA-rjfv-pjvx-mjgv
Affects: sigs.k8s.io/aws-load-balancer-controller
Published: Oct 28, 2024
Unreviewed

AWS Load Balancer Controller automatically detaches externally associated web ACL from Application Load Balancers in sigs.k8s.io/aws-load-balancer-controller. NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions. (If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.) The additional affected modules and versions are: sigs.k8s.io/aws-load-balancer-controller from v2.0.0 before v2.8.2.

CVE-2024-50312
Affects: github.com/openshift/console
Published: Oct 28, 2024
Unreviewed

Graphql: information disclosure via graphql introspection in openshift in github.com/openshift/console

CVE-2024-8901
Affects: github.com/awslabs/aws-alb-route-directive-adapter-for-istio
Published: Oct 28, 2024
Unreviewed

Lack of JWT issuer and signer validation in github.com/awslabs/aws-alb-route-directive-adapter-for-istio

CVE-2024-47825, GHSA-3wwx-63fv-pfq6
Affects: github.com/cilium/cilium
Published: Oct 28, 2024
Unreviewed

Cilium's CIDR deny policies may not take effect when a more narrow CIDR allow is present in github.com/cilium/cilium

GHSA-p5wf-cmr4-xrwr
Affects: github.com/facebookincubator/tacquito
Published: Oct 28, 2024
Unreviewed

Permissive Regular Expression in tacquito in github.com/facebookincubator/tacquito

CVE-2024-9594
Affects: github.com/kubernetes-sigs/image-builder
Published: Oct 17, 2024
Unreviewed

VM images built with Image Builder with some providers use default credentials during builds in github.com/kubernetes-sigs/image-builder

CVE-2024-9486
Affects: github.com/kubernetes-sigs/image-builder
Published: Oct 17, 2024
Unreviewed

VM images built with Image Builder and Proxmox provider use default credentials in github.com/kubernetes-sigs/image-builder

CVE-2023-22644
Affects: github.com/neuvector/neuvector
Published: Oct 15, 2024
Unreviewed

JWT token compromise can allow malicious actions including Remote Code Execution (RCE) in github.com/neuvector/neuvector

CVE-2024-48909, GHSA-3c32-4hq9-6wgj
Affects: github.com/authzed/spicedb
Published: Oct 15, 2024
Unreviewed

SpiceDB calls to LookupResources using LookupResources2 with caveats may return context is missing when it is not in github.com/authzed/spicedb

GHSA-vv6c-69r6-chg9
Affects: github.com/landlock-lsm/go-landlock
Published: Oct 15, 2024
Unreviewed

Go-Landlock in best-effort mode did not restrict TCP bind and connect operations correctly in github.com/landlock-lsm/go-landlock. NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions. (If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.) The additional affected modules and versions are: .

CVE-2024-47877, GHSA-8rm2-93mq-jqhc
Affects: github.com/codeclysm/extract, github.com/codeclysm/extract/v3, and 1 more
Published: Oct 15, 2024
Unreviewed

Extract has insufficient checks allowing attacker to create symlinks outside the extraction directory. in github.com/codeclysm/extract

CVE-2024-9180, GHSA-rr8j-7w34-xp5j
Affects: github.com/hashicorp/vault
Published: Oct 11, 2024
Unreviewed

Vault Community Edition privilege escalation vulnerability in github.com/hashicorp/vault

CVE-2024-47067, GHSA-8pph-gfhp-w226
Affects: github.com/alist-org/alist, github.com/alist-org/alist/v3
Published: Oct 11, 2024
Unreviewed

Alist reflected Cross-Site Scripting vulnerability in github.com/alist-org/alist

CVE-2024-38365, GHSA-27vh-h6mc-q6g8
Affects: github.com/btcsuite/btcd
Published: Oct 15, 2024
Modified: Oct 17, 2024

The btcd Bitcoin client (versions 0.10 to 0.24) did not correctly re-implement Bitcoin Core's 'FindAndDelete()' functionality, causing discrepancies in the validation of Bitcoin blocks. This can lead to a chain split (accepting an invalid block) or Denial of Service (DoS) attacks (rejecting a valid block). An attacker can trigger this vulnerability by constructing a 'standard' Bitcoin transaction that exhibits different behaviors in 'FindAndDelete()' and 'removeOpcodeByData()'.

CVE-2024-9312, GHSA-4gfw-wf7c-w6g2
Affects: github.com/ubuntu/authd
Published: Oct 11, 2024
Unreviewed

Authd allows attacker-controlled usernames to yield controllable UIDs in github.com/ubuntu/authd

CVE-2024-9675, GHSA-586p-749j-fhwp
Affects: github.com/containers/buildah
Published: Oct 11, 2024
Unreviewed

Buildah allows arbitrary directory mount in github.com/containers/buildah

CVE-2024-47832
Affects: github.com/ssoready/ssoready
Published: Oct 11, 2024
Unreviewed

XML Signature Bypass via differential XML parsing in ssoready in github.com/ssoready/ssoready

CVE-2024-36814, GHSA-9cp9-8gw2-8v7m
Affects: github.com/AdguardTeam/AdGuardHome
Published: Oct 11, 2024
Unreviewed

Adguard Home arbitrary file read vulnerability in github.com/AdguardTeam/AdGuardHome

GHSA-wpr2-j6gr-pjw9
Affects: github.com/opentofu/opentofu
Published: Oct 09, 2024
Unreviewed

OpenTofu potential leaking of secret variable values when using static evaluation in v1.8 in github.com/opentofu/opentofu

CVE-2024-9313, GHSA-x5q3-c8rm-w787
Affects: github.com/ubuntu/authd
Published: Oct 09, 2024
Unreviewed

PAM module may allow accessing with the credentials of another user in github.com/ubuntu/authd. NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions. (If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.) The additional affected modules and versions are: github.com/ubuntu/authd before v0.0.0-20240930103526-63e527496b01.

CVE-2024-47616, GHSA-r7rh-jww5-5fjr
Affects: github.com/pomerium/pomerium
Published: Oct 09, 2024
Unreviewed

Pomerium service account access token may grant unintended access to databroker API in github.com/pomerium/pomerium

CVE-2024-8038, GHSA-xwgj-vpm9-q2rq
Affects: github.com/juju/juju
Published: Oct 09, 2024
Unreviewed

Vulnerable juju introspection abstract UNIX domain socket in github.com/juju/juju. NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions. (If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.) The additional affected modules and versions are: github.com/juju/juju before v0.0.0-20240829052008-43f0fc59790d.

CVE-2024-8037, GHSA-8v4w-f4r9-7h6x
Affects: github.com/juju/juju
Published: Oct 09, 2024
Unreviewed

Vulnerable juju hook tool abstract UNIX domain socket in github.com/juju/juju

CVE-2024-7558, GHSA-mh98-763h-m9v4
Affects: github.com/juju/juju
Published: Oct 09, 2024
Unreviewed

JUJU_CONTEXT_ID is a predictable authentication secret in github.com/juju/juju

CVE-2024-33662, GHSA-9mjw-79r6-c9m8
Affects: github.com/portainer/portainer
Published: Oct 09, 2024
Unreviewed

Portainer improperly uses an encryption algorithm in the AesEncrypt function in github.com/portainer/portainer. NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions. (If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.) The additional affected modules and versions are: github.com/portainer/portainer before v2.20.2.

CVE-2024-9341, GHSA-mc76-5925-c5p6
Affects: github.com/containers/common
Published: Oct 14, 2024
Unreviewed

Link Following in github.com/containers/common

CVE-2024-8996, GHSA-m5gv-m5f9-wgv4
Affects: github.com/grafana/agent
Published: Oct 09, 2024
Unreviewed

Grafana Agent (Flow mode) on Windows has Unquoted Search Path or Element vulnerability in github.com/grafana/agent

CVE-2024-9407, GHSA-fhqq-8f65-5xfc
Affects: github.com/containers/buildah, github.com/containers/podman, and 4 more
Published: Oct 09, 2024
Unreviewed

Improper Input Validation in Buildah and Podman in github.com/containers/buildah

CVE-2024-8975, GHSA-chqx-36rm-rf8h
Affects: github.com/grafana/alloy
Published: Oct 09, 2024
Unreviewed

Grafana Alloy on Windows has Unquoted Search Path or Element vulnerability in github.com/grafana/alloy

CVE-2024-9355, GHSA-3h3x-2hwv-hr52
Affects: github.com/golang-fips/openssl
Published: Oct 09, 2024
Modified: Nov 05, 2024

A vulnerability was found in Golang FIPS OpenSSL. This flaw allows a malicious user to randomly cause an uninitialized buffer length variable with a zeroed buffer to be returned in FIPS mode. It may also be possible to force a false positive match between non-equal hashes when comparing a trusted computed hmac sum to an untrusted input sum if an attacker can send a zeroed buffer in place of a pre-computed sum. It is also possible to force a derived key to be all zeros instead of an unpredictable value. This may have follow-on implications for the Go TLS stack.

CVE-2024-47534, GHSA-4f8r-qqr9-fq8j
Affects: github.com/theupdateframework/go-tuf/v2
Published: Oct 09, 2024
Modified: Oct 14, 2024
Unreviewed

Incorrect delegation lookups can make go-tuf download the wrong artifact in github.com/theupdateframework/go-tuf

CVE-2024-47003, GHSA-59hf-mpf8-pqjh
Affects: github.com/mattermost/mattermost-server, github.com/mattermost/mattermost-server/v5, and 2 more
Published: Oct 10, 2024
Unreviewed

Mattermost fails to strip `embeds` from `metadata` when broadcasting `posted` events in github.com/mattermost/mattermost-server

CVE-2024-47182
Affects: github.com/amir20/dozzle
Published: Oct 09, 2024
Unreviewed

Dozzle uses unsafe hash for passwords in github.com/amir20/dozzle. NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions. (If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.) The additional affected modules and versions are: github.com/amir20/dozzle before v8.5.3.

CVE-2024-7594, GHSA-jg74-mwgw-v6x3
Affects: github.com/hashicorp/vault
Published: Oct 09, 2024
Unreviewed

Vault SSH Secrets Engine Configuration Did Not Restrict Valid Principals By Default in github.com/hashicorp/vault

CVE-2024-22030, GHSA-h4h5-9833-v2p4
Affects: github.com/rancher/rancher
Published: Oct 09, 2024
Unreviewed

Rancher agents can be hijacked by taking over the Rancher Server URL in github.com/rancher/rancher. NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions. (If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.) The additional affected modules and versions are: github.com/rancher/rancher from v2.7.0 before v2.7.15, from v2.8.0 before v2.8.8, from v2.9.0 before v2.9.2.

CVE-2024-45042, GHSA-wc43-73w7-x2f5
Affects: github.com/ory/kratos
Published: Sep 26, 2024
Unreviewed

Ory Kratos's setting required_aal `highest_available` does not properly respect code + mfa credentials in github.com/ory/kratos

CVE-2024-40761, GHSA-48cr-j2cx-mcr8
Affects: github.com/apache/incubator-answer
Published: Sep 26, 2024
Unreviewed

Apache Answer: Avatar URL leaked user email addresses in github.com/apache/incubator-answer

CVE-2024-46957, GHSA-98hf-m87w-cq6h
Affects: mellium.im/xmpp
Published: Sep 26, 2024
Unreviewed

Mellium allows Authentication Bypass by Spoofing in mellium.im/xmpp

CVE-2024-47219
Affects: github.com/vesoft-inc/nebula
Published: Sep 26, 2024
Unreviewed

CVE-2024-47219 in github.com/vesoft-inc/nebula

CVE-2024-47218
Affects: github.com/vesoft-inc/nebula
Published: Sep 26, 2024
Unreviewed

CVE-2024-47218 in github.com/vesoft-inc/nebula

CVE-2024-47062, GHSA-58vj-cv5w-v4v6
Affects: github.com/navidrome/navidrome
Published: Sep 26, 2024
Unreviewed

Navidrome has Multiple SQL Injections and ORM Leak in github.com/navidrome/navidrome

CVE-2024-8260, GHSA-c77r-fh37-x2px
Affects: github.com/open-policy-agent/opa
Published: Sep 20, 2024

OPA for Windows has an SMB force-authentication vulnerability. Due to improper input validation, it allows a user to pass an arbitrary SMB share instead of a Rego file as an argument to OPA CLI or to one of the OPA Go library’s functions.

CVE-2024-47000, GHSA-qr2h-7pwm-h393
Affects: github.com/zitadel/zitadel
Published: Sep 26, 2024
Unreviewed

ZITADEL's Service Users Deactivation not Working in github.com/zitadel/zitadel. NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions. (If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.) The additional affected modules and versions are: github.com/zitadel/zitadel before v2.54.10, from v2.55.0 before v2.55.8, from v2.56.0 before v2.56.6, from v2.57.0 before v2.57.5, from v2.58.0 before v2.58.5, from v2.59.0 before v2.59.3, from v2.60.0 before v2.60.2, from v2.61.0 before v2.61.1, from v2.62.0 before v2.62.1.

CVE-2024-47060, GHSA-jj94-6f5c-65r8
Affects: github.com/zitadel/zitadel
Published: Sep 26, 2024
Unreviewed

ZITADEL Allows Unauthorized Access After Organization or Project Deactivation in github.com/zitadel/zitadel. NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions. (If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.) The additional affected modules and versions are: github.com/zitadel/zitadel before v2.54.10, from v2.55.0 before v2.55.8, from v2.56.0 before v2.56.6, from v2.57.0 before v2.57.5, from v2.58.0 before v2.58.5, from v2.59.0 before v2.59.3, from v2.60.0 before v2.60.2, from v2.61.0 before v2.61.1, from v2.62.0 before v2.62.1.

CVE-2024-46999, GHSA-2w5j-qfvw-2hf5
Affects: github.com/zitadel/zitadel
Published: Sep 26, 2024
Unreviewed

ZITADEL's User Grant Deactivation not Working in github.com/zitadel/zitadel. NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions. (If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.) The additional affected modules and versions are: github.com/zitadel/zitadel before v2.54.10, from v2.55.0 before v2.55.8, from v2.56.0 before v2.56.6, from v2.57.0 before v2.57.5, from v2.58.0 before v2.58.5, from v2.59.0 before v2.59.3, from v2.60.0 before v2.60.2, from v2.61.0 before v2.61.1, from v2.62.0 before v2.62.1.

CVE-2023-27584, GHSA-hpc8-7wpm-889w
Affects: d7y.io/dragonfly/v2
Published: Sep 26, 2024
Unreviewed

Dragonfly2 has hard coded cyptographic key in d7y.io/dragonfly

CVE-2024-45410, GHSA-62c8-mh53-4cqv
Affects: github.com/traefik/traefik, github.com/traefik/traefik/v2, and 1 more
Published: Sep 26, 2024
Unreviewed

HTTP client can manipulate custom HTTP headers that are added by Traefik in github.com/traefik/traefik

CVE-2023-30464, GHSA-h92q-fgpp-qhrq
Affects: github.com/coredns/coredns
Published: Sep 25, 2024
Modified: Sep 26, 2024

CoreDNS enables attackers to achieve DNS cache poisoning and inject fake responses via a birthday attack.

CVE-2023-47105, GHSA-723h-x37g-f8qm
Affects: github.com/chaosblade-io/chaosblade
Published: Sep 25, 2024
Unreviewed

Chaosblade vulnerable to OS command execution in github.com/chaosblade-io/chaosblade

CVE-2024-46989, GHSA-jhg6-6qrx-38mr
Affects: github.com/authzed/spicedb
Published: Sep 25, 2024
Unreviewed

SpiceDB having multiple caveats on resources of the same type may improperly result in no permission in github.com/authzed/spicedb

CVE-2023-28452, GHSA-hfmw-7g3m-gj6q
Affects: github.com/coredns/coredns
Published: Sep 25, 2024
Unreviewed

CoreDNS vulnerable to TuDoor Attacks in github.com/coredns/coredns

CVE-2024-7387, GHSA-qqv8-ph7f-h3f7
Affects: github.com/openshift/builder
Published: Sep 18, 2024
Unreviewed

OpenShift Builder has a path traversal, allows command injection in privileged BuildContainer in github.com/openshift/builder

CVE-2024-45496, GHSA-j8gh-87rx-c7w9
Affects: github.com/openshift/openshift-controller-manager
Published: Sep 18, 2024
Unreviewed

OpenShift Controller Manager Improper Privilege Management in github.com/openshift/openshift-controller-manager. NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions. (If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.) The additional affected modules and versions are: github.com/openshift/openshift-controller-manager before v0.0.0-alpha.0.0.20240911.

CVE-2024-45041, GHSA-qwgc-rr35-h4x9
Affects: github.com/external-secrets/external-secrets
Published: Sep 13, 2024
Unreviewed

External Secrets Operator vulnerable to privilege escalation in github.com/external-secrets/external-secrets

CVE-2024-8572, GHSA-pv7h-hg6m-82j8
Affects: github.com/gouniverse/cms
Published: Sep 13, 2024
Unreviewed

Gouniverse GoLang CMS vulnerable to Cross-site Scripting in github.com/gouniverse/cms

CVE-2023-46565, GHSA-6rqv-5cg7-m4x3
Affects: github.com/osrg/gobgp/v3
Published: Sep 17, 2024

Buffer Overflow vulnerability allows a remote attacker to cause a denial of service via an fsm error handling function.

CVE-2024-45040, GHSA-9xcg-3q8v-7fq6
Affects: github.com/consensys/gnark
Published: Sep 13, 2024

Commitments to private witnesses in Groth16 as implemented break zero-knowledge property in github.com/consensys/gnark

GHSA-7q74-g774-7x3g
Affects: github.com/cosmos/interchain-security, github.com/cosmos/interchain-security/v2, and 3 more
Published: Sep 06, 2024
Unreviewed

Interchain Security: The signers of ICS messages do not need to match the provider address in github.com/cosmos/interchain-security

CVE-2024-45401, GHSA-fv4g-gwpj-74gr
Affects: github.com/stripe/stripe-cli
Published: Sep 06, 2024
Unreviewed

Path traversal vulnerability in stripe-cli in github.com/stripe/stripe-cli

CVE-2024-8462
Affects: github.com/windmill-labs/windmill
Published: Sep 06, 2024
Unreviewed

Windmill HTTP Request users.rs excessive authentication in github.com/windmill-labs/windmill

CVE-2024-45395, GHSA-cq38-jh5f-37mq
Affects: github.com/sigstore/sigstore-go
Published: Sep 06, 2024
Unreviewed

sigstore-go has an unbounded loop over untrusted input can lead to endless data attack in github.com/sigstore/sigstore-go

CVE-2024-43405, GHSA-7h5p-mmpp-hgmm
Affects: github.com/projectdiscovery/nuclei, github.com/projectdiscovery/nuclei/v2, and 1 more
Published: Sep 06, 2024
Unreviewed

Nuclei Template Signature Verification Bypass in github.com/projectdiscovery/nuclei

CVE-2024-8365, GHSA-jjxf-26c9-77gm
Affects: github.com/hashicorp/vault
Published: Sep 06, 2024
Unreviewed

Vault Leaks Client Token and Token Accessor in Audit Devices in github.com/hashicorp/vault

GHSA-g5xx-c4hv-9ccc
Affects: github.com/cometbft/cometbft
Published: Sep 13, 2024

CometBFT's state syncing validator from malicious node may lead to a chain split github.com/cometbft/cometbft

CVE-2024-45310, GHSA-jfvp-7x6p-h2pv
Affects: github.com/opencontainers/runc
Published: Sep 06, 2024
Unreviewed

runc can be confused to create empty files/directories on the host in github.com/opencontainers/runc

CVE-2024-45388, GHSA-6xx4-x46f-f897
Affects: github.com/SpectoLabs/hoverfly
Published: Sep 06, 2024
Unreviewed

Hoverfly allows an arbitrary file read in the `/api/v2/simulation` endpoint (`GHSL-2023-274`) in github.com/SpectoLabs/hoverfly

CVE-2024-34158
Affects: go/build/constraint
Published: Sep 06, 2024

Calling Parse on a "// +build" build tag line with deeply nested expressions can cause a panic due to stack exhaustion.

CVE-2024-34156
Affects: encoding/gob
Published: Sep 06, 2024

Calling Decoder.Decode on a message which contains deeply nested structures can cause a panic due to stack exhaustion. This is a follow-up to CVE-2022-30635.

CVE-2024-34155
Affects: go/parser
Published: Sep 06, 2024

Calling any of the Parse functions on Go source code which contains deeply nested literals can cause a panic due to stack exhaustion.

CVE-2024-45436, GHSA-846m-99qv-67mg
Affects: github.com/ollama/ollama
Published: Aug 30, 2024
Unreviewed

Ollama can extract members of a ZIP archive outside of the parent directory in github.com/ollama/ollama

CVE-2024-45054, GHSA-mgwr-h7mv-fh29
Affects: github.com/hwameistor/hwameistor
Published: Aug 30, 2024
Unreviewed

Hwameistor Potential Permission Leakage of Cluster Level in github.com/hwameistor/hwameistor

CVE-2024-45043, GHSA-prf6-xjxh-p698
Affects: github.com/open-telemetry/opentelemetry-collector-contrib/receiver/awsfirehosereceiver
Published: Aug 30, 2024
Unreviewed

OpenTelemetry Collector module AWS Firehose Receiver Authentication Bypass Vulnerability in github.com/open-telemetry/opentelemetry-collector-contrib/receiver/awsfirehosereceiver

CVE-2024-43798, GHSA-38jh-8h67-m7mj
Affects: github.com/jpillora/chisel
Published: Aug 30, 2024
Unreviewed

Chisel's AUTH environment variable not respected in server entrypoint in github.com/jpillora/chisel

CVE-2024-45244, GHSA-48gg-32q2-4r6m
Affects: github.com/hyperledger/fabric
Published: Aug 30, 2024
Unreviewed

Hyperledger Fabric does not verify request has a timestamp within the expected time window in github.com/hyperledger/fabric

CVE-2024-45258, GHSA-cj55-gc7m-wvcq
Affects: github.com/imroc/req, github.com/imroc/req/v2, and 1 more
Published: Sep 13, 2024

The req library is a widely used HTTP library in Go. However, it does not handle malformed URLs effectively. As a result, after parsing a malformed URL, the library may send HTTP requests to unexpected destinations, potentially leading to security vulnerabilities or unintended behavior in applications relying on this library for handling HTTP requests. Despite developers potentially utilizing the net/url library to parse malformed URLs and implement blocklists to prevent HTTP requests to listed URLs, inconsistencies exist between how the net/url and req libraries parse URLs. These discrepancies can lead to the failure of defensive strategies, resulting in potential security threats such as Server-Side Request Forgery (SSRF) and Remote Code Execution (RCE).

CVE-2024-40886, GHSA-hrf9-rm95-fpf3
Affects: github.com/mattermost/mattermost-server, github.com/mattermost/mattermost-server/v5, and 2 more
Published: Aug 30, 2024
Unreviewed

Mattermost Cross-Site Request Forgery vulnerability in github.com/mattermost/mattermost-server

CVE-2024-39836, GHSA-c6vp-jjgv-38wj
Affects: github.com/mattermost/mattermost-server, github.com/mattermost/mattermost-server/v5, and 2 more
Published: Aug 30, 2024
Unreviewed

Mattermost allows remote/synthetic users to create sessions, reset passwords in github.com/mattermost/mattermost-server

CVE-2024-43105, GHSA-869f-px86-vj84
Affects: github.com/mattermost/mattermost-plugin-channel-export
Published: Aug 30, 2024
Unreviewed

Mattermost Plugin Channel Export excessive resource consumption in github.com/mattermost/mattermost-plugin-channel-export

CVE-2024-8071, GHSA-5263-pm2h-m7hw
Affects: github.com/mattermost/mattermost-server, github.com/mattermost/mattermost-server/v5, and 2 more
Published: Aug 30, 2024
Unreviewed

Mattermost doesn't restrict which roles can promote a user as system admin in github.com/mattermost/mattermost-server

CVE-2024-32939, GHSA-4ww8-fprq-cq34
Affects: github.com/mattermost/mattermost-server, github.com/mattermost/mattermost-server/v5, and 2 more
Published: Aug 30, 2024
Unreviewed

Mattermost doesn't redact remote users' original email addresses in github.com/mattermost/mattermost-server

CVE-2024-39777, GHSA-q22q-2rrf-m27p
Affects: github.com/mattermost/mattermost-server, github.com/mattermost/mattermost-server/v5, and 2 more
Published: Aug 30, 2024
Unreviewed

Mattermost allows unsolicited invites to expose access to local channels in github.com/mattermost/mattermost-server

CVE-2024-42497, GHSA-fxq9-6946-34q7
Affects: github.com/mattermost/mattermost-server, github.com/mattermost/mattermost-server/v5, and 2 more
Published: Aug 30, 2024
Unreviewed

Mattermost allows user with systems manager role with read-only access to teams to perform write operations on teams in github.com/mattermost/mattermost-server

CVE-2024-40884, GHSA-3j95-8g47-fpwh
Affects: github.com/mattermost/mattermost-server, github.com/mattermost/mattermost-server/v5, and 2 more
Published: Aug 30, 2024
Unreviewed

Mattermost allows team admin user without "Add Team Members" permission to disable invite URL in github.com/mattermost/mattermost-server

CVE-2024-43780, GHSA-2jhx-w3vc-w59g
Affects: github.com/mattermost/mattermost-server, github.com/mattermost/mattermost-server/v5, and 2 more
Published: Aug 30, 2024
Unreviewed

Mattermost allows guest user with read access to upload files to a channel in github.com/mattermost/mattermost-server

CVE-2024-41659, GHSA-p4fx-qf2h-jpmj
Affects: github.com/usememos/memos
Published: Aug 30, 2024
Unreviewed

memos CORS Misconfiguration in server.go (GHSL-2024-034) in github.com/usememos/memos

CVE-2024-41657, GHSA-mchx-7j67-8mcf
Affects: github.com/casdoor/casdoor
Published: Aug 30, 2024
Unreviewed

Casdoor CORS misconfiguration (GHSL-2024-035) in github.com/casdoor/casdoor

CVE-2024-41658, GHSA-gv2p-4mvg-g32h
Affects: github.com/casdoor/casdoor
Published: Aug 30, 2024
Unreviewed

Casdoor has reflected XSS in QrCodePage.js (GHSL-2024-036) in github.com/casdoor/casdoor

CVE-2024-42490, GHSA-qxqc-27pr-wgc8
Affects: goauthentik.io
Published: Aug 30, 2024
Unreviewed

GoAuthentik vulnerable to Insufficient Authorization for several API endpoints in goauthentik.io. NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions. (If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.) The additional affected modules and versions are: goauthentik.io before v2024.4.4, from v2024.6.0-rc1 before v2024.6.4.

CVE-2024-6508, GHSA-4crf-28c7-v4gr
Affects: github.com/openshift/console
Published: Aug 30, 2024
Unreviewed

Openshift Console insufficient entropy vulnerability in github.com/openshift/console

GHSA-g8w7-7vgg-x7xg
Affects: github.com/CosmWasm/wasmd
Published: Aug 30, 2024
Unreviewed

CWA-2024-005: Stackoverflow in wasmd in github.com/CosmWasm/wasmd

GHSA-fpgj-cr28-fvpx
Affects: github.com/CosmWasm/wasmd
Published: Aug 30, 2024
Unreviewed

CWA-2024-006: wasmd non-deterministic module_query_safe query in github.com/CosmWasm/wasmd

CVE-2024-43403, GHSA-h27c-6xm3-mcqp
Affects: github.com/kanisterio/kanister
Published: Aug 22, 2024
Unreviewed

Kanister vulnerable to cluster-level privilege escalation in github.com/kanisterio/kanister

CVE-2024-6322, GHSA-hh8p-374f-qgr5
Affects: github.com/grafana/grafana
Published: Aug 22, 2024
Unreviewed

Grafana plugin data sources vulnerable to access control bypass in github.com/grafana/grafana. NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions. (If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.) The additional affected modules and versions are: github.com/grafana/grafana from v11.1.0 before v11.1.1, from v11.1.2 before v11.1.3.

CVE-2024-43406, GHSA-r5ph-4jxm-6j9p
Affects: github.com/lf-edge/ekuiper
Published: Aug 22, 2024
Unreviewed

LF Edge eKuiper has a SQL Injection in sqlKvStore in github.com/lf-edge/ekuiper

CVE-2024-39690, GHSA-mq69-4j5w-3qwp
Affects: github.com/projectcapsule/capsule
Published: Aug 22, 2024
Unreviewed

Capsule tenant owner with "patch namespace" permission can hijack system namespaces in github.com/projectcapsule/capsule

CVE-2024-43379, GHSA-3r74-v83p-f4f4
Affects: github.com/trufflesecurity/trufflehog, github.com/trufflesecurity/trufflehog/v3
Published: Aug 22, 2024
Unreviewed

Trufflehog vulnerable to Blind SSRF in some Detectors in github.com/trufflesecurity/trufflehog

CVE-2024-7646
Affects: github.com/kubernetes/ingress-nginx
Published: Aug 19, 2024
Unreviewed

CVE-2024-7646 in github.com/kubernetes/ingress-nginx. NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions. (If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.) The additional affected modules and versions are: github.com/kubernetes/ingress-nginx before v1.11.2.

CVE-2024-42486, GHSA-vwf8-q6fw-4wcm
Affects: github.com/cilium/cilium
Published: Aug 19, 2024
Unreviewed

Cilium leaks information via incorrect ReferenceGrant update logic in Gateway API in github.com/cilium/cilium

CVE-2024-7625, GHSA-25qx-vfw2-fw8r
Affects: github.com/hashicorp/nomad
Published: Aug 19, 2024
Unreviewed

Nomad Vulnerable to Allocation Directory Escape On Non-Existing File Paths Through Archive Unpacking in github.com/hashicorp/nomad. NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions. (If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.) The additional affected modules and versions are: github.com/hashicorp/nomad from v0.6.1 before v1.6.14, from v1.7.0 before v1.7.11, from v1.8.0 before v1.8.3.

CVE-2024-42488, GHSA-q7w8-72mr-vpgw
Affects: github.com/cilium/cilium
Published: Aug 16, 2024
Unreviewed

Policy bypass for Host Firewall policy due to race condition in Cilium agent in github.com/cilium/cilium

CVE-2024-42487, GHSA-qcm3-7879-xcww
Affects: github.com/cilium/cilium
Published: Aug 16, 2024
Unreviewed

Gateway API route matching order contradicts specification in github.com/cilium/cilium

CVE-2024-32231, GHSA-75jf-52jg-qqh4
Affects: github.com/stashapp/stash
Published: Aug 16, 2024
Modified: Aug 19, 2024
Unreviewed

SQL injection in github.com/stashapp/stash

GHSA-83qr-9v2h-qxp4
Affects: github.com/cosmos/gaia/v14, github.com/cosmos/gaia/v15, and 2 more
Published: Aug 19, 2024
Unreviewed

Missing check for the height of cryptographic equivocation evidence in github.com/cosmos/gaia

CVE-2024-42368, GHSA-rfxf-mf63-cpqv
Affects: github.com/open-telemetry/opentelemetry-collector-contrib/extension/bearertokenauthextension
Published: Aug 13, 2024
Modified: Aug 19, 2024
Unreviewed

open-telemetry has an Observable Timing Discrepancy in github.com/open-telemetry/opentelemetry-collector-contrib/extension/bearertokenauthextension

CVE-2024-41888, GHSA-v3x9-wrq5-868j
Affects: github.com/apache/incubator-answer
Published: Aug 13, 2024
Unreviewed

Apache Answer: The link for resetting user password is not Single-Use in github.com/apache/incubator-answer

CVE-2024-41890, GHSA-gvpv-r32v-9737
Affects: github.com/apache/incubator-answer
Published: Aug 13, 2024
Unreviewed

Apache Answer: The link to reset the user's password will remain valid after sending a new link in github.com/apache/incubator-answer

CVE-2024-42480, GHSA-6r4j-4rjc-8vw5
Affects: github.com/clastix/kamaji
Published: Aug 13, 2024
Unreviewed

RBAC Roles for `etcd` created by Kamaji are not disjunct in github.com/clastix/kamaji

CVE-2024-42473, GHSA-3f6g-m4hr-59h8
Affects: github.com/openfga/openfga
Published: Aug 13, 2024
Modified: Aug 15, 2024
Unreviewed

OpenFGA Authorization Bypass in github.com/openfga/openfga

GHSA-m3rh-cvr5-x6q4
Affects: github.com/CosmWasm/wasmd
Published: Aug 13, 2024
Unreviewed

CosmWasm wasmd has large address count in ValidateBasic in github.com/CosmWasm/wasmd

CVE-2024-41270, GHSA-p3pf-mff8-3h47
Affects: github.com/appleboy/gorush
Published: Aug 19, 2024

An issue in the RunHTTPServer function in Gorush allows attackers to intercept and manipulate data due to the use of a deprecated TLS version.

CVE-2024-41260, GHSA-9v35-4xcr-w9ph
Affects: github.com/netbirdio/netbird
Published: Aug 13, 2024
Unreviewed

NetBird uses a static initialization vector (IV) in github.com/netbirdio/netbird

CVE-2024-6886, GHSA-4h4p-553m-46qh
Affects: code.gitea.io/gitea
Published: Aug 06, 2024
Unreviewed

Gitea Cross-site Scripting Vulnerability in code.gitea.io/gitea

CVE-2024-29191, GHSA-wv8x-3w6r-6h7v
Affects: github.com/AlexxIT/go2rtc
Published: Aug 06, 2024
Unreviewed

gotortc Cross-site Scripting vulnerability in github.com/AlexxIT/go2rtc

CVE-2024-29026, GHSA-v99w-r56h-g23v
Affects: github.com/owncast/owncast
Published: Aug 06, 2024
Unreviewed

Owncast Cross-Site Request Forgery vulnerability in github.com/owncast/owncast

CVE-2024-29193, GHSA-rh4r-f7f7-r99m
Affects: github.com/AlexxIT/go2rtc
Published: Aug 06, 2024
Unreviewed

gotortc Cross-site Scripting vulnerability in github.com/AlexxIT/go2rtc

CVE-2024-29192, GHSA-qgj8-g9q4-7f2p
Affects: github.com/AlexxIT/go2rtc
Published: Aug 06, 2024
Unreviewed

gotortc vulnerable to Cross-Site Request Forgery in github.com/AlexxIT/go2rtc

CVE-2024-35182, GHSA-h7cm-jvpp-69xf
Affects: github.com/layer5io/meshery
Published: Aug 06, 2024
Unreviewed

Meshery SQL Injection vulnerability in github.com/layer5io/meshery. NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions. (If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.) The additional affected modules and versions are: github.com/layer5io/meshery before v0.7.22.

CVE-2024-35181, GHSA-9f24-jrv4-f8g5
Affects: github.com/layer5io/meshery
Published: Aug 06, 2024
Unreviewed

Meshery SQL Injection vulnerability in github.com/layer5io/meshery. NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions. (If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.) The additional affected modules and versions are: github.com/layer5io/meshery before v0.7.22.

CVE-2024-29029, GHSA-9cqm-mgv9-vv9j
Affects: github.com/usememos/memos
Published: Aug 06, 2024
Unreviewed

memos vulnerable to Server-Side Request Forgery and Cross-site Scripting in github.com/usememos/memos

CVE-2023-48703, GHSA-6h53-q94j-348w
Affects: github.com/RobotsAndPencils/go-saml
Published: Aug 06, 2024
Unreviewed

RobotsAndPencils go-saml authentication bypass vulnerability in github.com/RobotsAndPencils/go-saml

CVE-2024-29028, GHSA-6fcf-g3mp-xj2x
Affects: github.com/usememos/memos
Published: Aug 06, 2024
Unreviewed

memos vulnerable to Server-Side Request Forgery in /o/get/httpmeta in github.com/usememos/memos

CVE-2024-29030, GHSA-65fm-2jgr-j7qq
Affects: github.com/usememos/memos
Published: Aug 06, 2024
Unreviewed

memos vulnerable to Server-Side Request Forgery in /api/resource in github.com/usememos/memos

CVE-2024-29031, GHSA-652r-q29p-m25h
Affects: github.com/layer5io/meshery
Published: Aug 06, 2024
Unreviewed

Meshery SQL Injection vulnerability in github.com/layer5io/meshery

CVE-2023-26494, GHSA-5fwq-9x7j-2qpg
Affects: go.thethings.network/lorawan-stack, go.thethings.network/lorawan-stack/v3
Published: Aug 06, 2024
Unreviewed

lorawan-stack Open Redirect vulnerability in go.thethings.network/lorawan-stack

CVE-2024-3056, GHSA-rpcc-p8xm-rc6p
Affects: github.com/containers/podman, github.com/containers/podman/v2, and 3 more
Published: Aug 06, 2024
Unreviewed

Podman vulnerable to memory-based denial of service in github.com/containers/podman

GHSA-6vjm-54vp-mxhx
Affects: github.com/juju/juju
Published: Aug 06, 2024
Unreviewed

Juju's unprivileged user running on charm node can leak any secret or relation data accessible to the local charm in github.com/juju/juju. NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions. (If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.) The additional affected modules and versions are: github.com/juju/juju before v2.9.50, from v3.0.0 before v3.1.9, from v3.2.0 before v3.3.6, from v3.4.0 before v3.4.5, from v3.5.0 before v3.5.3.

CVE-2024-41820, GHSA-3wfj-3x8q-hrpg
Affects: github.com/kubean-io/kubean
Published: Aug 06, 2024
Modified: Aug 19, 2024
Unreviewed

Kubean vulnerable to cluster-level privilege escalation in github.com/kubean-io/kubean

GHSA-qv35-3gw6-8q4j
Affects: github.com/regclient/regclient
Published: Aug 06, 2024
Unreviewed

In regclient, pinned manifest digests may be ignored in github.com/regclient/regclient

CVE-2024-37286, GHSA-f6cj-4h3g-hwq4
Affects: github.com/elastic/apm-server
Published: Aug 06, 2024
Unreviewed

APM Server vulnerable to Insertion of Sensitive Information into Log File in github.com/elastic/apm-server. NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions. (If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.) The additional affected modules and versions are: github.com/elastic/apm-server before v8.14.0.

CVE-2024-41265, GHSA-vw7g-3cc7-7rmh
Affects: github.com/cortexproject/cortex
Published: Aug 06, 2024
Unreviewed

cortex establishes TLS connections with `InsecureSkipVerify` set to `true` in github.com/cortexproject/cortex

CVE-2024-41256, GHSA-mpvx-whpp-99xj
Affects: github.com/mickael-kerjean/filestash
Published: Aug 06, 2024
Unreviewed

Filestash skips TLS certificate verification process when sending out email verification codes in github.com/mickael-kerjean/filestash

CVE-2024-36533, GHSA-5g3x-8g2v-r8x8
Affects: volcano.sh/volcano
Published: Aug 06, 2024
Unreviewed

Volcano has insecure permissions in volcano.sh/volcano

CVE-2024-41255, GHSA-4jmm-c6jw-g796
Affects: github.com/mickael-kerjean/filestash
Published: Aug 06, 2024
Modified: Aug 19, 2024
Unreviewed

Filestash configured to skip TLS certificate verification when using the FTPS protocol in github.com/mickael-kerjean/filestash

CVE-2024-39837, GHSA-vvpg-55p7-5h8w
Affects: github.com/mattermost/mattermost-server, github.com/mattermost/mattermost-server/v5, and 2 more
Published: Aug 06, 2024
Unreviewed

Mattermost did not properly restrict channel creation in github.com/mattermost/mattermost-server

CVE-2024-41162, GHSA-jr9x-3x7m-4j75
Affects: github.com/mattermost/mattermost-server, github.com/mattermost/mattermost-server/v5, and 2 more
Published: Aug 06, 2024
Unreviewed

Mattermost allows a remote actor to make an arbitrary local channel read-only in github.com/mattermost/mattermost-server

CVE-2024-29977, GHSA-jq3g-xqpx-37x3
Affects: github.com/mattermost/mattermost-server, github.com/mattermost/mattermost-server/v5, and 2 more
Published: Aug 06, 2024
Unreviewed

Mattermost failed to properly validate synced reactions in github.com/mattermost/mattermost-server

CVE-2024-41259, GHSA-hrmx-8jjv-g758
Affects: github.com/navidrome/navidrome
Published: Aug 06, 2024
Unreviewed

Navidrome uses MD5 hashing algorithm in github.com/navidrome/navidrome

CVE-2024-39274, GHSA-cmc8-222c-vqp9
Affects: github.com/mattermost/mattermost-server, github.com/mattermost/mattermost-server/v5, and 2 more
Published: Aug 06, 2024
Unreviewed

Mattermost failed to properly validate that the channel that comes from the sync message is a shared channel in github.com/mattermost/mattermost-server

CVE-2024-36536, GHSA-c9cm-5j82-m6pj
Affects: github.com/fabedge/fabedge
Published: Aug 06, 2024
Unreviewed

fabedge has insecure permissions in github.com/fabedge/fabedge

CVE-2024-41264, GHSA-67fw-w8f2-88wp
Affects: github.com/casdoor/casdoor
Published: Aug 06, 2024
Unreviewed

casdoor's use of`ssh.InsecureIgnoreHostKey()` disables host key verification in github.com/casdoor/casdoor

CVE-2024-36492, GHSA-56mc-f9w7-2wxq
Affects: github.com/mattermost/mattermost-server, github.com/mattermost/mattermost-server/v5, and 2 more
Published: Aug 06, 2024
Unreviewed

Mattermost failed to disallow the modification of local users when syncing users in shared channels in github.com/mattermost/mattermost-server

CVE-2024-39839, GHSA-vg6q-84p8-qvqh
Affects: github.com/mattermost/mattermost-server, github.com/mattermost/mattermost-server/v5, and 2 more
Published: Aug 06, 2024
Unreviewed

Mattermost allows a user on a remote to set their remote username prop to an arbitrary string in github.com/mattermost/mattermost-server

CVE-2024-41144, GHSA-vg67-chm7-8m3j
Affects: github.com/mattermost/mattermost-server, github.com/mattermost/mattermost-server/v5, and 2 more
Published: Aug 06, 2024
Unreviewed

Mattermost allows remote actor to create/update/delete posts in arbitrary channels in github.com/mattermost/mattermost-server

CVE-2024-41926, GHSA-9fpw-c9x7-cv3j
Affects: github.com/mattermost/mattermost-server, github.com/mattermost/mattermost-server/v5, and 2 more
Published: Aug 06, 2024
Unreviewed

Mattermost allows remote actor to set arbitrary RemoteId values for synced users in github.com/mattermost/mattermost-server

CVE-2024-39832, GHSA-762m-4cx6-6mf4
Affects: github.com/mattermost/mattermost-server, github.com/mattermost/mattermost-server/v5, and 2 more
Published: Aug 06, 2024
Unreviewed

Mattermost allows a remote actor to permanently delete local data by abusing dangerous error handling in github.com/mattermost/mattermost-server

CVE-2024-41956, GHSA-m445-w3xr-vp2f
Affects: github.com/charmbracelet/soft-serve
Published: Aug 06, 2024
Unreviewed

soft-serve vulnerable to arbitrary code execution by crafting git-lfs requests in github.com/charmbracelet/soft-serve

CVE-2024-40464, GHSA-r6qh-j42j-pw64
Affects: github.com/beego/beego/v2
Published: Aug 19, 2024

Beego privilege escalation vulnerability via sendMail in github.com/beego/beego/v2

CVE-2024-41953, GHSA-v333-7h2p-5fhv
Affects: github.com/zitadel/zitadel
Published: Aug 06, 2024
Unreviewed

ZITADEL has improper HTML sanitization in emails and Console UI in github.com/zitadel/zitadel. NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions. (If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.) The additional affected modules and versions are: github.com/zitadel/zitadel from v2.52.0 before v2.52.3, from v2.53.0 before v2.53.9, from v2.54.0 before v2.54.8, from v2.55.0 before v2.55.5, from v2.56.0 before v2.56.2, from v2.57.0 before v2.57.1, from v2.58.0 before v2.58.1.

CVE-2024-41952, GHSA-567v-6hmg-6qg7
Affects: github.com/zitadel/zitadel
Published: Aug 06, 2024
Unreviewed

ZITADEL "ignoring unknown usernames" vulnerability in github.com/zitadel/zitadel. NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions. (If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.) The additional affected modules and versions are: github.com/zitadel/zitadel from v2.53.0 before v2.53.9, from v2.54.0 before v2.54.8, from v2.55.0 before v2.55.5, from v2.56.0 before v2.56.2, from v2.57.0 before v2.57.1, from v2.58.0 before v2.58.1.

CVE-2024-22278, GHSA-hw28-333w-qxp3
Affects: github.com/goharbor/harbor
Published: Aug 06, 2024
Unreviewed

Harbor fails to validate the user permissions when updating project configurations in github.com/goharbor/harbor

Affects: github.com/PromonLogicalis/asn1
Published: Jul 31, 2024

Version 7bdca06d0edf of the github.com/PromonLogicalis/asn1 module contains malicious code which downloads a program from a remote web server and executes it.

GHSA-wm25-j4gw-6vr3
Affects: github.com/prest/prest
Published: Aug 06, 2024
Unreviewed

pREST vulnerable to jwt bypass + sql injection in github.com/prest/prest

CVE-2024-6984
Affects: github.com/juju/juju
Published: Aug 06, 2024
Unreviewed

CVE-2024-6984 in github.com/juju/juju. NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions. (If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.) The additional affected modules and versions are: github.com/juju/juju from v2.9.0 before v2.9.50, from v3.1.0 before v3.1.9, from v3.3.0 before v3.3.5, from v3.4.0 before v3.4.5, from v3.5.0 before v3.5.3.

CVE-2024-29069, GHSA-69p6-gp5x-j269
Affects: github.com/snapcore/snapd
Published: Aug 06, 2024
Unreviewed

snapd failed to properly check the destination of symbolic links when extracting a snap in github.com/snapcore/snapd. NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions. (If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.) The additional affected modules and versions are: github.com/snapcore/snapd before v2.62.0.

CVE-2024-29068, GHSA-64jh-cjwc-w8q6
Affects: github.com/snapcore/snapd
Published: Aug 06, 2024
Unreviewed

snapd failed to properly check the file type when extracting a snap in github.com/snapcore/snapd. NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions. (If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.) The additional affected modules and versions are: github.com/snapcore/snapd before v2.62.0.

CVE-2024-1724, GHSA-4mh8-9689-38vr
Affects: github.com/snapcore/snapd
Published: Aug 06, 2024
Unreviewed

snapd failed to restrict writes to the $HOME/bin path in github.com/snapcore/snapd. NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions. (If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.) The additional affected modules and versions are: github.com/snapcore/snapd before v2.62.0.

CVE-2024-41666, GHSA-v8wx-v5jq-qhhw
Affects: github.com/argoproj/argo-cd, github.com/argoproj/argo-cd/v2
Published: Aug 06, 2024
Unreviewed

The Argo CD web terminal session does not handle the revocation of user permissions properly in github.com/argoproj/argo-cd

CVE-2024-41110
Affects: github.com/moby/moby, github.com/docker/docker
Published: Jul 29, 2024

Moby authz zero length regression in github.com/moby/moby

CVE-2024-40634, GHSA-jmvp-698c-4x3w
Affects: github.com/argoproj/argo-cd, github.com/argoproj/argo-cd/v2
Published: Aug 06, 2024
Unreviewed

Argo CD Unauthenticated Denial of Service (DoS) Vulnerability via /api/webhook Endpoint in github.com/argoproj/argo-cd

CVE-2024-41121, GHSA-xw35-rrcp-g7xm
Affects: go.woodpecker-ci.org/woodpecker, go.woodpecker-ci.org/woodpecker/v2
Published: Aug 06, 2024
Unreviewed

Woodpecker's custom workspace allow to overwrite plugin entrypoint executable in go.woodpecker-ci.org/woodpecker

CVE-2024-41122, GHSA-3wf2-2pq4-4rvc
Affects: go.woodpecker-ci.org/woodpecker, go.woodpecker-ci.org/woodpecker/v2
Published: Aug 06, 2024
Unreviewed

Woodpecker's custom environment variables allow to alter execution flow of plugins in go.woodpecker-ci.org/woodpecker

CVE-2024-21583
Affects: github.com/gitpod-io/gitpod, github.com/gitpod-io/gitpod/components/server/go, and 2 more
Published: Jul 22, 2024
Modified: Sep 06, 2024
Unreviewed

CVE-2024-21583 in github.com/gitpod-io/gitpod. NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions. (If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.) The additional affected modules and versions are: github.com/gitpod-io/gitpod before v0.1.5-main-gha.27122; github.com/gitpod-io/gitpod/components/server/go before main-gha.27122; github.com/gitpod-io/gitpod/components/ws-proxy before main-gha.27122; github.com/gitpod-io/gitpod/install/installer before main-gha.27122.

CVE-2024-21527
Affects: github.com/gotenberg/gotenberg/v7, github.com/gotenberg/gotenberg/v8
Published: Jul 22, 2024
Unreviewed

CVE-2024-21527 in github.com/gotenberg/gotenberg

CVE-2024-5321, GHSA-82m2-cv7p-4m75
Affects: k8s.io/kubernetes
Published: Jul 22, 2024
Unreviewed

Kubernetes sets incorrect permissions on Windows containers logs in k8s.io/kubernetes

CVE-2024-41111, GHSA-hc5w-gxxr-w8x8
Affects: github.com/bishopfox/sliver
Published: Jul 22, 2024
Modified: Aug 19, 2024
Unreviewed

Sliver Allows Authenticated Operator-to-Server Remote Code Execution in github.com/bishopfox/sliver. NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions. (If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.) The additional affected modules and versions are: github.com/bishopfox/sliver before v1.6.0.

CVE-2024-39911
Affects: github.com/1Panel-dev/1Panel
Published: Jul 22, 2024
Unreviewed

1Panel SQL injection in github.com/1Panel-dev/1Panel

CVE-2024-39907, GHSA-5grx-v727-qmq6
Affects: github.com/1Panel-dev/1Panel
Published: Jul 22, 2024
Unreviewed

1Panel has an SQL injection issue related to the orderBy clause in github.com/1Panel-dev/1Panel. NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions. (If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.) The additional affected modules and versions are: github.com/1Panel-dev/1Panel before v1.10.12-tls.

CVE-2024-40641, GHSA-c3q9-c27p-cw9h
Affects: github.com/projectdiscovery/nuclei, github.com/projectdiscovery/nuclei/v2, and 1 more
Published: Jul 22, 2024
Unreviewed

projectdiscovery/nuclei allows unsigned code template execution through workflows in github.com/projectdiscovery/nuclei

CVE-2024-6535, GHSA-w799-v85j-88pg
Affects: github.com/skupperproject/skupper
Published: Jul 22, 2024
Modified: Aug 19, 2024
Unreviewed

Skupper uses a static cookie secret for the openshift oauth-proxy in github.com/skupperproject/skupper

CVE-2024-40632
Affects: github.com/linkerd/linkerd2
Published: Jul 22, 2024

Linkerd potential access to the shutdown endpoint in github.com/linkerd/linkerd2

CVE-2024-6468, GHSA-2qmw-pvf7-4mw6
Affects: github.com/hashicorp/vault
Published: Jul 12, 2024
Modified: Aug 19, 2024
Unreviewed

Hashicorp Vault vulnerable to Improper Check or Handling of Exceptional Conditions in github.com/hashicorp/vault. NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions. (If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.) The additional affected modules and versions are: github.com/hashicorp/vault before v1.15.12.

CVE-2024-39909, GHSA-5248-h45p-9pgw
Affects: github.com/openclarity/kubeclarity/backend
Published: Jul 12, 2024
Modified: Aug 19, 2024
Unreviewed

SQL Injection in the KubeClarity REST API in github.com/openclarity/kubeclarity/backend

CVE-2022-29946, GHSA-2h2x-8hh2-mfq8
Affects: github.com/nats-io/nats-server, github.com/nats-io/nats-server/v2, and 1 more
Published: Jul 12, 2024
Unreviewed

NATS Server and Streaming Server fails to enforce negative user permissions, may allow denied subjects in github.com/nats-io/nats-server

CVE-2024-39897, GHSA-55r9-5mx9-qq7r
Affects: zotregistry.dev/zot, zotregistry.io/zot
Published: Jul 10, 2024
Modified: Sep 06, 2024
Unreviewed

Cache driver GetBlob() allows read access to any blob without access control check in zotregistry.dev/zot. NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions. (If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.) The additional affected modules and versions are: zotregistry.dev/zot before v2.1.0; zotregistry.io/zot before v2.1.0.

GHSA-xr7q-jx4m-x55m
Affects: google.golang.org/grpc
Published: Jul 09, 2024

If applications print or log a context containing gRPC metadata, the output will contain all the metadata, which may include private information. This represents a potential PII concern.

CVE-2024-6284, GHSA-qjvf-8748-9w7h
Affects: github.com/google/nftables
Published: Jul 09, 2024

IP addresses were encoded in the wrong byte order, resulting in an nftables configuration which did not work as intended (might block or not block the desired addresses).

CVE-2024-39696, GHSA-q6hg-6m9x-5g9c
Affects: github.com/evmos/evmos, github.com/evmos/evmos/v2, and 17 more
Published: Jul 09, 2024
Modified: Jul 29, 2024
Unreviewed

Evmos vulnerable to exploit of smart contract account and vesting in github.com/evmos/evmos

CVE-2024-39321, GHSA-gxrv-wf35-62w9
Affects: github.com/traefik/traefik, github.com/traefik/traefik/v2, and 1 more
Published: Jul 09, 2024
Unreviewed

Bypassing IP allow-lists in traefik via HTTP/3 early data requests in QUIC 0-RTT handshakes in github.com/traefik/traefik

CVE-2024-39933, GHSA-8mm6-wmpp-mmm3
Affects: github.com/gogs/gogs
Published: Jul 09, 2024
Modified: Aug 19, 2024
Unreviewed

Gogs allows argument injection during the tagging of a new release in github.com/gogs/gogs

CVE-2024-39932, GHSA-hf29-9hfh-w63j
Affects: github.com/gogs/gogs
Published: Jul 09, 2024
Unreviewed

Gogs allows argument injection during the previewing of changes in github.com/gogs/gogs

CVE-2024-39931, GHSA-2vgj-3pvg-xh4w
Affects: github.com/gogs/gogs
Published: Jul 09, 2024
Unreviewed

Gogs allows deletion of internal files in github.com/gogs/gogs

CVE-2024-39930, GHSA-p69r-v3h4-rj4f
Affects: github.com/gogs/gogs
Published: Jul 09, 2024
Modified: Jul 29, 2024
Unreviewed

github.com/gogs/gogs affected by CVE-2024-39930

CVE-2024-39683, GHSA-cvw9-c57h-3397
Affects: github.com/zitadel/zitadel
Published: Jul 09, 2024
Unreviewed

ZITADEL Vulnerable to Session Information Leakage in github.com/zitadel/zitadel. NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions. (If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.) The additional affected modules and versions are: github.com/zitadel/zitadel from v2.0.0 before v2.53.8, from v2.54.0 before v2.54.5, from v2.55.0 before v2.55.1.

CVE-2024-39315, GHSA-rrqr-7w59-637v
Affects: github.com/pomerium/pomerium
Published: Jul 03, 2024
Modified: Jul 29, 2024
Unreviewed

Pomerium exposed OAuth2 access and ID tokens in user info endpoint response in github.com/pomerium/pomerium

CVE-2024-24791
Affects: net/http
Published: Jul 02, 2024

The net/http HTTP/1.1 client mishandled the case where a server responds to a request with an "Expect: 100-continue" header with a non-informational (200 or higher) status. This mishandling could leave a client connection in an invalid state, where the next request sent on the connection will fail. An attacker sending a request to a net/http/httputil.ReverseProxy proxy can exploit this mishandling to cause a denial of service by sending "Expect: 100-continue" requests which elicit a non-informational response from the backend. Each such request leaves the proxy with an invalid connection, and causes one subsequent request using that connection to fail.

CVE-2023-24531
Affects: cmd/go
Published: Jul 02, 2024

Command go env is documented as outputting a shell script containing the Go environment. However, go env doesn't sanitize values, so executing its output as a shell script can cause various bad bahaviors, including executing arbitrary commands or inserting new environment variables. This issue is relatively minor because, in general, if an attacker can set arbitrary environment variables on a system, they have better attack vectors than making "go env" print them out.

CVE-2022-30636
Affects: golang.org/x/crypto
Published: Jul 02, 2024

httpTokenCacheKey uses path.Base to extract the expected HTTP-01 token value to lookup in the DirCache implementation. On Windows, path.Base acts differently to filepath.Base, since Windows uses a different path separator (\ vs. /), allowing a user to provide a relative path, i.e. .well-known/acme-challenge/..\..\asd becomes ..\..\asd. The extracted path is then suffixed with +http-01, joined with the cache directory, and opened. Since the controlled path is suffixed with +http-01 before opening, the impact of this is significantly limited, since it only allows reading arbitrary files on the system if and only if they have this suffix.

CVE-2024-38513, GHSA-98j2-3j3p-fw2v
Affects: github.com/gofiber/fiber, github.com/gofiber/fiber/v2
Published: Jul 02, 2024

Session Middleware Token Injection Vulnerability in github.com/gofiber/fiber

CVE-2024-37298, GHSA-3669-72x9-r9p3
Affects: github.com/gorilla/schema
Published: Jul 02, 2024

Potential memory exhaustion attack due to sparse slice deserialization in github.com/gorilla/schema

CVE-2019-25211, GHSA-869c-j7wc-8jqv
Affects: github.com/gin-contrib/cors
Published: Jul 02, 2024

Gin-Gonic CORS middleware mishandles a wildcard at the end of an origin string. Examples: https://example.community/* is accepted by the origin string https://example.com/* and http://localhost.example.com/* is accepted by the origin string http://localhost/* .

GHSA-hg58-rf2h-6rr7
Affects: github.com/cometbft/cometbft
Published: Jul 02, 2024

A malicious peer can cause a syncing node to panic during blocksync. The syncing node may enter into a catastrophic invalid syncing state or get stuck in blocksync mode, never switching to consensus. Nodes that are vulnerable to this state may experience a Denial of Service condition in which syncing will not work as expected when joining a network as a client.

CVE-2024-6257, GHSA-xfhp-jf8p-mh5w
Affects: github.com/hashicorp/go-getter
Published: Jun 28, 2024

A crafted request can execute Git update on an existing maliciously modified Git Configuration. This can potentially lead to arbitrary code execution. When performing a Git operation, the library will try to clone the given repository to a specified destination. Cloning initializes a git config in the provided destination. An attacker may alter the Git config after the cloning step to set an arbitrary Git configuration to achieve code execution.

CVE-2024-6104, GHSA-v6v8-xj6m-xwqh
Affects: github.com/hashicorp/go-retryablehttp
Published: Jun 25, 2024

URLs were not sanitized when writing them to log files. This could lead to writing sensitive HTTP basic auth credentials to the log file.

CVE-2024-38359, GHSA-9gxx-58q6-42p7
Affects: github.com/lightningnetwork/lnd
Published: Jul 01, 2024
Unreviewed

Lightning Network Daemon (LND)'s onion processing logic leads to a denial of service in github.com/lightningnetwork/lnd

GHSA-rvj4-q8q5-8grf
Affects: github.com/traefik/traefik, github.com/traefik/traefik/v2, and 1 more
Published: Jun 28, 2024
Unreviewed

ACME DNS: Azure Identity Libraries Elevation of Privilege Vulnerability in github.com/traefik/traefik

CVE-2024-37897, GHSA-hw5f-6wvv-xcrh
Affects: github.com/drakkan/sftpgo, github.com/drakkan/sftpgo/v2
Published: Jun 28, 2024
Unreviewed

SFTPGo has insufficient access control for password reset in github.com/drakkan/sftpgo

CVE-2024-38361, GHSA-grjv-gjgr-66g2
Affects: github.com/authzed/spicedb
Published: Jun 28, 2024
Unreviewed

SpiceDB exclusions can result in no permission returned when permission expected in github.com/authzed/spicedb

CVE-2024-5182, GHSA-cpcx-r2gq-x893
Affects: github.com/go-skynet/LocalAI
Published: Jun 28, 2024
Modified: Jul 09, 2024
Unreviewed

LocalAI path traversal vulnerability in github.com/go-skynet/LocalAI. NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions. (If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.) The additional affected modules and versions are: github.com/go-skynet/LocalAI before v2.16.0.

CVE-2024-24792, GHSA-9phm-fm57-rhg8
Affects: golang.org/x/image
Published: Jun 25, 2024
Modified: Jun 26, 2024

Parsing a corrupt or malicious image with invalid color indices can cause a panic.

CVE-2024-38351, GHSA-m93w-4fxv-r35v
Affects: github.com/pocketbase/pocketbase
Published: Jul 01, 2024

PocketBase performs password auth and OAuth2 unverified email linking in github.com/pocketbase/pocketbase

CVE-2024-37904, GHSA-hpcg-xjq5-g666
Affects: github.com/stacklok/minder
Published: Jun 28, 2024
Unreviewed

Minder affected by denial of service from maliciously configured Git repository in github.com/stacklok/minder

CVE-2024-5899
Affects: github.com/bazelbuild/intellij
Published: Jun 28, 2024
Unreviewed

Improper trust check in Bazel Build intellij plugin in github.com/bazelbuild/intellij

CVE-2024-22032, GHSA-q6c7-56cq-g2wm
Affects: github.com/rancher/rancher
Published: Jun 28, 2024
Modified: Jul 09, 2024
Unreviewed

Rancher's RKE1 Encryption Config kept in plain-text within cluster AppliedSpec in github.com/rancher/rancher. NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions. (If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.) The additional affected modules and versions are: github.com/rancher/rancher from v2.7.0 before v2.7.14, from v2.8.0 before v2.8.5.

CVE-2023-22650, GHSA-9ghh-mmcq-8phc
Affects: github.com/rancher/rancher
Published: Jun 28, 2024
Modified: Jul 09, 2024
Unreviewed

Rancher does not automatically clean up a user deleted or disabled from the configured Authentication Provider in github.com/rancher/rancher. NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions. (If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.) The additional affected modules and versions are: github.com/rancher/rancher from v2.7.0 before v2.7.14, from v2.8.0 before v2.8.5.

CVE-2023-32191, GHSA-6gr4-52w6-vmqx
Affects: github.com/rancher/rke
Published: Jul 01, 2024

When RKE provisions a cluster, it stores the cluster state in a configmap called "full-cluster-state" inside the "kube-system" namespace of the cluster itself. This cluster state object contains information used to set up the K8s cluster, which may include sensitive data.

CVE-2023-32196, GHSA-64jq-m7rq-768h
Affects: github.com/rancher/rancher
Published: Jun 28, 2024
Modified: Jul 09, 2024
Unreviewed

Rancher's External RoleTemplates can lead to privilege escalation in github.com/rancher/rancher. NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions. (If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.) The additional affected modules and versions are: github.com/rancher/rancher from v2.7.0 before v2.7.14, from v2.8.0 before v2.8.5.

CVE-2024-37896
Affects: github.com/flipped-aurora/gin-vue-admin
Published: Jun 28, 2024
Unreviewed

SQL injection vulnerability in Gin-vue-admin in github.com/flipped-aurora/gin-vue-admin

CVE-2024-37159
Affects: github.com/evmos/evmos, github.com/evmos/evmos/v2, and 16 more
Published: Jun 28, 2024
Unreviewed

Evmos is missing create validator check in github.com/evmos/evmos

CVE-2024-37158
Affects: github.com/evmos/evmos, github.com/evmos/evmos/v2, and 16 more
Published: Jun 28, 2024
Unreviewed

Evmos is missing precompile checks in github.com/evmos/evmos

CVE-2024-36586, GHSA-7jp9-vgmq-c8r5
Affects: github.com/AdguardTeam/AdGuardHome
Published: Jun 28, 2024
Modified: Sep 06, 2024
Unreviewed

AdGuardHome privilege escalation vulnerability in github.com/AdguardTeam/AdGuardHome. NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions. (If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.) The additional affected modules and versions are: .

GHSA-85rg-8m6h-825p
Affects: github.com/k8sgpt-ai/k8sgpt
Published: Jun 20, 2024
Unreviewed

Vulnerabilities with the k8sGPT in github.com/k8sgpt-ai/k8sgpt

CVE-2024-37307, GHSA-wh78-7948-358j
Affects: github.com/cilium/cilium
Published: Jun 20, 2024
Unreviewed

Cilium leaks sensitive information in cilium-bugtool in github.com/cilium/cilium

CVE-2024-5798, GHSA-32cj-5wx4-gq8p
Affects: github.com/hashicorp/vault
Published: Jul 01, 2024
Modified: Jul 09, 2024
Unreviewed

HashiCorp Vault Incorrectly Validated JSON Web Tokens (JWT) Audience Claims in github.com/hashicorp/vault. NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions. (If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.) The additional affected modules and versions are: github.com/hashicorp/vault before v1.15.9.

CVE-2023-49559, GHSA-2hmf-46v7-v6fx
Affects: github.com/vektah/gqlparser, github.com/vektah/gqlparser/v2
Published: Jul 01, 2024

An issue in vektah gqlparser open-source-library allows a remote attacker to cause a denial of service via a crafted script to the parseDirectives function.

CVE-2024-5154, GHSA-j9hf-98c3-wrm8
Affects: github.com/cri-o/cri-o
Published: Jun 14, 2024
Modified: Aug 19, 2024
Unreviewed

malicious container creates symlink "mtab" on the host External in github.com/cri-o/cri-o

CVE-2024-35255, GHSA-m5vv-6r4h-3vj9
Affects: github.com/Azure/azure-sdk-for-go/sdk/azidentity
Published: Jul 01, 2024

Azure Identity Libraries Elevation of Privilege Vulnerability in github.com/Azure/azure-sdk-for-go/sdk/azidentity

GHSA-7jmw-8259-q9jx
Affects: github.com/traefik/traefik, github.com/traefik/traefik/v2, and 1 more
Published: Jun 14, 2024
Unreviewed

Traefik has unexpected behavior with IPv4-mapped IPv6 addresses in github.com/traefik/traefik

CVE-2024-22261, GHSA-vw63-824v-qf2j
Affects: github.com/goharbor/harbor
Published: Jun 14, 2024
Unreviewed

SQL Injection in Harbor scan log API in github.com/goharbor/harbor

CVE-2024-22244, GHSA-5757-v49g-f6r7
Affects: github.com/goharbor/harbor
Published: Jun 14, 2024
Unreviewed

Open Redirect URL in Harbor in github.com/goharbor/harbor

GHSA-xmmx-7jpf-fx42
Affects: github.com/docker/docker, github.com/moby/moby
Published: Jun 14, 2024
Modified: Jul 01, 2024

Moby (Docker Engine) is vulnerable to Ambiguous OCI manifest parsing in github.com/docker/docker

CVE-2021-41089, GHSA-v994-f8vw-g7j4
Affects: github.com/docker/docker, github.com/moby/moby
Published: Jun 14, 2024
Modified: Jul 01, 2024

Unexpected chmod of host files via 'docker cp' in Moby Docker Engine in github.com/docker/docker

CVE-2021-41092, GHSA-99pg-grm5-qq3v
Affects: github.com/docker/cli
Published: Jul 01, 2024
Modified: Jul 19, 2024

Docker CLI leaks private registry credentials to registry-1.docker.io in github.com/docker/cli

GHSA-87m9-rv8p-rgmg
Affects: github.com/mostynb/go-grpc-compression
Published: Jun 14, 2024
Unreviewed

go-grpc-compression has a zstd decompression bombing vulnerability in github.com/mostynb/go-grpc-compression

CVE-2024-5262, GHSA-q5mg-pc7r-r8cr
Affects: github.com/projectdiscovery/interactsh
Published: Jun 14, 2024
Unreviewed

Files or Directories Accessible to External Parties in ProjectDiscovery in github.com/projectdiscovery/interactsh

CVE-2024-5138
Affects: github.com/snapcore/snapd
Published: Jun 14, 2024
Unreviewed

CVE-2024-5138 in github.com/snapcore/snapd

CVE-2024-5037
Affects: github.com/openshift/telemeter
Published: Jun 28, 2024
Modified: Aug 19, 2024
Unreviewed

Openshift/telemeter: iss check during jwt authentication can be bypassed in github.com/openshift/telemeter

CVE-2024-37154, GHSA-7hrh-v6wp-53vw
Affects: github.com/evmos/evmos, github.com/evmos/evmos/v2, and 16 more
Published: Jun 14, 2024
Modified: Jun 28, 2024
Unreviewed

Evmos allows unvested token delegations in github.com/evmos/evmos

CVE-2024-37153, GHSA-xgr7-jgq3-mhmc
Affects: github.com/evmos/evmos, github.com/evmos/evmos/v2, and 16 more
Published: Jun 14, 2024
Modified: Jun 28, 2024
Unreviewed

Contract balance not updating correctly after interchain transaction in github.com/evmos/evmos

CVE-2024-37152, GHSA-87p9-x75h-p4j2
Affects: github.com/argoproj/argo-cd, github.com/argoproj/argo-cd/v2
Published: Jun 14, 2024
Modified: Jun 28, 2024
Unreviewed

Unauthenticated Access to sensitive settings in Argo CD in github.com/argoproj/argo-cd

CVE-2024-37032, GHSA-8hqg-whrw-pv92
Affects: github.com/ollama/ollama
Published: Jun 14, 2024
Modified: Aug 19, 2024
Unreviewed

Ollama does not validate the format of the digest (sha256 with 64 hex digits) in github.com/ollama/ollama

CVE-2024-36129, GHSA-c74f-6mfw-mm4v
Affects: go.opentelemetry.io/collector/config/configgrpc, go.opentelemetry.io/collector/config/confighttp
Published: Jun 14, 2024
Modified: Jul 19, 2024

An unsafe decompression vulnerability allows unauthenticated attackers to crash the collector via excessive memory consumption.

CVE-2024-36127, GHSA-v6mg-7f7p-qmqp
Affects: chainguard.dev/apko
Published: Jun 14, 2024
Unreviewed

apko Exposure of HTTP basic auth credentials in log output in chainguard.dev/apko

CVE-2024-36106, GHSA-3cqf-953p-h5cp
Affects: github.com/argoproj/argo-cd, github.com/argoproj/argo-cd/v2
Published: Jun 28, 2024
Unreviewed

Argo-cd authenticated users can enumerate clusters by name in github.com/argoproj/argo-cd

CVE-2024-32873, GHSA-pxv8-qhrh-jc7v
Affects: github.com/evmos/evmos, github.com/evmos/evmos/v2, and 16 more
Published: Jun 14, 2024
Modified: Aug 19, 2024
Unreviewed

evmos allows transferring unvested tokens after delegations in github.com/evmos/evmos

CVE-2024-24789
Affects: archive/zip
Published: Jun 04, 2024

The archive/zip package's handling of certain types of invalid zip files differs from the behavior of most zip implementations. This misalignment could be exploited to create an zip file with contents that vary depending on the implementation reading the file. The archive/zip package now rejects files containing these errors.

CVE-2024-24790
Affects: net/netip
Published: Jun 04, 2024

The various Is methods (IsPrivate, IsLoopback, etc) did not work as expected for IPv4-mapped IPv6 addresses, returning false for addresses which would return true in their traditional IPv4 forms.

CVE-2024-36107, GHSA-95fr-cm4m-q5p9
Affects: github.com/minio/minio
Published: Jun 05, 2024
Unreviewed

MinIO information disclosure vulnerability in github.com/minio/minio

CVE-2024-35238, GHSA-8fmj-33gw-g7pw
Affects: github.com/stacklok/minder
Published: Jun 05, 2024
Unreviewed

Denial of service of Minder Server from maliciously crafted GitHub attestations in github.com/stacklok/minder

GHSA-mh55-gqvf-xfwm
Affects: github.com/rs/cors
Published: Jul 02, 2024
Modified: Jul 09, 2024

Middleware causes a prohibitive amount of heap allocations when processing malicious preflight requests that include a Access-Control-Request-Headers (ACRH) header whose value contains many commas. This behavior can be abused by attackers to produce undue load on the middleware/server as an attempt to cause a denial of service.

CVE-2024-35232, GHSA-3f65-m234-9mxr
Affects: github.com/huandu/facebook, github.com/huandu/facebook/v2
Published: Jun 05, 2024
Modified: Jun 28, 2024
Unreviewed

github.com/huandu/facebook may expose access_token in error message.

GHSA-f7cq-5v43-8pwp
Affects: github.com/traefik/traefik, github.com/traefik/traefik/v2, and 1 more
Published: Jun 05, 2024
Unreviewed

Traefik vulnerable to GO issue allowing malformed DNS message to cause infinite loop in github.com/traefik/traefik

CVE-2024-35223, GHSA-284c-x8m7-9w5h
Affects: github.com/dapr/dapr
Published: May 24, 2024
Unreviewed

Dapr API Token Exposure in github.com/dapr/dapr

CVE-2024-31989, GHSA-9766-5277-j5hr
Affects: github.com/argoproj/argo-cd, github.com/argoproj/argo-cd/v2
Published: Jun 05, 2024
Unreviewed

ArgoCD Vulnerable to Use of Risky or Missing Cryptographic Algorithms in Redis Cache in github.com/argoproj/argo-cd

CVE-2024-34710
Affects: github.com/requarks/wiki
Published: Jun 05, 2024
Unreviewed

Wiki.js Stored XSS through Client Side Template Injection in github.com/requarks/wiki

GHSA-qjcv-rx3v-7mvj
Affects: github.com/cosmos/ibc-go, github.com/cosmos/ibc-go/v2, and 5 more
Published: May 23, 2024

The ibc-go module is affected by the Inter-Blockchain Communication (IBC) protocol "Huckleberry" vulnerability. The vulnerability allowed an attacker to send arbitrary transactions onto target chains and trigger arbitrary state transitions, including but not limited to, theft of funds. It was possible to exploit this vulnerability in specific situations involving relaying packets in which the source chain is also the final destination chain. Affected networks are those that allow for fee grant capabilities and use a native Relayer (e.g., Osmosis and Juno).

GHSA-2j6r-9vv4-6gf5
Affects: github.com/bincyber/go-sqlcrypter
Published: Jun 05, 2024
Unreviewed

github.com/bincyber/go-sqlcrypter vulnerable to IV collision

CVE-2024-35194, GHSA-crgc-2583-rw27
Affects: github.com/stacklok/minder
Published: Jun 05, 2024
Unreviewed

Stacklok Minder vulnerable to denial of service from maliciously crafted templates in github.com/stacklok/minder

CVE-2024-35192, GHSA-xcq4-m2r3-cmrj
Affects: github.com/aquasecurity/trivy
Published: May 22, 2024

A malicious registry can cause Trivy to leak credentials for legitimate registries such as AWS Elastic Container Registry (ECR), Google Cloud Artifact/Container Registry, or Azure Container Registry (ACR) if the registry is scanned from directly using Trivy. These tokens can then be used to push/pull images from those registries to which the identity/user running Trivy has access. This vulnerability only applies when scanning container images directly from a registry. If you use Docker, containerd or other runtime to pull images locally and scan them with Trivy, you are not affected. To enforce this behavior, you can use the --image-src flag to select which sources you trust.

CVE-2022-39324, GHSA-4724-7jwc-3fpw
Affects: github.com/grafana/grafana
Published: Jun 05, 2024
Modified: Jul 09, 2024
Unreviewed

Grafana Spoofing originalUrl of snapshots in github.com/grafana/grafana. NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions. (If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.) The additional affected modules and versions are: github.com/grafana/grafana before v8.5.16, from v9.0.0 before v9.2.8.

CVE-2024-5042, GHSA-2rhx-qhxp-5jpw
Affects: github.com/submariner-io/submariner-operator
Published: Jun 05, 2024
Modified: Aug 19, 2024
Unreviewed

Submariner Operator sets unnecessary RBAC permissions in helm charts in github.com/submariner-io/submariner-operator

CVE-2023-40297, GHSA-x8xm-wrjq-5g54
Affects: github.com/stakater/Forecastle
Published: Jun 05, 2024
Unreviewed

Stakater Forecastle has a directory traversal vulnerability in github.com/stakater/Forecastle

CVE-2024-35185, GHSA-fjw8-3gp8-4cvx
Affects: github.com/stacklok/minder
Published: May 20, 2024
Unreviewed

Denial of service of Minder Server with attacker-controlled REST endpoint in github.com/stacklok/minder

CVE-2024-35183, GHSA-8fg7-hp93-qhvr
Affects: github.com/wolfi-dev/wolfictl
Published: Jun 04, 2024
Unreviewed

wolfictl leaks GitHub tokens to remote non-GitHub git servers in github.com/wolfi-dev/wolfictl

CVE-2024-3744, GHSA-qjqg-4wg7-957h
Affects: sigs.k8s.io/azurefile-csi-driver
Published: Jun 04, 2024
Modified: Jun 28, 2024
Unreviewed

azure-file-csi-driver leaks service account tokens in the logs in sigs.k8s.io/azurefile-csi-driver

GHSA-f6mm-5fc7-3g3c
Affects: github.com/goreleaser/goreleaser
Published: Jun 04, 2024
Unreviewed

goreleaser shows environment by default in github.com/goreleaser/goreleaser

CVE-2024-31216, GHSA-v554-xwgw-hc3w
Affects: github.com/fluxcd/source-controller
Published: Jun 04, 2024
Unreviewed

source-controller leaks Azure Storage SAS token into logs in github.com/fluxcd/source-controller

CVE-2022-39201, GHSA-x744-mm8v-vpgr
Affects: github.com/grafana/grafana
Published: Jun 10, 2024
Modified: Jul 09, 2024
Unreviewed

Grafana Data source and plugin proxy endpoints could leak the authentication cookie to some destination plugins in github.com/grafana/grafana. NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions. (If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.) The additional affected modules and versions are: github.com/grafana/grafana before v8.5.14, from v9.0.0 before v9.1.8.

CVE-2022-31097, GHSA-vw7q-p2qg-4m5f
Affects: github.com/grafana/grafana
Published: Jun 05, 2024
Modified: Jul 09, 2024
Unreviewed

Grafana Stored Cross-site Scripting in Unified Alerting in github.com/grafana/grafana. NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions. (If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.) The additional affected modules and versions are: github.com/grafana/grafana from v8.0.0 before v8.3.10, from v8.4.0 before v8.4.10, from v8.5.0 before v8.5.9, from v9.0.0 before v9.0.3.

CVE-2022-39328, GHSA-vqc4-mpj8-jxch
Affects: github.com/grafana/grafana
Published: Jun 05, 2024
Modified: Jul 09, 2024
Unreviewed

Grafana Race condition allowing privilege escalation in github.com/grafana/grafana. NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions. (If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.) The additional affected modules and versions are: github.com/grafana/grafana from v9.2.0 before v9.2.4.

CVE-2022-31123, GHSA-rhxj-gh46-jvw8
Affects: github.com/grafana/grafana
Published: Jun 05, 2024
Modified: Jul 09, 2024
Unreviewed

Grafana Plugin signature bypass in github.com/grafana/grafana. NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions. (If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.) The additional affected modules and versions are: github.com/grafana/grafana from v7.0.0 before v8.5.14, from v9.0.0 before v9.1.8.

CVE-2022-36062, GHSA-p978-56hq-r492
Affects: github.com/grafana/grafana
Published: Jun 05, 2024
Modified: Jul 09, 2024
Unreviewed

Grafana folders admin only permission privilege escalation in github.com/grafana/grafana. NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions. (If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.) The additional affected modules and versions are: github.com/grafana/grafana from v8.5.0 before v8.5.13, from v9.0.0 before v9.0.9, from v9.1.0 before v9.1.6.

CVE-2024-35175, GHSA-4w53-6jvp-gg52
Affects: github.com/tg123/sshpiper
Published: Jun 04, 2024
Unreviewed

sshpiper's enabling of proxy protocol without proper feature flagging allows faking source address in github.com/tg123/sshpiper

CVE-2022-31107, GHSA-mx47-6497-3fv2
Affects: github.com/grafana/grafana
Published: Jun 05, 2024
Modified: Jul 09, 2024
Unreviewed

Grafana account takeover via OAuth vulnerability in github.com/grafana/grafana. NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions. (If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.) The additional affected modules and versions are: github.com/grafana/grafana from v5.3.0 before v8.3.10, from v8.4.0 before v8.4.10, from v8.5.0 before v8.5.9, from v9.0.0 before v9.0.3.

CVE-2022-31130, GHSA-jv32-5578-pxjc
Affects: github.com/grafana/grafana
Published: Jun 05, 2024
Modified: Jul 09, 2024
Unreviewed

Grafana Data source and plugin proxy endpoints leaking authentication tokens to some destination plugins in github.com/grafana/grafana. NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions. (If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.) The additional affected modules and versions are: github.com/grafana/grafana from v7.0.0 before v8.5.14, from v9.0.0 before v9.1.8.

CVE-2021-32026, GHSA-jj54-5q2m-q7pj
Affects: github.com/nats-io/nats-server, github.com/nats-io/nats-server/v2
Published: Jun 05, 2024
Modified: Jun 28, 2024
Unreviewed

NATS server TLS missing ciphersuite settings when CLI flags used in github.com/nats-io/nats-server

CVE-2020-26312, GHSA-hf54-fq2m-p9v6
Affects: github.com/dotmesh-io/dotmesh
Published: Jun 05, 2024
Unreviewed

dotmesh arbitrary file read and/or write in github.com/dotmesh-io/dotmesh

CVE-2022-39229, GHSA-gj7m-853r-289r
Affects: github.com/grafana/grafana
Published: Jun 05, 2024
Modified: Jul 09, 2024
Unreviewed

Grafana when using email as a username can block other users from signing in in github.com/grafana/grafana. NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions. (If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.) The additional affected modules and versions are: github.com/grafana/grafana before v8.5.14, from v9.0.0 before v9.1.8.

CVE-2022-35957, GHSA-ff5c-938w-8c9q
Affects: github.com/grafana/grafana
Published: Jun 05, 2024
Modified: Jul 09, 2024
Unreviewed

Grafana Escalation from admin to server admin when auth proxy is used in github.com/grafana/grafana. NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions. (If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.) The additional affected modules and versions are: github.com/grafana/grafana before v8.5.13, from v9.0.0 before v9.0.9, from v9.1.0 before v9.1.6.

GHSA-c9cp-9c75-9v8c
Affects: github.com/containerd/containerd
Published: Jun 04, 2024
Modified: Jul 01, 2024

Containers started with non-empty inheritable Linux process capabilities in github.com/containerd/containerd

CVE-2022-39307, GHSA-3p62-42x7-gxg5
Affects: github.com/grafana/grafana
Published: Jun 05, 2024
Modified: Jul 09, 2024
Unreviewed

Grafana User enumeration via forget password in github.com/grafana/grafana. NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions. (If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.) The additional affected modules and versions are: github.com/grafana/grafana before v8.5.15, from v9.0.0 before v9.2.4.

CVE-2022-39306, GHSA-2x6g-h2hg-rq84
Affects: github.com/grafana/grafana
Published: Jun 05, 2024
Modified: Jul 09, 2024
Unreviewed

Grafana Email addresses and usernames can not be trusted in github.com/grafana/grafana. NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions. (If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.) The additional affected modules and versions are: github.com/grafana/grafana from v8.0.0 before v8.5.15, from v9.0.0 before v9.2.4.

CVE-2024-3727, GHSA-6wvf-f2vw-3425
Affects: github.com/containers/image/v5
Published: May 20, 2024

An attacker may trigger unexpected authenticated registry accesses on behalf of a victim user, causing resource exhaustion, local path traversal, and other attacks.

CVE-2024-34713, GHSA-jmqp-37m5-49wh
Affects: github.com/cea-hpc/sshproxy
Published: Jun 04, 2024
Unreviewed

sshproxy vulnerable to SSH option injection in github.com/cea-hpc/sshproxy

CVE-2024-34079, GHSA-75r6-6jg8-pfcq
Affects: github.com/octo-sts/app
Published: May 13, 2024
Modified: Jul 02, 2024

Excessively large requests can be processed, consuming a large amount of resources. This could potentially lead to a denial of service.

CVE-2024-34360, GHSA-jcqq-g64v-gcm7
Affects: github.com/spacemeshos/api/release/go, github.com/spacemeshos/go-spacemesh
Published: May 14, 2024
Modified: May 20, 2024

Nodes can publish ATXs which reference the incorrect previous ATX of the Smesher that created the ATX. ATXs are expected to form a single chain from the newest to the first ATX ever published by an identity. Allowing Smeshers to reference an earlier (but not the latest) ATX as previous breaks this protocol rule.

CVE-2024-34352, GHSA-f8ch-w75v-c847
Affects: github.com/1Panel-dev/1Panel
Published: May 14, 2024
Modified: May 20, 2024

A maliciously crafted packet can write to an arbitrary file.

CVE-2024-32886, GHSA-649x-hxfx-57j2
Affects: vitess.io/vitess
Published: May 10, 2024
Modified: Jul 09, 2024

When executing a query, the vtgate will go into an endless loop that also keeps consuming memory and eventually will OOM. This causes a denial of service.

CVE-2024-24787
Affects: cmd/go
Published: May 08, 2024
Modified: May 20, 2024

On Darwin, building a Go module which contains CGO can trigger arbitrary code execution when using the Apple version of ld, due to usage of the -lto_library flag in a "#cgo LDFLAGS" directive.

CVE-2024-24788
Affects: net
Published: May 07, 2024
Modified: May 20, 2024

A malformed DNS message in response to a query can cause the Lookup functions to get stuck in an infinite loop.

CVE-2024-30850, CVE-2024-33434, and 2 more
Affects: github.com/tiagorlampert/CHAOS
Published: May 09, 2024
Modified: May 20, 2024

A remote attacker can execute arbitrary commands via crafted HTTP requests.

CVE-2024-34084, GHSA-9c5w-9q3f-3hv7
Affects: github.com/stacklok/minder
Published: May 10, 2024
Modified: May 20, 2024

HandleGithubWebhook is susceptible to a denial of service attack from an untrusted HTTP request. An untrusted request can cause the server to allocate large amounts of memory resulting in a denial of service.

CVE-2024-32972, GHSA-4xc9-8hmq-j652
Affects: github.com/ethereum/go-ethereum
Published: May 08, 2024
Modified: May 20, 2024

A vulnerable node can be made to consume very large amounts of memory when handling specially crafted p2p messages sent from an attacker node. This can result in a denial of service as the node runs out of memory.

CVE-2024-34478, GHSA-3jgf-r68h-xfqm
Affects: github.com/btcsuite/btcd
Published: May 08, 2024
Modified: May 20, 2024

Incorrect implementation of the consensus rules outlined in BIP 68 and BIP 112 making btcd susceptible to consensus failures. Specifically, it uses the transaction version as a signed integer when it is supposed to be treated as unsigned. There can be a chain split and loss of funds.

CVE-2024-33396, GHSA-wccg-v638-j9q2
Affects: github.com/karmada-io/karmada
Published: Jun 05, 2024
Unreviewed

karmada vulnerable to arbitrary code execution via a crafted command in github.com/karmada-io/karmada

CVE-2024-33394, GHSA-4q63-mr2m-57hf
Affects: kubevirt.io/kubevirt
Published: Jun 05, 2024
Unreviewed

kubevirt allows a local attacker to execute arbitrary code via a crafted command in kubevirt.io/kubevirt

CVE-2024-34068, GHSA-qq22-jj8x-4wwv
Affects: github.com/pterodactyl/wings
Published: Jun 10, 2024
Modified: Aug 19, 2024
Unreviewed

Pterodactyl Wings vulnerable to Server-Side Request Forgery during remote file pull in github.com/pterodactyl/wings

CVE-2024-34066, GHSA-gqmf-jqgv-v8fw
Affects: github.com/pterodactyl/wings
Published: Jun 04, 2024
Unreviewed

Pterodactyl Wings vulnerable to Arbitrary File Write/Read in github.com/pterodactyl/wings

GHSA-vhxv-fg4m-p2w8
Affects: github.com/jub0bs/cors
Published: May 21, 2024

Some CORS middleware (more specifically those created by specifying two or more origin patterns whose hosts share a proper suffix) incorrectly allow some untrusted origins, thereby opening the door to cross-origin attacks from the untrusted origins in question. For example, specifying origin patterns "https://foo.com" and "https://bar.com" (in that order) would yield a middleware that would incorrectly allow untrusted origin "https://barfoo.com".

GHSA-v84h-653v-4pq9
Affects: github.com/jub0bs/fcors
Published: May 21, 2024

Some CORS middleware (more specifically those created by specifying two or more origin patterns whose hosts share a proper suffix) incorrectly allow some untrusted origins, thereby opening the door to cross-origin attacks from the untrusted origins in question. For example, specifying origin patterns "https://foo.com" and "https://bar.com" (in that order) would yield a middleware that would incorrectly allow untrusted origin "https://barfoo.com".

CVE-2024-33398, GHSA-6fg2-hvj9-832f
Affects: github.com/piraeusdatastore/piraeus-operator, github.com/piraeusdatastore/piraeus-operator/v2
Published: Jun 05, 2024
Modified: Jun 28, 2024
Unreviewed

piraeus-operator allows attacker to impersonate service account in github.com/piraeusdatastore/piraeus-operator

CVE-2024-32359
Affects: github.com/carina-io/carina
Published: Jun 05, 2024
Unreviewed

CVE-2024-32359 in github.com/carina-io/carina

CVE-2024-4128
Affects: github.com/firebase/firebase-tools
Published: Jun 05, 2024
Unreviewed

CSRF in firebase-tools emulator suite in github.com/firebase/firebase-tools

CVE-2024-32967, GHSA-q5qj-x2h5-3945
Affects: github.com/zitadel/zitadel
Published: Jun 05, 2024
Modified: Jul 09, 2024
Unreviewed

Zitadel exposing internal database user name and host information in github.com/zitadel/zitadel. NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions. (If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.) The additional affected modules and versions are: github.com/zitadel/zitadel before v2.45.7, from v2.47.0 before v2.47.10, from v2.48.0 before v2.48.5, from v2.49.0 before v2.49.5, from v2.50.0 before v2.50.3.

CVE-2024-32963, GHSA-4jrx-5w4h-3gpm
Affects: github.com/navidrome/navidrome
Published: Jun 04, 2024
Unreviewed

Navidrome Parameter Tampering vulnerability in github.com/navidrome/navidrome

CVE-2024-33522, GHSA-6362-gv4m-53ww
Affects: github.com/projectcalico/calico, github.com/projectcalico/calico/v3
Published: Jun 10, 2024
Modified: Aug 19, 2024
Unreviewed

Calico privilege escalation vulnerability in github.com/projectcalico/calico. NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions. (If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.) The additional affected modules and versions are: github.com/projectcalico/calico/v3 before v3.26.5, from v3.27.0 before v3.27.3.

CVE-2024-3817, GHSA-q64h-39hv-4cf7
Affects: github.com/hashicorp/go-getter
Published: May 10, 2024
Modified: May 20, 2024

When go-getter is performing a Git operation, go-getter will try to clone the given repository. If a Git reference is not passed along with the Git url, go-getter will then try to check the remote repository's HEAD reference of its default branch by passing arguments to the Git binary on the host it is executing on. An attacker may format a Git URL in order to inject additional Git arguments to the Git call.

CVE-2024-32883
Affects: github.com/mcu-tools/mcuboot
Published: Jun 05, 2024
Unreviewed

MCUboot Injection attack of unprotected TLV values in github.com/mcu-tools/mcuboot

CVE-2024-4183, GHSA-wj37-mpq9-xrcm
Affects: github.com/mattermost/mattermost-server
Published: Jun 05, 2024
Unreviewed

Mattermost fails to limit the number of active sessions in github.com/mattermost/mattermost-server

CVE-2024-32046, GHSA-vx97-8q8q-qgq5
Affects: github.com/mattermost/mattermost-server
Published: Jun 05, 2024
Unreviewed

Mattermost's detailed error messages reveal the full file path in github.com/mattermost/mattermost-server

CVE-2024-22091, GHSA-p2wq-4ggp-45f3
Affects: github.com/mattermost/mattermost-server
Published: Jun 05, 2024
Unreviewed

Mattermost fails to limit the size of a request path in github.com/mattermost/mattermost-server

CVE-2024-4182, GHSA-8f99-g2pj-x8w3
Affects: github.com/mattermost/mattermost-server
Published: Jun 05, 2024
Unreviewed

Mattermost crashes web clients via a malformed custom status in github.com/mattermost/mattermost-server

CVE-2024-4198, GHSA-5qx9-9ffj-5r8f
Affects: github.com/mattermost/mattermost-server
Published: Jun 05, 2024
Unreviewed

Mattermost fails to fully validate role changes in github.com/mattermost/mattermost-server

CVE-2024-4195, GHSA-5fh7-7mw7-mmx5
Affects: github.com/mattermost/mattermost-server
Published: Jun 05, 2024
Unreviewed

Mattermost allows team admins to promote guests to team admins in github.com/mattermost/mattermost-server

CVE-2024-32476, GHSA-9m6p-x4h2-6frq
Affects: github.com/argoproj/argo-cd, github.com/argoproj/argo-cd/v2
Published: Jun 04, 2024
Modified: Jun 28, 2024
Unreviewed

Argo CD vulnerable to a Denial of Service via malicious jqPathExpressions in ignoreDifferences in github.com/argoproj/argo-cd

CVE-2024-3154, GHSA-2cgq-h8xw-2v5j
Affects: github.com/cri-o/cri-o
Published: Jun 04, 2024
Unreviewed

CRI-O vulnerable to an arbitrary systemd property injection in github.com/cri-o/cri-o

CVE-2024-1139, GHSA-x5m7-63c6-fx79
Affects: github.com/openshift/cluster-monitoring-operator
Published: Jun 05, 2024
Unreviewed

Cluster Monitoring Operator contains a credentials leak in github.com/openshift/cluster-monitoring-operator

CVE-2024-32868, GHSA-7j7j-66cv-m239
Affects: github.com/zitadel/zitadel
Published: Jun 05, 2024
Modified: Jul 09, 2024
Unreviewed

ZITADEL's Improper Lockout Mechanism Leads to MFA Bypass in github.com/zitadel/zitadel. NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions. (If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.) The additional affected modules and versions are: github.com/zitadel/zitadel before v2.50.0.

CVE-2024-0874, GHSA-m9w6-wp3h-vq8g
Affects: github.com/coredns/coredns
Published: Jun 04, 2024
Modified: Jul 01, 2024

A flaw was found in coredns. This issue could lead to invalid cache entries returning due to incorrectly implemented caching.

CVE-2019-11202, GHSA-xh8x-j8h3-m5ph
Affects: github.com/rancher/rancher
Published: Jun 10, 2024
Modified: Aug 21, 2024
Unreviewed

Rancher Recreates Default User With Known Password Despite Deletion in github.com/rancher/rancher

CVE-2022-3800, GHSA-rwcf-gq22-ph83
Affects: github.com/IBAX-io/go-ibax
Published: Jun 05, 2024
Unreviewed

IBAX go-ibax vulnerable to SQL injection in github.com/IBAX-io/go-ibax

CVE-2019-11245, GHSA-r76g-g87f-vw8f
Affects: k8s.io/kubernetes
Published: Jun 10, 2024
Unreviewed

Kubelet Incorrect Privilege Assignment in k8s.io/kubernetes

CVE-2020-10937, GHSA-r23h-3jmw-q7hr
Affects: github.com/ipfs/go-ipfs
Published: Jun 04, 2024
Unreviewed

Access Restriction Bypass in go-ipfs in github.com/ipfs/go-ipfs

CVE-2021-31999, GHSA-pvxj-25m6-7vqr
Affects: github.com/rancher/rancher
Published: Jun 10, 2024
Modified: Jul 09, 2024
Unreviewed

Rancher Privilege escalation vulnerability via malicious "Connection" header in github.com/rancher/rancher. NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions. (If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.) The additional affected modules and versions are: github.com/rancher/rancher before v2.4.16, from v2.5.0 before v2.5.9.

CVE-2022-3798, GHSA-mgqh-3qm7-gx82
Affects: github.com/IBAX-io/go-ibax
Published: Jun 05, 2024
Unreviewed

IBAX go-ibax vulnerable to SQL injection in github.com/IBAX-io/go-ibax

CVE-2021-43350, GHSA-mg2c-rc36-p594
Affects: github.com/apache/trafficcontrol
Published: Jun 10, 2024
Unreviewed

Apache Traffic Control Traffic Ops Vulnerable to LDAP Injection in github.com/apache/trafficcontrol

CVE-2022-3801, GHSA-m738-584h-26p6
Affects: github.com/IBAX-io/go-ibax
Published: Jun 05, 2024
Unreviewed

IBAX go-ibax vulnerable to SQL injection in github.com/IBAX-io/go-ibax

CVE-2021-36776, GHSA-gvh9-xgrq-r8hw
Affects: github.com/rancher/rancher
Published: Jun 05, 2024
Modified: Jul 09, 2024
Unreviewed

Rancher's Steve API Component Improper authorization check allows privilege escalation in github.com/rancher/rancher. NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions. (If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.) The additional affected modules and versions are: github.com/rancher/rancher from v2.5.0 before v2.5.10.

CVE-2022-3802, GHSA-g23g-mw97-65c8
Affects: github.com/IBAX-io/go-ibax
Published: Jun 05, 2024
Unreviewed

IBAX go-ibax vulnerable to SQL injection in github.com/IBAX-io/go-ibax

CVE-2022-38183, GHSA-fhv8-m4j4-cww2
Affects: code.gitea.io/gitea
Published: Jun 10, 2024
Modified: Aug 19, 2024
Unreviewed

Gitea allowed assignment of private issues in code.gitea.io/gitea

CVE-2021-25318, GHSA-f9xf-jq4j-vqw4
Affects: github.com/rancher/rancher
Published: Jun 10, 2024
Modified: Jul 09, 2024
Unreviewed

Rancher does not properly specify ApiGroup when creating Kubernetes RBAC resources in github.com/rancher/rancher. NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions. (If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.) The additional affected modules and versions are: github.com/rancher/rancher before v2.4.16, from v2.5.0 before v2.5.9.

CVE-2020-14370, GHSA-c3wv-qmjj-45r6
Affects: github.com/containers/libpod, github.com/containers/libpod/v2
Published: Jun 04, 2024
Modified: Jun 28, 2024
Unreviewed

Information disclosure in podman in github.com/containers/libpod

CVE-2020-1701, GHSA-849r-8wvp-4wwg
Affects: kubevirt.io/kubevirt
Published: Jun 04, 2024
Unreviewed

Permissions bypass in KubeVirt in kubevirt.io/kubevirt

CVE-2019-6287, GHSA-6r7x-4q7g-h83j
Affects: github.com/rancher/rancher
Published: Jun 05, 2024
Unreviewed

Rancher Project Members Have Continued Access to Namespaces After Being Removed From Them in github.com/rancher/rancher

CVE-2017-15103, GHSA-6g56-v9qg-jp92
Affects: github.com/heketi/heketi
Published: Jun 04, 2024
Unreviewed

Heketi Arbitrary Code Execution in github.com/heketi/heketi

CVE-2019-12303, GHSA-53pj-67m4-9w98
Affects: github.com/rancher/rancher
Published: Jun 05, 2024
Unreviewed

Rancher code injection via fluentd config commands in github.com/rancher/rancher

CVE-2019-11881, GHSA-2p4g-jrmx-r34m
Affects: github.com/rancher/rancher
Published: Jun 05, 2024
Unreviewed

Rancher Login Parameter Can Be Edited in github.com/rancher/rancher

CVE-2021-36775, GHSA-28g7-896h-695v
Affects: github.com/rancher/rancher
Published: Jun 05, 2024
Modified: Jul 09, 2024
Unreviewed

Rancher's Failure to delete orphaned role bindings does not revoke project level access from group based authentication in github.com/rancher/rancher. NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions. (If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.) The additional affected modules and versions are: github.com/rancher/rancher before v2.4.18, from v2.5.0 before v2.5.12, from v2.6.0 before v2.6.3.

CVE-2022-3799, GHSA-fcgf-j8cf-h2rm
Affects: github.com/IBAX-io/go-ibax
Published: Jun 05, 2024
Unreviewed

IBAX go-ibax vulnerable to SQL injection in github.com/IBAX-io/go-ibax

CVE-2021-3382, GHSA-9f8c-pfvv-p4gm
Affects: code.gitea.io/gitea
Published: Jun 04, 2024
Unreviewed

Buffer Overflow in gitea in code.gitea.io/gitea

CVE-2020-14316, GHSA-828r-r2c8-rfw3
Affects: kubevirt.io/kubevirt
Published: Jun 04, 2024
Unreviewed

Privilege Escalation in kubevirt in kubevirt.io/kubevirt

CVE-2020-8563, GHSA-5xfg-wv98-264m
Affects: k8s.io/kubernetes
Published: Jun 05, 2024
Unreviewed

Sensitive Information leak via Log File in Kubernetes in k8s.io/kubernetes

CVE-2020-8566, GHSA-5x96-j797-5qqw
Affects: k8s.io/kubernetes
Published: Jun 04, 2024
Unreviewed

Sensitive Information leak via Log File in Kubernetes in k8s.io/kubernetes

CVE-2020-8557, GHSA-55qj-gj3x-jq9r
Affects: k8s.io/kubernetes
Published: Jun 10, 2024
Unreviewed

Denial of service in Kubernetes in k8s.io/kubernetes

CVE-2022-1058, GHSA-4rqq-rxvc-v2rc
Affects: code.gitea.io/gitea
Published: Jun 04, 2024
Unreviewed

Gitea Open Redirect in code.gitea.io/gitea

CVE-2020-8567, GHSA-2v35-wj4r-rcmv
Affects: github.com/Azure/secrets-store-csi-driver-provider-azure, github.com/GoogleCloudPlatform/secrets-store-csi-driver-provider-gcp, and 1 more
Published: Jun 05, 2024
Modified: Sep 06, 2024
Unreviewed

Kubernetes Secrets Store CSI Driver plugins arbitrary file write in github.com/Azure/secrets-store-csi-driver-provider-azure. NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions. (If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.) The additional affected modules and versions are: github.com/Azure/secrets-store-csi-driver-provider-azure before v0.0.10; github.com/hashicorp/vault-csi-provider before v0.0.6.

CVE-2020-8559, GHSA-33c5-9fx5-fvjm
Affects: k8s.io/apimachinery, k8s.io/kubernetes
Published: May 20, 2024

The Kubernetes kube-apiserver is vulnerable to an unvalidated redirect on proxied upgrade requests that could allow an attacker to escalate privileges from a node compromise to a full cluster compromise.

CVE-2024-32875, GHSA-ppf8-hhpp-f5hj
Affects: github.com/gohugoio/hugo
Published: Jun 04, 2024
Modified: Jul 19, 2024

Hugo Markdown titles are not escaped in internal render hooks in github.com/gohugoio/hugo

CVE-2024-3177, GHSA-pxhw-596r-rwq5
Affects: k8s.io/kubernetes
Published: Jun 04, 2024
Modified: Jul 01, 2024

Kubernetes allows bypassing mountable secrets policy imposed by the ServiceAccount admission plugin in k8s.io/kubernetes

GHSA-x883-2vmg-xwf7
Affects: github.com/authelia/authelia/v4
Published: Apr 26, 2024
Modified: May 20, 2024

If the file authentication backend is being used, the ewatch option is set to true, the refresh interval is configured to a non-disabled value, and an administrator changes a user's groups, then that user may be able to access resources that their previous groups had access to.

CVE-2024-29217, GHSA-cvqr-mwh6-2vc6
Affects: github.com/apache/incubator-answer
Published: Apr 26, 2024
Modified: May 20, 2024

XSS vulnerability via personal website in github.com/apache/incubator-answer

CVE-2024-31450, GHSA-9355-27m8-h74v
Affects: github.com/owncast/owncast
Published: Jun 04, 2024
Modified: Aug 19, 2024
Unreviewed

Owncast Path Traversal vulnerability in github.com/owncast/owncast

CVE-2024-32473, GHSA-x84c-p2g9-rqv9
Affects: github.com/docker/docker
Published: Jun 05, 2024
Unreviewed

IPv6 enabled on IPv4-only network interfaces in github.com/docker/docker

CVE-2024-30257, GHSA-6m9h-2pr2-9j8f
Affects: github.com/1Panel-dev/1Panel
Published: Jun 05, 2024
Modified: Jul 09, 2024
Unreviewed

1Panel's password verification is suspected to have a timing attack vulnerability in github.com/1Panel-dev/1Panel. NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions. (If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.) The additional affected modules and versions are: github.com/1Panel-dev/1Panel before v1.10.3.

GHSA-v6rw-hhgg-wc4x
Affects: github.com/evmos/evmos, github.com/evmos/evmos/v2, and 10 more
Published: Jun 05, 2024
Modified: Jun 28, 2024
Unreviewed

Evmos vulnerable to DOS and transaction fee expropriation through Authz exploit in github.com/evmos/evmos

GHSA-m99c-q26r-m7m7
Affects: github.com/evmos/evmos, github.com/evmos/evmos/v2, and 11 more
Published: Jun 10, 2024
Modified: Jun 28, 2024
Unreviewed

Evmos vulnerable to unauthorized account creation with vesting module in github.com/evmos/evmos

Affects: github.com/gorilla/sessions
Published: Apr 17, 2024
Modified: May 20, 2024
Withdrawn: Apr 17, 2024

(withdrawn)

CVE-2024-31452, GHSA-8cph-m685-6v6r
Affects: github.com/openfga/openfga
Published: Jun 04, 2024
Unreviewed

OpenFGA Authorization Bypass in github.com/openfga/openfga

CVE-2024-31990, GHSA-2gvw-w6fj-7m3c
Affects: github.com/argoproj/argo-cd, github.com/argoproj/argo-cd/v2
Published: Jun 04, 2024
Modified: Jun 28, 2024
Unreviewed

Argo CD's API server does not enforce project sourceNamespaces in github.com/argoproj/argo-cd

GHSA-g8fc-vrcg-8vjg
Affects: github.com/edgelesssys/constellation, github.com/edgelesssys/constellation/v2
Published: Jun 04, 2024
Modified: Jun 28, 2024
Unreviewed

Constellation has pods exposed to peers in VPC in github.com/edgelesssys/constellation

GHSA-7f4j-64p6-5h5v
Affects: github.com/traefik/traefik, github.com/traefik/traefik/v2, and 1 more
Published: Jun 05, 2024
Modified: Jun 28, 2024
Unreviewed

Traefik affected by HTTP/2 CONTINUATION flood in net/http in github.com/traefik/traefik

CVE-2024-31391, GHSA-g9qx-25vj-rf53
Affects: github.com/apache/solr-operator
Published: Jun 04, 2024
Unreviewed

Apache Solr Operator liveness and readiness probes may leak basic auth credentials in github.com/apache/solr-operator

CVE-2024-28869, GHSA-4vwx-54mw-vqfw
Affects: github.com/traefik/traefik, github.com/traefik/traefik/v2, and 1 more
Published: Jun 05, 2024
Unreviewed

Traefik vulnerable to denial of service with Content-length header in github.com/traefik/traefik

CVE-2024-31839, GHSA-c5rv-hjjc-jv7m
Affects: github.com/tiagorlampert/CHAOS
Published: May 09, 2024
Modified: May 20, 2024

A malicious actor may be able to extract a JWT token via malicious "/command" request. This is a form of cross site scripting (XSS).

CVE-2024-29903, GHSA-95pr-fxf5-86gv
Affects: github.com/sigstore/cosign, github.com/sigstore/cosign/v2
Published: Jun 05, 2024
Unreviewed

Cosign malicious artifacts can cause machine-wide DoS in github.com/sigstore/cosign

CVE-2024-29902, GHSA-88jx-383q-w4qc
Affects: github.com/sigstore/cosign, github.com/sigstore/cosign/v2
Published: Jun 05, 2024
Unreviewed

Cosign malicious attachments can cause system-wide denial of service in github.com/sigstore/cosign

CVE-2024-2029, GHSA-wx43-g55g-2jf4
Affects: github.com/go-skynet/LocalAI
Published: Jun 05, 2024
Modified: Jul 09, 2024
Unreviewed

LocalAI Command Injection in audioToWav in github.com/go-skynet/LocalAI. NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions. (If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.) The additional affected modules and versions are: github.com/go-skynet/LocalAI before v2.10.0.

CVE-2024-32001, GHSA-j85q-46hg-36p2
Affects: github.com/authzed/spicedb
Published: Jun 04, 2024
Unreviewed

SpiceDB: LookupSubjects may return partial results if a specific kind of relation is used in github.com/authzed/spicedb

CVE-2024-32644, GHSA-3fp5-2xwh-fxm6
Affects: github.com/evmos/evmos, github.com/evmos/evmos/v2, and 20 more
Published: Jun 05, 2024
Modified: Jun 28, 2024
Unreviewed

Evmos transaction execution not accounting for all state transition after interaction with precompiles in github.com/evmos/evmos

CVE-2024-21848, GHSA-xp9j-8p68-9q93
Affects: github.com/mattermost/mattermost-server, github.com/mattermost/mattermost-server/v5, and 2 more
Published: Jun 05, 2024
Modified: Jul 09, 2024
Unreviewed

Mattermost Server Improper Access Control in github.com/mattermost/mattermost-server. NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions. (If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.) The additional affected modules and versions are: github.com/mattermost/mattermost/server/v8 before v8.1.11.

CVE-2024-29221, GHSA-w67v-ph4x-f48q
Affects: github.com/mattermost/mattermost-server, github.com/mattermost/mattermost-server/v5, and 2 more
Published: Jun 05, 2024
Modified: Jul 09, 2024
Unreviewed

Mattermost Server Improper Access Control in github.com/mattermost/mattermost-server. NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions. (If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.) The additional affected modules and versions are: github.com/mattermost/mattermost/server/v8 from v8.1.0 before v8.1.11.

CVE-2024-3135, GHSA-jhvf-7c85-3c9g
Affects: github.com/go-skynet/LocalAI
Published: Jun 05, 2024
Unreviewed

LocalAI cross-site request forgery vulnerability in github.com/go-skynet/LocalAI

CVE-2023-3518, GHSA-9rhf-q362-77mx
Affects: github.com/hashicorp/consul
Published: Jun 04, 2024
Unreviewed

Consul JWT Auth in L7 Intentions Allow for Mismatched Service Identity and JWT Providers in github.com/hashicorp/consul

GHSA-j5vm-7qcc-2wwg
Affects: github.com/kopia/kopia
Published: Jun 04, 2024
Unreviewed

Kopia: Storage connection credentials written to console on "repository status" CLI command with JSON output in github.com/kopia/kopia

CVE-2024-31457, GHSA-gv3w-m57p-3wc4
Affects: github.com/flipped-aurora/gin-vue-admin/server
Published: May 20, 2024

Gin-vue-admin has a code injection vulnerability in the backend. In the Plugin System -> Plugin Template feature, an attacker can perform directory traversal by manipulating the 'plugName' parameter. They can create specific folders such as 'api', 'config', 'global', 'model', 'router', 'service', and 'main.go' function within the specified traversal directory. Moreover, the Go files within these folders can have arbitrary code inserted based on a specific PoC parameter.

CVE-2024-31455, GHSA-ggp5-28x4-xcj9
Affects: github.com/stacklok/minder
Published: Jun 04, 2024
Unreviewed

Minder GetRepositoryByName data leak in github.com/stacklok/minder

CVE-2024-28224, GHSA-5jx5-hqx5-2vrj
Affects: github.com/jmorganca/ollama
Published: Jun 10, 2024
Unreviewed

Ollama DNS rebinding vulnerability in github.com/jmorganca/ollama

CVE-2024-0406, GHSA-rhh4-rh7c-7r5v
Affects: github.com/mholt/archiver, github.com/mholt/archiver/v3
Published: Jun 05, 2024
Modified: Jul 01, 2024

A flaw was discovered in the mholt/archiver package. This flaw allows an attacker to create a specially crafted tar file, which, when unpacked, may allow access to restricted files or directories. This issue can allow the creation or overwriting of files with the user's or application's privileges using the library.

CVE-2024-1313, GHSA-67rv-qpw2-6qrr
Affects: github.com/grafana/grafana
Published: Jun 05, 2024
Modified: Jul 09, 2024
Unreviewed

Grafana: Users outside an organization can delete a snapshot with its key in github.com/grafana/grafana. NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions. (If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.) The additional affected modules and versions are: github.com/grafana/grafana from v9.5.0 before v9.5.18, from v10.0.0 before v10.0.13, from v10.1.0 before v10.1.9, from v10.2.0 before v10.2.6, from v10.3.0 before v10.3.5.

CVE-2024-2447, GHSA-wp43-vprh-c3w5
Affects: github.com/mattermost/mattermost-server, github.com/mattermost/mattermost-server/v5, and 2 more
Published: Jun 05, 2024
Modified: Jul 09, 2024
Unreviewed

Mattermost fails to authenticate the source of certain types of post actions in github.com/mattermost/mattermost-server. NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions. (If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.) The additional affected modules and versions are: github.com/mattermost/mattermost/server/v8 from v8.1.0 before v8.1.11.

CVE-2024-28949, GHSA-mcw6-3256-64gg
Affects: github.com/mattermost/mattermost-server, github.com/mattermost/mattermost-server/v5, and 2 more
Published: Jun 05, 2024
Modified: Jul 09, 2024
Unreviewed

Mattermost Server doesn't limit the number of user preferences in github.com/mattermost/mattermost-server. NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions. (If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.) The additional affected modules and versions are: github.com/mattermost/mattermost/server/v8 from v8.1.0 before v8.1.11.

GHSA-j496-crgh-34mx
Affects: github.com/cosmos/ibc-go, github.com/cosmos/ibc-go/v2, and 6 more
Published: May 20, 2024

Potential Reentrancy using Timeout Callbacks in ibc-hooks in github.com/cosmos/ibc-go

CVE-2024-3250, GHSA-4685-2x5r-65pj
Affects: github.com/canonical/pebble
Published: Jun 04, 2024
Unreviewed

Pebble service manager's file pull API allows access by any user in github.com/canonical/pebble

CVE-2024-2660, GHSA-j2rp-gmqv-frhv
Affects: github.com/hashicorp/vault
Published: Jun 04, 2024
Modified: Jun 28, 2024
Unreviewed

HashiCorpVault does not correctly validate OCSP responses in github.com/hashicorp/vault

CVE-2024-2689, GHSA-wmxc-v39r-p9wf
Affects: go.temporal.io/server
Published: Jun 04, 2024
Unreviewed

Temporal Server Denial of Service in go.temporal.io/server

CVE-2024-31420, GHSA-vjhf-6xfr-5p9g
Affects: kubevirt.io/kubevirt
Published: Jun 05, 2024
Unreviewed

KubeVirt NULL pointer dereference flaw in kubevirt.io/kubevirt

CVE-2023-45288, GHSA-4v7x-pqxf-cx7m
Affects: net/http, golang.org/x/net
Published: Apr 03, 2024
Modified: May 20, 2024

An attacker may cause an HTTP/2 endpoint to read arbitrary amounts of header data by sending an excessive number of CONTINUATION frames. Maintaining HPACK state requires parsing and processing all HEADERS and CONTINUATION frames on a connection. When a request's headers exceed MaxHeaderBytes, no memory is allocated to store the excess headers, but they are still parsed. This permits an attacker to cause an HTTP/2 endpoint to read arbitrary amounts of header data, all associated with a request which is going to be rejected. These headers can include Huffman-encoded data which is significantly more expensive for the receiver to decode than for an attacker to send. The fix sets a limit on the amount of excess header frames we will process before closing a connection.

CVE-2024-22780, GHSA-hwvw-gh23-qpvq
Affects: github.com/ca17/teamsacs
Published: Jun 10, 2024
Unreviewed

CA17 TeamsACS Cross Site Scripting vulnerability in github.com/ca17/teamsacs

CVE-2021-41803, GHSA-hr3v-8cp3-68rf
Affects: github.com/hashicorp/consul
Published: Apr 05, 2024
Modified: May 20, 2024

HashiCorp Consul does not properly validate the node or segment names prior to interpolation and usage in JWT claim assertions with the auto config RPC.

CVE-2024-22189, GHSA-c33x-xqrf-c478
Affects: github.com/quic-go/quic-go
Published: Apr 05, 2024
Modified: May 20, 2024

An attacker can cause its peer to run out of memory by sending a large number of NEW_CONNECTION_ID frames that retire old connection IDs. The receiver is supposed to respond to each retirement frame with a RETIRE_CONNECTION_ID frame. The attacker can prevent the receiver from sending out (the vast majority of) these RETIRE_CONNECTION_ID frames by collapsing the peers congestion window (by selectively acknowledging received packets) and by manipulating the peer's RTT estimate.

CVE-2024-2435, GHSA-8f25-w7qj-r7hc
Affects: github.com/temporalio/ui-server, github.com/temporalio/ui-server/v2
Published: Jun 04, 2024
Modified: Jun 28, 2024
Unreviewed

Temporal UI Server cross-site scripting vulnerability in github.com/temporalio/ui-server

CVE-2023-3300, GHSA-v5fm-hr72-27hx
Affects: github.com/hashicorp/nomad
Published: Apr 04, 2024
Modified: May 20, 2024

A vulnerability was identified in Nomad such that the search HTTP API can reveal names of available CSI plugins to unauthenticated users or users without the plugin:read policy. This vulnerability affects Nomad since 0.11.0 and was fixed in 1.4.11 and 1.5.7.

CVE-2023-3072, GHSA-rpvr-38xv-xvxq
Affects: github.com/hashicorp/nomad
Published: Apr 04, 2024
Modified: May 20, 2024

An ACL policy using a block without label can be applied to unexpected resources in Nomad, a distributed, highly available scheduler designed for effortless operations and management of applications.

CVE-2023-3299, GHSA-9jfx-84v9-2rr2
Affects: github.com/hashicorp/nomad
Published: Apr 04, 2024
Modified: May 20, 2024

A vulnerability exists in Nomad where the API caller's ACL token secret ID is exposed to Sentinel policies.

CVE-2024-28232, GHSA-hcw2-2r9c-gc6p
Affects: github.com/IceWhaleTech/CasaOS-UserService
Published: Apr 02, 2024
Modified: May 20, 2024

The Casa OS Login page has a username enumeration vulnerability in the login page that was patched in Casa OS v0.4.7. The issue exists because the application response differs depending on whether the username or password is incorrect, allowing an attacker to enumerate usernames by observing the application response. For example, if the username is incorrect, the application returns "User does not exist" with return code "10006", while if the password is incorrect, it returns "User does not exist or password is invalid" with return code "10013". This allows an attacker to determine if a username exists without knowing the password.

CVE-2024-29893, GHSA-jhwx-mhww-rgc3
Affects: github.com/argoproj/argo-cd/v2
Published: Apr 16, 2024
Modified: May 20, 2024

Out of memory crash from malicious Helm registry in github.com/argoproj/argo-cd/v2

CVE-2024-28860, GHSA-pwqm-x5x6-5586
Affects: github.com/cilium/cilium
Published: Apr 16, 2024
Modified: May 20, 2024

Insecure IPsec transparent encryption in github.com/cilium/cilium

CVE-2024-29891, GHSA-hr5w-cwwq-2v4m
Affects: github.com/zitadel/zitadel
Published: Jun 05, 2024
Modified: Jul 09, 2024
Unreviewed

ZITADEL's Improper Content-Type Validation Leads to Account Takeover via Stored XSS + CSP Bypass in github.com/zitadel/zitadel. NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions. (If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.) The additional affected modules and versions are: github.com/zitadel/zitadel before v2.42.17, from v2.43.0 before v2.43.11, from v2.44.0 before v2.44.7, from v2.45.0 before v2.45.5, from v2.46.0 before v2.46.5, from v2.47.0 before v2.47.8, from v2.48.0 before v2.48.3.

CVE-2024-29892, GHSA-gp8g-f42f-95q2
Affects: github.com/zitadel/zitadel
Published: Jun 05, 2024
Modified: Jul 09, 2024
Unreviewed

ZITADEL's actions can overload reserved claims in github.com/zitadel/zitadel. NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions. (If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.) The additional affected modules and versions are: github.com/zitadel/zitadel before v2.42.17, from v2.43.0 before v2.43.11, from v2.44.0 before v2.44.7, from v2.45.0 before v2.45.5, from v2.46.0 before v2.46.5, from v2.47.0 before v2.47.8, from v2.48.0 before v2.48.3.

CVE-2019-19499, GHSA-4pwp-cx67-5cpx
Affects: github.com/grafana/grafana
Published: Mar 28, 2024
Modified: Jul 09, 2024

An authenticated attacker that has privileges to modify the data source configurations can read arbitrary files.

CVE-2024-1394, GHSA-78hx-gp6g-7mj6
Affects: github.com/golang-fips/openssl/v2, github.com/microsoft/go-crypto-openssl
Published: Mar 27, 2024
Modified: May 20, 2024

Using crafted public RSA keys can cause a small memory leak when encrypting and verifying payloads. This can be gradually leveraged into a denial of service attack.

CVE-2024-29018, GHSA-mq39-4gv4-mvpx
Affects: github.com/docker/docker
Published: Mar 22, 2024
Modified: May 20, 2024

dockerd forwards DNS requests to the host loopback device, bypassing the container network namespace's normal routing semantics, networks marked as 'internal' can unexpectedly forward DNS requests to an external nameserver. By registering a domain for which they control the authoritative nameservers, an attacker could arrange for a compromised container to exfiltrate data by encoding it in DNS queries that will eventually be answered by their nameservers.

CVE-2024-1753, GHSA-pmf3-c36m-g5cf
Affects: github.com/containers/buildah
Published: Mar 22, 2024
Modified: May 20, 2024

A crafted container file can use a dummy image with a symbolic link to the host filesystem as a mount source and cause the mount operation to mount the host filesystem during a build-time RUN step. The commands inside the RUN step will then have read-write access to the host filesystem.

CVE-2024-28250, GHSA-v6q2-4qr3-5cw6
Affects: github.com/cilium/cilium
Published: Mar 22, 2024
Modified: May 20, 2024

In Cilium clusters with WireGuard enabled and traffic matching Layer 7 policies: traffic that should be WireGuard-encrypted is sent unencrypted between a node's Envoy proxy and pods on other nodes, and traffic that should be WireGuard-encrypted is sent unencrypted between a node's DNS proxy and pods on other nodes.

CVE-2024-28249, GHSA-j89h-qrvr-xc36
Affects: github.com/cilium/cilium
Published: Mar 22, 2024
Modified: May 20, 2024

In Cilium clusters with IPsec enabled and traffic matching Layer 7 policies, traffic that should be IPsec-encrypted between a node's Envoy proxy and pods on other nodes is sent unencrypted, and traffic that should be IPsec-encrypted between a node's DNS proxy and pods on other nodes is sent unencrypted.

CVE-2024-28855, GHSA-hfrg-4jwr-jfpj
Affects: github.com/zitadel/zitadel
Published: Mar 27, 2024
Modified: Jul 09, 2024

The Login UI did not sanitize input parameters. An attacker could create a malicious link, where injected code would be rendered as part of the login screen.

CVE-2024-21661, GHSA-6v85-wr92-q4p7
Affects: github.com/argoproj/argo-cd/v2
Published: Mar 22, 2024
Modified: May 20, 2024

Application may crash due to concurrent writes, leading to a denial of service. An attacker can crash the application continuously, making it impossible for legitimate users to access the service. Authentication is not required in the attack.

CVE-2024-28248, GHSA-68mj-9pjq-mc85
Affects: github.com/cilium/cilium
Published: Mar 22, 2024
Modified: May 20, 2024

Cilium's HTTP policies are not consistently applied to all traffic in the scope of the policies, leading to HTTP traffic being incorrectly and intermittently forwarded when it should be dropped.

CVE-2024-21662, CVE-2024-21652, and 2 more
Affects: github.com/argoproj/argo-cd/v2
Published: Mar 22, 2024
Modified: May 20, 2024

An attacker can effectively bypass the rate limit and brute force protections in Argo CD by exploiting the application's weak cache-based mechanism. The application's brute force protection relies on a cache mechanism that tracks login attempts for each user. An attacker can overflow this cache by bombarding it with login attempts for different users, thereby pushing out the admin account's failed attempts and effectively resetting the rate limit for that account.

GHSA-v8mx-hp2q-gw85
Affects: github.com/go-vela/sdk-go
Published: Jun 05, 2024
Unreviewed

Golang SDK for Vela Insecure Variable Substitution in github.com/go-vela/sdk-go

GHSA-7v38-w32m-wx4m
Affects: github.com/go-vela/types
Published: Jun 04, 2024
Unreviewed

Types for Vela Insecure Variable Substitution in github.com/go-vela/types

GHSA-69p4-j5v5-x234
Affects: github.com/go-vela/server
Published: Jun 04, 2024
Unreviewed

Server/API for Vela Insecure Variable Substitution in github.com/go-vela/server

GHSA-4jhj-3gv3-c3gr
Affects: github.com/go-vela/cli
Published: Jun 04, 2024
Unreviewed

CLI for Vela Insecure Variable Substitution in github.com/go-vela/cli

CVE-2024-28175, GHSA-jwv5-8mqv-g387
Affects: github.com/argoproj/argo-cd, github.com/argoproj/argo-cd/v2
Published: Mar 22, 2024
Modified: May 20, 2024

Due to the improper URL protocols filtering of links specified in the link.argocd.argoproj.io annotations in the application summary component, an attacker can achieve cross-site scripting with elevated permissions. A malicious user to inject a javascript: link in the UI. When clicked by a victim user, the script will execute with the victim's permissions (up to and including admin). This vulnerability allows an attacker to perform arbitrary actions on behalf of the victim via the API, such as creating, modifying, and deleting Kubernetes resources.

CVE-2024-27920, GHSA-w5wx-6g2r-r78q
Affects: github.com/projectdiscovery/nuclei, github.com/projectdiscovery/nuclei/v2, and 1 more
Published: Jun 04, 2024
Modified: Jun 28, 2024
Unreviewed

Nuclei allows unsigned code template execution through workflows in github.com/projectdiscovery/nuclei

CVE-2023-51699, GHSA-wx8q-4gm9-rj2g
Affects: github.com/fluid-cloudnative/fluid
Published: Jun 04, 2024
Unreviewed

Fluid vulnerable to OS Command Injection for Fluid Users with JuicefsRuntime in github.com/fluid-cloudnative/fluid

CVE-2023-50726, GHSA-g623-jcgg-mhmm
Affects: github.com/argoproj/argo-cd, github.com/argoproj/argo-cd/v2
Published: Mar 22, 2024
Modified: May 20, 2024

An improper validation bug allows users who have create privileges to sync a local manifest during application creation. This allows for bypassing the restriction that the manifests come from some approved git/Helm/OCI source.

CVE-2024-27102, GHSA-494h-9924-xww9
Affects: github.com/pterodactyl/wings
Published: Jun 04, 2024
Unreviewed

Pterodactyl Wings vulnerable to improper isolation of server file access in github.com/pterodactyl/wings

CVE-2024-28236, GHSA-pwx5-6wxg-px5h
Affects: github.com/go-vela/worker
Published: Jun 04, 2024
Unreviewed

Insecure Variable Substitution in Vela in github.com/go-vela/worker

GHSA-95rx-m9m5-m94v
Affects: github.com/cosmos/cosmos-sdk
Published: May 10, 2024
Modified: May 20, 2024

The default ValidateVoteExtensions helper function infers total voting power based on the injected VoteExtension, which are injected by the proposer. If your chain utilizes the ValidateVoteExtensions helper in ProcessProposal, a dishonest proposer can potentially mutate voting power of each validator it includes in the injected VoteExtension, which could have potentially unexpected or negative consequences on modified state. Additional validation on injected VoteExtension data was added to confirm voting power against the state machine.

CVE-2024-28197, GHSA-mq4x-r2w3-j7mr
Affects: github.com/zitadel/zitadel
Published: Jun 05, 2024
Modified: Jul 09, 2024
Unreviewed

Account Takeover via Session Fixation in Zitadel [Bypassing MFA] in github.com/zitadel/zitadel. NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions. (If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.) The additional affected modules and versions are: github.com/zitadel/zitadel before v2.44.3, from v2.45.0 before v2.45.1.

CVE-2024-2352, GHSA-x2vg-5wrf-vj6v
Affects: github.com/1Panel-dev/1Panel
Published: Jun 04, 2024
Unreviewed

1Panel is vulnerable to command injection in github.com/1Panel-dev/1Panel

CVE-2024-1952, GHSA-r4fm-g65h-cr54
Affects: github.com/mattermost/mattermost-server, github.com/mattermost/mattermost-server/v5, and 2 more
Published: Jun 05, 2024
Modified: Aug 19, 2024
Unreviewed

Mattermost incorrectly allows access individual posts in github.com/mattermost/mattermost-server

CVE-2024-28122, GHSA-hj3v-m684-v259
Affects: github.com/lestrrat-go/jwx, github.com/lestrrat-go/jwx/v2
Published: May 20, 2024

An attacker with a trusted public key may cause a Denial-of-Service (DoS) condition by crafting a malicious JSON Web Encryption (JWE) token with an exceptionally high compression ratio. When this token is processed by the recipient, it results in significant memory allocation and processing time during decompression.

CVE-2024-28180, GHSA-c5q2-7r4c-mv6g
Affects: github.com/go-jose/go-jose/v4, github.com/go-jose/go-jose/v3, and 2 more
Published: Mar 15, 2024
Modified: May 20, 2024

An attacker could send a JWE containing compressed data that used large amounts of memory and CPU when decompressed by Decrypt or DecryptMulti.

CVE-2024-1442, GHSA-5mxf-42f5-j782
Affects: github.com/grafana/grafana
Published: Jun 05, 2024
Modified: Jul 09, 2024
Unreviewed

Grafana's users with permissions to create a data source can CRUD all data sources in github.com/grafana/grafana. NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions. (If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.) The additional affected modules and versions are: github.com/grafana/grafana from v8.5.0 before v9.5.7, from v10.0.0 before v10.0.12, from v10.1.0 before v10.1.8, from v10.2.0 before v10.2.5, from v10.3.0 before v10.3.4.

CVE-2024-28110, GHSA-5pf6-2qwx-pxm2
Affects: github.com/cloudevents/sdk-go/v2
Published: Mar 11, 2024
Modified: May 20, 2024

Using cloudevents.WithRoundTripper to create a cloudevents.Client with an authenticated http.RoundTripper causes the go-sdk to leak credentials to arbitrary endpoints. When the transport is populated with an authenticated transport, http.DefaultClient is modified with the authenticated transport and will start to send Authorization tokens to any endpoint it is used to contact.

CVE-2024-2048, GHSA-r3w7-mfpm-c2vw
Affects: github.com/hashicorp/vault
Published: Mar 14, 2024
Modified: May 20, 2024

The TLS certificate authentication method incorrectly validates client certificates when configured with a non-CA certificate as a trusted certificate. When configured this way, attackers may be able to craft a certificate that can be used to bypass authentication.

CVE-2024-24765, GHSA-h5gf-cmm8-cg7c
Affects: github.com/IceWhaleTech/CasaOS-UserService
Published: Mar 11, 2024
Modified: May 20, 2024

The UserService API contains a path traversal vulnerability that allows an attacker to obtain any file on the system, including the user database and system configuration. This can lead to privilege escalation and compromise of the system.

CVE-2024-24766, GHSA-c967-2652-gfjm
Affects: github.com/IceWhaleTech/CasaOS-UserService
Published: Mar 14, 2024
Modified: May 20, 2024

CasaOS-UserService is vulnerable to a username enumeration issue, when an attacker can enumerate the CasaOS username using the application response. If the username is incorrect, the application gives the error 'User does not exist'. If the password is incorrect, the application gives the error 'Invalid password'.

CVE-2024-24767, GHSA-c69x-5xmw-v44x
Affects: github.com/IceWhaleTech/CasaOS-UserService
Published: Mar 18, 2024
Modified: May 20, 2024

The CasaOS web application does not have protection against password brute force attacks. An attacker can use a password brute force attack to find and gain full access to the server. This vulnerability allows attackers to get super user-level access over the server.

CVE-2024-27288, GHSA-26w3-q4j8-4xjp
Affects: github.com/1Panel-dev/1Panel
Published: Mar 14, 2024
Modified: May 20, 2024

If the user attempts to access a secure entry point and intercepts with Burp, they can get access to the console page. This access does not return data nor allow modification operations.

CVE-2024-2056
Affects: github.com/gvalkov/tailon
Published: Jun 10, 2024
Unreviewed

Artica Proxy Loopback Services Remotely Accessible Unauthenticated in github.com/gvalkov/tailon

CVE-2024-24786, GHSA-8r3f-844c-mc37
Affects: google.golang.org/protobuf
Published: Mar 05, 2024
Modified: May 20, 2024

The protojson.Unmarshal function can enter an infinite loop when unmarshaling certain forms of invalid JSON. This condition can occur when unmarshaling into a message which contains a google.protobuf.Any value, or when the UnmarshalOptions.DiscardUnknown option is set.

CVE-2024-24785
Affects: html/template
Published: Mar 05, 2024
Modified: May 20, 2024

If errors returned from MarshalJSON methods contain user controlled data, they may be used to break the contextual auto-escaping behavior of the html/template package, allowing for subsequent actions to inject unexpected content into templates.

CVE-2024-24784
Affects: net/mail
Published: Mar 05, 2024
Modified: May 20, 2024

The ParseAddressList function incorrectly handles comments (text within parentheses) within display names. Since this is a misalignment with conforming address parsers, it can result in different trust decisions being made by programs using different parsers.

CVE-2024-27916, GHSA-v627-69v2-xx37
Affects: github.com/stacklok/minder
Published: Mar 11, 2024
Modified: May 20, 2024

A Minder user can use the endpoints to access any repository in the DB, irrespective of who owns the repo and any permissions that user may have. The DB query used checks by repo owner, repo name and provider name (which is always "github"). These query values are not distinct for the particular user, as long as the user has valid credentials and a provider, they can set the repo owner/name to any value they want and the server will return information on this repo. DeleteRepositoryByName uses the same query and a user can delete another user's repo using this technique. The GetArtifactByName endpoint also uses this DB query.

CVE-2024-27304, GHSA-mrww-27vc-gghv, and 1 more
Affects: github.com/jackc/pgproto3/v2, github.com/jackc/pgx, and 2 more
Published: Mar 14, 2024
Modified: Sep 13, 2024

An integer overflow in the calculated message size of a query or bind message could allow a single large message to be sent as multiple messages under the attacker's control. This could lead to SQL injection if an attacker can cause a single query or bind message to exceed 4 GB in size.

CVE-2024-27289, GHSA-m7wr-2xf7-cm9p
Affects: github.com/jackc/pgx, github.com/jackc/pgx/v4
Published: Mar 11, 2024
Modified: Sep 13, 2024

SQL injection is possible when the database uses the non-default simple protocol, a minus sign directly precedes a numeric placeholder followed by a string placeholder on the same line, and both parameter values are user-controlled.

CVE-2024-27302, GHSA-fgxv-gw55-r5fq
Affects: github.com/zeromicro/go-zero
Published: Mar 11, 2024
Modified: May 20, 2024

The CORS Filter feature in go-zero allows users to specify an array of domains allowed in the CORS policy. However, the isOriginAllowed function uses strings.HasSuffix to check the origin, which can lead to a bypass via a domain like "evil-victim.com". This vulnerability is capable of breaking CORS policy and thus allowing any page to make requests and retrieve data on behalf of other users.

CVE-2024-27918, GHSA-7cc2-r658-7xpf
Affects: github.com/coder/coder, github.com/coder/coder/v2
Published: Mar 11, 2024
Modified: May 20, 2024

A vulnerability in Coder's OIDC authentication could allow an attacker to bypass the CODER_OIDC_EMAIL_DOMAIN verification and create an account with an email not in the allowlist. Deployments are only affected if the OIDC provider allows users to create accounts on the provider (such as public providers like google.com). During OIDC registration, the user's email was improperly validated against the allowed CODER_OIDC_EMAIL_DOMAINs.

CVE-2023-45289
Affects: net/http, net/http/cookiejar
Published: Mar 05, 2024
Modified: May 20, 2024

When following an HTTP redirect to a domain which is not a subdomain match or exact match of the initial domain, an http.Client does not forward sensitive headers such as "Authorization" or "Cookie". For example, a redirect from foo.com to www.foo.com will forward the Authorization header, but a redirect to bar.com will not. A maliciously crafted HTTP redirect could cause sensitive headers to be unexpectedly forwarded.

CVE-2023-45290
Affects: net/textproto
Published: Mar 05, 2024
Modified: May 20, 2024

When parsing a multipart form (either explicitly with Request.ParseMultipartForm or implicitly with Request.FormValue, Request.PostFormValue, or Request.FormFile), limits on the total size of the parsed form were not applied to the memory consumed while reading a single form line. This permits a maliciously crafted input containing very long lines to cause allocation of arbitrarily large amounts of memory, potentially leading to memory exhaustion. With fix, the ParseMultipartForm function now correctly limits the maximum size of form lines.

CVE-2024-24783
Affects: crypto/x509
Published: Mar 05, 2024
Modified: May 20, 2024

Verifying a certificate chain which contains a certificate with an unknown public key algorithm will cause Certificate.Verify to panic. This affects all crypto/tls clients, and servers that set Config.ClientAuth to VerifyClientCertIfGiven or RequireAndVerifyClientCert. The default behavior is for TLS servers to not verify client certificates.

CVE-2024-27101, GHSA-h3m7-rqc4-7h9p
Affects: github.com/authzed/spicedb
Published: Jun 04, 2024
Unreviewed

Integer overflow in chunking helper causes dispatching to miss elements or panic in github.com/authzed/spicedb

CVE-2024-23488, GHSA-xgxj-j98c-59rv
Affects: github.com/mattermost/mattermost-server, github.com/mattermost/mattermost-server/v5, and 2 more
Published: Jun 28, 2024
Modified: Jul 09, 2024
Unreviewed

Mattermost fails to properly restrict the access of files attached to posts in github.com/mattermost/mattermost-server. NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions. (If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.) The additional affected modules and versions are: github.com/mattermost/mattermost/server/v8 before v8.1.9.

CVE-2024-1953, GHSA-vm9m-57jr-4pxh
Affects: github.com/mattermost/mattermost-server, github.com/mattermost/mattermost-server/v5, and 2 more
Published: Jun 28, 2024
Modified: Jul 09, 2024
Unreviewed

Mattermost fails to limit the number of role names in github.com/mattermost/mattermost-server. NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions. (If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.) The additional affected modules and versions are: github.com/mattermost/mattermost/server/v8 before v8.1.9.

CVE-2024-1888, GHSA-pfw6-5rx3-xh3c
Affects: github.com/mattermost/mattermost-server, github.com/mattermost/mattermost-server/v5, and 2 more
Published: Jun 28, 2024
Modified: Jul 09, 2024
Unreviewed

Mattermost fails to check the "invite_guest" permission in github.com/mattermost/mattermost-server. NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions. (If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.) The additional affected modules and versions are: github.com/mattermost/mattermost/server/v8 before v8.1.9.

CVE-2024-1942, GHSA-hwjf-4667-gqwx
Affects: github.com/mattermost/mattermost-server, github.com/mattermost/mattermost-server/v5, and 2 more
Published: Jun 28, 2024
Modified: Jul 09, 2024
Unreviewed

Mattermost allows attackers access to posts in channels they are not a member of in github.com/mattermost/mattermost-server. NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions. (If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.) The additional affected modules and versions are: github.com/mattermost/mattermost/server/v8 before v8.1.9.

CVE-2024-1887, GHSA-fx48-xv6q-6gp3
Affects: github.com/mattermost/mattermost-server, github.com/mattermost/mattermost-server/v5, and 2 more
Published: Jun 28, 2024
Modified: Jul 09, 2024
Unreviewed

Mattermost post fetching without auditing in compliance export in github.com/mattermost/mattermost-server. NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions. (If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.) The additional affected modules and versions are: github.com/mattermost/mattermost/server/v8 before v8.1.9.

CVE-2024-23493, GHSA-7v3v-984v-h74r
Affects: github.com/mattermost/mattermost-server, github.com/mattermost/mattermost-server/v5, and 2 more
Published: Jun 28, 2024
Modified: Jul 09, 2024
Unreviewed

Mattermost leaks details of AD/LDAP groups of a teams in github.com/mattermost/mattermost-server. NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions. (If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.) The additional affected modules and versions are: github.com/mattermost/mattermost/server/v8 before v8.1.9.

CVE-2024-24988, GHSA-6mx3-9qfh-77gj
Affects: github.com/mattermost/mattermost-server, github.com/mattermost/mattermost-server/v5, and 2 more
Published: Jun 28, 2024
Modified: Jul 09, 2024
Unreviewed

Mattermost denial of service through long emoji value in github.com/mattermost/mattermost-server. NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions. (If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.) The additional affected modules and versions are: github.com/mattermost/mattermost/server/v8 before v8.1.9.

CVE-2024-1949, GHSA-3g35-v53r-gpxc
Affects: github.com/mattermost/mattermost-server, github.com/mattermost/mattermost-server/v5, and 2 more
Published: Jun 28, 2024
Modified: Jul 09, 2024
Unreviewed

Mattermost race condition in github.com/mattermost/mattermost-server. NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions. (If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.) The additional affected modules and versions are: github.com/mattermost/mattermost/server/v8 before v8.1.9.

CVE-2022-45786, GHSA-6p5q-h963-pwwf
Affects: github.com/apache/age/drivers/golang
Published: Mar 04, 2024
Modified: May 20, 2024

SQL injection in github.com/apache/age/drivers/golang

GHSA-86h5-xcpx-cfqc
Affects: github.com/cosmos/cosmos-sdk
Published: Mar 05, 2024
Modified: May 20, 2024

Slashing evasion in github.com/cosmos/cosmos-sdk

GHSA-x5r5-2qrx-rqj8
Affects: github.com/edgelesssys/marblerun
Published: Mar 04, 2024
Modified: May 20, 2024

Encryption bypass in github.com/edgelesssys/marblerun

CVE-2024-27093, GHSA-q6h8-4j2v-pjg4
Affects: github.com/stacklok/minder
Published: Jun 28, 2024
Modified: Jul 09, 2024
Unreviewed

Minder trusts client-provided mapping from repo name to upstream ID in github.com/stacklok/minder. NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions. (If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.) The additional affected modules and versions are: github.com/stacklok/minder before v0.20240226.1425.

GHSA-fvv5-h29g-f6w5
Affects: github.com/treeverse/lakefs
Published: Jun 04, 2024
Unreviewed

User with ci:ReadAction permissions and write permissions to one path in a repository may copy objects from any path in the repository in github.com/treeverse/lakefs

CVE-2024-26578, GHSA-9q24-hwmc-797x
Affects: github.com/apache/incubator-answer
Published: Jun 04, 2024
Unreviewed

Apache Answer Race Condition vulnerability in github.com/apache/incubator-answer

CVE-2024-22393, GHSA-rmqp-mvv2-54c6
Affects: github.com/apache/incubator-answer
Published: Jun 04, 2024
Unreviewed

Apache Answer Unrestricted Upload of File with Dangerous Type vulnerability in github.com/apache/incubator-answer

CVE-2024-23349, GHSA-8pf2-qj4v-fj64
Affects: github.com/apache/incubator-answer
Published: Jun 04, 2024
Unreviewed

Apache Answer Cross-site Scripting vulnerability in github.com/apache/incubator-answer

CVE-2024-1485, GHSA-84xv-jfrm-h4gm
Affects: github.com/devfile/registry-support/registry-library
Published: Jun 05, 2024
Modified: Jul 09, 2024
Unreviewed

registry-support: decompress can delete files outside scope via relative paths in github.com/devfile/registry-support/registry-library. NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions. (If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.) The additional affected modules and versions are: github.com/devfile/registry-support/registry-library before v0.0.0-20240206.

CVE-2024-26147, GHSA-r53h-jv2g-vpx6
Affects: helm.sh/helm/v3
Published: Jun 04, 2024
Modified: Jul 01, 2024

Helm's Missing YAML Content Leads To Panic in helm.sh/helm/v3

CVE-2024-25124, GHSA-fmg4-x8pw-hjhg
Affects: github.com/gofiber/fiber/v2
Published: May 20, 2024

The CORS middleware allows for insecure configurations that could potentially expose the application to multiple CORS-related vulnerabilities. Specifically, it allows setting the Access-Control-Allow-Origin header to a wildcard ("*") while also having the Access-Control-Allow-Credentials set to true, which goes against recommended security best practices.

GHSA-4j93-fm92-rp4m
Affects: github.com/cosmos/cosmos-sdk
Published: May 28, 2024
Modified: Jul 01, 2024

Missing BlockedAddressed Validation in Vesting Module in github.com/cosmos/cosmos-sdk

GHSA-2557-x9mg-76w8
Affects: github.com/cosmos/cosmos-sdk
Published: May 22, 2024
Modified: May 23, 2024

Invalid block proposal in github.com/cosmos/cosmos-sdk

CVE-2024-25631, GHSA-x989-52fc-4vr4
Affects: github.com/cilium/cilium
Published: Jun 04, 2024
Modified: Aug 19, 2024
Unreviewed

Unencrypted traffic between pods when using Wireguard and an external kvstore in github.com/cilium/cilium

CVE-2024-25630, GHSA-7496-fgv9-xw82
Affects: github.com/cilium/cilium
Published: Jun 04, 2024
Modified: Aug 19, 2024
Unreviewed

Unencrypted ingress/health traffic when using Wireguard transparent encryption in github.com/cilium/cilium

GHSA-fqpg-rq76-99pq
Affects: github.com/jackc/pgx/v5
Published: Jul 02, 2024
Modified: Jul 09, 2024

Pipeline can panic when PgConn is busy or closed.

CVE-2024-24776, GHSA-r833-w756-h5p2
Affects: github.com/mattermost/mattermost-server, github.com/mattermost/mattermost-server/v5, and 2 more
Published: Jun 05, 2024
Modified: Jul 09, 2024
Unreviewed

Mattermost fails to check the required permissions in github.com/mattermost/mattermost-server. NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions. (If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.) The additional affected modules and versions are: github.com/mattermost/mattermost/server/v8 before v8.1.8.

CVE-2024-21495, GHSA-c7vf-m394-m4x4
Affects: github.com/greenpau/caddy-security
Published: Jun 28, 2024
Unreviewed

Use of Insufficiently Random Values in github.com/greenpau/caddy-security

CVE-2024-21493, GHSA-8h95-jcp5-pjpr
Affects: github.com/greenpau/caddy-security
Published: Jun 28, 2024
Unreviewed

Improper Validation of Array Index in github.com/greenpau/caddy-security

CVE-2024-21500, GHSA-vfph-hjfv-cpv2
Affects: github.com/greenpau/caddy-security
Published: Jun 28, 2024
Unreviewed

Improper Restriction of Excessive Authentication Attempts in github.com/greenpau/caddy-security

CVE-2024-21499, GHSA-r969-783f-6jqr
Affects: github.com/greenpau/caddy-security
Published: Jun 28, 2024
Unreviewed

Improper Neutralization of HTTP Headers in github.com/greenpau/caddy-security

CVE-2024-21498, GHSA-93x8-66j2-wwr5
Affects: github.com/greenpau/caddy-security
Published: Jun 28, 2024
Unreviewed

Server-Side Request Forgery in github.com/greenpau/caddy-security

CVE-2024-21497, GHSA-8hp3-rmr7-xh88
Affects: github.com/greenpau/caddy-security
Published: Jun 28, 2024
Unreviewed

Open Redirect in github.com/greenpau/caddy-security

CVE-2024-21496, GHSA-ff72-ff42-c3gw
Affects: github.com/greenpau/caddy-security
Published: Jun 28, 2024
Unreviewed

Cross-site Scripting in github.com/greenpau/caddy-security

CVE-2024-21494, GHSA-vj36-3ccr-6563
Affects: github.com/greenpau/caddy-security
Published: Jun 28, 2024
Unreviewed

Authentication Bypass by Spoofing in github.com/greenpau/caddy-security

CVE-2024-21492, GHSA-vp66-gf7w-9m4x
Affects: github.com/greenpau/caddy-security
Published: Jun 28, 2024
Unreviewed

Insufficient Session Expiration in github.com/greenpau/caddy-security

CVE-2024-23448, GHSA-8r33-q5j5-rh7g
Affects: github.com/elastic/apm-server
Published: Jun 28, 2024
Modified: Jul 09, 2024
Unreviewed

APM Server vulnerable to Insertion of Sensitive Information into Log File in github.com/elastic/apm-server. NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions. (If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.) The additional affected modules and versions are: github.com/elastic/apm-server before v8.12.1.

CVE-2024-25620, GHSA-v53g-5gjp-272r
Affects: helm.sh/helm/v3
Published: Feb 29, 2024
Modified: May 20, 2024

Path traversal in helm.sh/helm/v3

CVE-2020-7924, GHSA-6cwm-wm82-hgrw
Affects: github.com/mongodb/mongo-tools
Published: Jun 28, 2024
Modified: Jul 09, 2024

Usage of specific command line parameter in MongoDB Tools which was originally intended to just skip hostname checks, may result in MongoDB skipping all certificate validation. This may result in accepting invalid certificates. NOTE: this module uses its own versioning scheme that is not fully compatible with standard Go module versioning, so the affected versions in this report may differ from the versions listed in other advisories. According to the advisory, the affected versions are as follows: MongoDB Inc. MongoDB Database Tools 3.6 versions later than 3.6.5; 3.6 versions prior to 3.6.21; 4.0 versions prior to 4.0.21; 4.2 versions prior to 4.2.11; 100 versions prior to 100.2.0. MongoDB Inc. Mongomirror 0 versions later than 0.6.0.

CVE-2023-52430, GHSA-xwmv-cx7p-fqfc
Affects: github.com/greenpau/caddy-security
Published: Jun 28, 2024
Unreviewed

caddy-security plugin for Caddy vulnerable to reflected Cross-site Scripting in github.com/greenpau/caddy-security

CVE-2024-1402, GHSA-32h7-7j94-8fc2
Affects: github.com/mattermost/mattermost-server, github.com/mattermost/mattermost-server/v5, and 2 more
Published: Jun 28, 2024
Modified: Jul 09, 2024
Unreviewed

Mattermost vulnerable to denial of service via large number of emoji reactions in github.com/mattermost/mattermost-server. NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions. (If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.) The additional affected modules and versions are: github.com/mattermost/mattermost/server/v8 before v8.1.8.

CVE-2024-24774, GHSA-qr8f-cjw7-838m
Affects: github.com/mattermost/mattermost-plugin-jira
Published: Jun 28, 2024
Modified: Jul 09, 2024
Unreviewed

Mattermost Jira Plugin does not properly check security levels in github.com/mattermost/mattermost-plugin-jira. NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions. (If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.) The additional affected modules and versions are: github.com/mattermost/mattermost-plugin-jira before v4.0.0-rc1.

CVE-2024-23319, GHSA-4fp6-574p-fc35
Affects: github.com/mattermost/mattermost-plugin-jira
Published: Mar 18, 2024
Modified: Jul 09, 2024

Cross-site request forgery via logout button in github.com/mattermost/mattermost-plugin-jira

CVE-2024-1329, GHSA-c866-8gpw-p3mv
Affects: github.com/hashicorp/nomad
Published: Mar 04, 2024
Modified: May 20, 2024

Symlink attack in github.com/hashicorp/nomad

CVE-2023-22649, GHSA-xfj7-qf8w-2gcr
Affects: github.com/rancher/rancher
Published: Jun 28, 2024
Modified: Jul 09, 2024
Unreviewed

Rancher 'Audit Log' leaks sensitive information in github.com/rancher/rancher. NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions. (If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.) The additional affected modules and versions are: github.com/rancher/rancher from v2.6.0 before v2.6.14, from v2.7.0 before v2.7.10, from v2.8.0 before v2.8.2.

CVE-2023-32193, GHSA-r8f4-hv23-6qp6
Affects: github.com/rancher/norman
Published: Feb 20, 2024
Modified: May 20, 2024

Cross-site scripting in public API in github.com/rancher/norman

CVE-2023-32194, GHSA-c85r-fwc7-45vc
Affects: github.com/rancher/rancher
Published: Jun 28, 2024
Modified: Jul 09, 2024
Unreviewed

Rancher permissions on 'namespaces' in any API group grants 'edit' permissions on namespaces in 'core' in github.com/rancher/rancher. NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions. (If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.) The additional affected modules and versions are: github.com/rancher/rancher from v2.6.0 before v2.6.14, from v2.7.0 before v2.7.10, from v2.8.0 before v2.8.2.

CVE-2023-32192, GHSA-833m-37f7-jq55
Affects: github.com/rancher/apiserver
Published: Feb 15, 2024
Modified: May 20, 2024

Unauthenticated cross-site scripting in github.com/rancher/apiserver

CVE-2024-1052, GHSA-vh73-q3rw-qx7w
Affects: github.com/hashicorp/boundary
Published: Jun 28, 2024
Unreviewed

Boundary vulnerable to session hijacking through TLS certificate tampering in github.com/hashicorp/boundary

CVE-2024-24768, GHSA-9xfw-jjq2-7v8h
Affects: github.com/1Panel-dev/1Panel
Published: Jun 28, 2024
Unreviewed

1Panel set-cookie is missing the Secure keyword in github.com/1Panel-dev/1Panel

GHSA-vjg6-93fv-qv64
Affects: go.etcd.io/etcd, go.etcd.io/etcd/v3
Published: Jun 28, 2024
Modified: Jul 09, 2024
Unreviewed

Etcd auth Inaccurate logging of authentication attempts for users with CN-based auth only in go.etcd.io/etcd. NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions. (If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.) The additional affected modules and versions are: go.etcd.io/etcd/v3 before v3.3.23, from v3.4.0-rc.0 before v3.4.10.

GHSA-pm3m-32r3-7mfh
Affects: go.etcd.io/etcd, go.etcd.io/etcd/v3
Published: Jun 28, 2024
Modified: Jul 09, 2024
Unreviewed

Etcd embed auto compaction retention negative value causing a compaction loop or a crash in go.etcd.io/etcd. NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions. (If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.) The additional affected modules and versions are: go.etcd.io/etcd/v3 before v3.3.23, from v3.4.0-rc.0 before v3.4.10.

GHSA-j86v-2vjr-fg8f
Affects: go.etcd.io/etcd, go.etcd.io/etcd/v3
Published: Jun 28, 2024
Modified: Jul 09, 2024
Unreviewed

Etcd Gateway TLS endpoint validation only confirms TCP reachability in go.etcd.io/etcd. NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions. (If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.) The additional affected modules and versions are: go.etcd.io/etcd/v3 before v3.3.23, from v3.4.0-rc.0 before v3.4.10.

GHSA-5x4g-q5rc-36jp
Affects: go.etcd.io/etcd
Published: Jun 28, 2024
Modified: Jul 09, 2024

The TLS ciphers list supported by etcd contains insecure cipher suites. Users may specify that an insecure cipher is used via “--cipher-suites” flag. A list of secure suites is used by default.

CVE-2020-11110, GHSA-xr3x-62qw-vc4w
Affects: github.com/grafana/grafana
Published: Jun 28, 2024
Modified: Jul 09, 2024
Unreviewed

Grafana stored XSS in github.com/grafana/grafana. NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions. (If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.) The additional affected modules and versions are: github.com/grafana/grafana before v6.7.2.

CVE-2019-14271, GHSA-v2cv-wwxq-qq97
Affects: github.com/docker/docker, github.com/moby/moby
Published: Jun 28, 2024
Modified: Jul 15, 2024

In Docker 19.03.x before 19.03.1 linked against the GNU C Library (aka glibc), code injection can occur when the nsswitch facility dynamically loads a library inside a chroot that contains the contents of the container.

CVE-2020-24303, GHSA-mvpr-q6rh-8vrp
Affects: github.com/grafana/grafana
Published: Jun 28, 2024
Modified: Jul 09, 2024
Unreviewed

Grafana XSS via a query alias for the ElasticSearch datasource in github.com/grafana/grafana. NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions. (If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.) The additional affected modules and versions are: github.com/grafana/grafana before v7.1.0-beta1.

CVE-2020-12459, GHSA-m25m-5778-fm22
Affects: github.com/grafana/grafana
Published: Jul 02, 2024
Modified: Jul 09, 2024
Unreviewed

Grafana world readable configuration files in github.com/grafana/grafana. NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions. (If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.) The additional affected modules and versions are: github.com/grafana/grafana from v6.0.0 before v7.2.1.

CVE-2020-12245, GHSA-ccmg-w4xm-p28v
Affects: github.com/grafana/grafana
Published: Jun 28, 2024
Modified: Jul 09, 2024
Unreviewed

Grafana XSS in header column rename in github.com/grafana/grafana. NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions. (If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.) The additional affected modules and versions are: github.com/grafana/grafana before v6.7.3.

CVE-2018-18624, GHSA-9hv8-4frf-cprf
Affects: github.com/grafana/grafana
Published: Jun 28, 2024
Modified: Jul 09, 2024
Unreviewed

Grafana XSS via a column style in github.com/grafana/grafana. NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions. (If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.) The additional affected modules and versions are: github.com/grafana/grafana before v7.0.0.

CVE-2020-13430, GHSA-7m2x-qhrq-rp8h
Affects: github.com/grafana/grafana
Published: Jun 28, 2024
Modified: Jul 09, 2024
Unreviewed

Grafana XSS via the OpenTSDB datasource in github.com/grafana/grafana. NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions. (If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.) The additional affected modules and versions are: github.com/grafana/grafana before v7.0.0.

CVE-2020-25816, GHSA-57gg-cj55-q5g2
Affects: github.com/hashicorp/vault
Published: Jun 28, 2024
Unreviewed

Token leases could outlive their TTL in HashiCorp Vault in github.com/hashicorp/vault

CVE-2020-12458, GHSA-3jq7-8ph8-63xm
Affects: github.com/grafana/grafana
Published: Jun 28, 2024
Modified: Jul 09, 2024
Unreviewed

Grafana information disclosure in github.com/grafana/grafana. NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions. (If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.) The additional affected modules and versions are: github.com/grafana/grafana before v7.2.1.

CVE-2024-24557, GHSA-xw73-rw38-6vjc
Affects: github.com/docker/docker, github.com/moby/moby
Published: Jun 28, 2024
Modified: Jul 01, 2024

Classic builder cache poisoning in github.com/docker/docker

CVE-2024-0831, GHSA-vgh3-mwxq-rcp8
Affects: github.com/hashicorp/vault
Published: Jun 28, 2024
Unreviewed

Hashicorp Vault may expose sensitive log information in github.com/hashicorp/vault

CVE-2018-12099, GHSA-v5gq-qvjq-8p53
Affects: github.com/grafana/grafana
Published: Jun 28, 2024
Unreviewed

Grafana Cross-site Scripting (XSS) in github.com/grafana/grafana

CVE-2021-3282, GHSA-rq95-xf66-j689
Affects: github.com/hashicorp/vault
Published: Jun 28, 2024
Unreviewed

Improper Authentication in HashiCorp Vault in github.com/hashicorp/vault

CVE-2020-35177, GHSA-rpgp-9hmg-j25x
Affects: github.com/hashicorp/vault
Published: Jun 28, 2024
Unreviewed

Enumeration of users in HashiCorp Vault in github.com/hashicorp/vault

CVE-2020-28053, GHSA-6m72-467w-94rh
Affects: github.com/hashicorp/consul
Published: Jun 28, 2024
Unreviewed

Privilege Escalation in HashiCorp Consul in github.com/hashicorp/consul

CVE-2020-25201, GHSA-496g-fr33-whrf
Affects: github.com/hashicorp/consul
Published: Jun 28, 2024
Unreviewed

Denial of service in HashiCorp Consul in github.com/hashicorp/consul

CVE-2021-41091, GHSA-3fwx-pjgw-3558
Affects: github.com/docker/docker, github.com/moby/moby
Published: Jun 28, 2024
Modified: Jul 01, 2024

Moby (Docker Engine) Insufficiently restricted permissions on data directory in github.com/docker/docker

CVE-2024-24747, GHSA-xx8w-mq23-29g4
Affects: github.com/minio/minio
Published: Jun 28, 2024
Unreviewed

Minio unsafe default: Access keys inherit `admin` of root user, allowing privilege escalation in github.com/minio/minio

CVE-2024-23653, GHSA-wr6v-9f75-vh2g
Affects: github.com/moby/buildkit
Published: Feb 07, 2024
Modified: May 20, 2024

BuildKit provides APIs for running interactive containers based on built images. It was possible to use these APIs to ask BuildKit to run a container with elevated privileges. Normally, running such containers is only allowed if special security.insecure entitlement is enabled both by buildkitd configuration and allowed by the user initializing the build request.

CVE-2023-44312, GHSA-r8xp-52mq-rmm8
Affects: github.com/apache/servicecomb-service-center
Published: Jun 28, 2024
Modified: Jul 09, 2024
Unreviewed

Apache ServiceComb Service-Center Exposure of Sensitive Information to an Unauthorized Actor vulnerability in github.com/apache/servicecomb-service-center. NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions. (If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.) The additional affected modules and versions are: github.com/apache/servicecomb-service-center before v2.2.0.

CVE-2023-44313, GHSA-9xc9-xq7w-vpcr
Affects: github.com/apache/servicecomb-service-center
Published: Jun 28, 2024
Modified: Jul 09, 2024
Unreviewed

Apache ServiceComb Service-Center Server-Side Request Forgery vulnerability in github.com/apache/servicecomb-service-center. NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions. (If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.) The additional affected modules and versions are: github.com/apache/servicecomb-service-center before v2.2.0.

CVE-2024-23652, GHSA-4v98-7qmw-rqr8
Affects: github.com/moby/buildkit
Published: Feb 12, 2024
Modified: May 20, 2024

A malicious BuildKit frontend or Dockerfile using RUN --mount could trick the feature that removes empty files created for the mountpoints into removing a file outside the container, from the host system.

CVE-2024-23651, GHSA-m3r6-h7wv-7xxv
Affects: github.com/moby/buildkit
Published: Feb 13, 2024
Modified: May 20, 2024

Two malicious build steps running in parallel sharing the same cache mounts with subpaths could cause a race condition that can lead to files from the host system being accessible to the build container.

CVE-2024-23650, GHSA-9p26-698r-w4hx
Affects: github.com/moby/buildkit
Published: Feb 12, 2024
Modified: May 20, 2024

A malicious BuildKit client or frontend could craft a request that could lead to a BuildKit daemon crashing with a panic.

CVE-2024-21626, GHSA-xr7r-f8xq-vfvv
Affects: github.com/opencontainers/runc
Published: Jun 28, 2024
Modified: Jul 01, 2024

Container breakout through process.cwd trickery and leaked fds in github.com/opencontainers/runc

CVE-2024-24579, GHSA-hpxr-w9w7-g4gv
Affects: github.com/anchore/stereoscope
Published: Feb 13, 2024
Modified: May 20, 2024

It is possible to craft an OCI tar archive that, when stereoscope attempts to unarchive the contents, will result in writing to paths outside of the unarchive temporary directory.

CVE-2020-16251, GHSA-4mp7-2m29-gqxf
Affects: github.com/hashicorp/vault
Published: Jun 28, 2024
Unreviewed

HashiCorp Vault Authentication bypass in github.com/hashicorp/vault

CVE-2020-10660, GHSA-m979-w9wj-qfj9
Affects: github.com/hashicorp/vault
Published: Jun 28, 2024
Unreviewed

HashiCorp Vault Improper Privilege Management in github.com/hashicorp/vault

CVE-2020-10661, GHSA-j6vv-vv26-rh7c
Affects: github.com/hashicorp/vault
Published: Jun 28, 2024
Unreviewed

HashiCorp Vault Improper Privilege Management in github.com/hashicorp/vault

CVE-2018-18625, GHSA-6wh2-8hw7-jw94
Affects: github.com/grafana/grafana
Published: Jun 28, 2024
Unreviewed

Grafana XSS via adding a link in General feature in github.com/grafana/grafana

CVE-2024-23840, GHSA-h3q2-8whx-c29h
Affects: github.com/goreleaser/goreleaser
Published: Feb 13, 2024
Modified: May 20, 2024

Secret values can be printed to the --debug log when using a a custom publisher.

CVE-2024-23827, GHSA-xvq9-4vpv-227m
Affects: github.com/0xJacky/Nginx-UI
Published: Jun 28, 2024
Modified: Jul 09, 2024
Unreviewed

Nginx-UI vulnerable to arbitrary file write through the Import Certificate feature in github.com/0xJacky/Nginx-UI. NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions. (If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.) The additional affected modules and versions are: github.com/0xJacky/Nginx-UI before v2.0.0-beta.12.

CVE-2024-23828, GHSA-qcjq-7f7v-pvc8
Affects: github.com/0xJacky/Nginx-UI
Published: Jun 28, 2024
Modified: Jul 09, 2024
Unreviewed

Nginx-UI vulnerable to authenticated RCE through injecting into the application config via CRLF in github.com/0xJacky/Nginx-UI. NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions. (If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.) The additional affected modules and versions are: github.com/0xJacky/Nginx-UI before v2.0.0-beta.12.

CVE-2024-23647, GHSA-mrx3-gxjx-hjqj
Affects: goauthentik.io
Published: Jun 28, 2024
Modified: Jul 09, 2024
Unreviewed

Authentik vulnerable to PKCE downgrade attack in goauthentik.io. NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions. (If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.) The additional affected modules and versions are: goauthentik.io before v2023.8.7, from v2023.10.0 before v2023.10.7.

CVE-2023-52354, GHSA-g4x3-mfpj-f335
Affects: blitiri.com.ar/go/chasquid
Published: Jun 28, 2024
Unreviewed

chasquid HTTP Request/Response Smuggling vulnerability in github.com/albertito/chasquid in blitiri.com.ar/go/chasquid

CVE-2024-23820, GHSA-rxpw-85vw-fx87
Affects: github.com/openfga/openfga
Published: Jun 28, 2024
Unreviewed

OpenFGA denial of service in github.com/openfga/openfga

CVE-2024-23656, GHSA-gr79-9v6v-gc9r
Affects: github.com/dexidp/dex
Published: Jun 28, 2024
Modified: Jul 09, 2024
Unreviewed

Dex discarding TLSconfig and always serves deprecated TLS 1.0/1.1 and insecure ciphers in github.com/dexidp/dex. NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions. (If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.) The additional affected modules and versions are: github.com/dexidp/dex from v2.37.0 before v2.38.0.

CVE-2024-23332, GHSA-57wx-m636-g3g8
Affects: github.com/notaryproject/notation
Published: Jun 28, 2024
Unreviewed

Go package github.com/notaryproject/notation configured with permissive trust policies potentially susceptible to rollback attack from compromised registry

GHSA-qr8r-m495-7hc4
Affects: github.com/cometbft/cometbft
Published: Jan 23, 2024
Modified: May 20, 2024

A vulnerability in CometBFT’s validation logic for VoteExtensionsEnableHeight can result in a chain halt when triggered through a governance parameter change proposal on an ABCI2 Application Chain. If a parameter change proposal including a VoteExtensionsEnableHeight modification is passed, nodes running the affected versions may panic, halting the network.

GHSA-f6jh-hvg2-9525
Affects: github.com/kudelskisecurity/crystals-go
Published: Jan 17, 2024
Modified: Jun 03, 2024

Kyberslash timing attack possible in github.com/kudelskisecurity/crystals-go

CVE-2022-3328, GHSA-cjqf-877p-7m3f
Affects: github.com/snapcore/snapd
Published: Jun 05, 2024
Modified: Jul 09, 2024
Unreviewed

snapd Race Condition vulnerability in github.com/snapcore/snapd. NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions. (If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.) The additional affected modules and versions are: github.com/snapcore/snapd before v2.57.6.

CVE-2023-49568, GHSA-mw99-9chc-xw7r
Affects: gopkg.in/src-d/go-git.v4, github.com/go-git/go-git/v5
Published: Jan 23, 2024
Modified: May 20, 2024

Denial of service in github.com/go-git/go-git/v5 and gopkg.in/src-d/go-git.v4

CVE-2024-22197, GHSA-pxmr-q2x3-9x9m
Affects: github.com/0xJacky/Nginx-UI
Published: Jan 17, 2024
Modified: May 20, 2024

Remote command execution in github.com/0xJacky/Nginx-UI

CVE-2024-22196, GHSA-h374-mm57-879c
Affects: github.com/0xJacky/Nginx-UI
Published: Jan 17, 2024
Modified: May 20, 2024

SQL injection in github.com/0xJacky/Nginx-UI

CVE-2024-22198, GHSA-8r25-68wm-jw35
Affects: github.com/0xJacky/Nginx-UI
Published: Jan 30, 2024
Modified: May 20, 2024

Arbitrary command execution in github.com/0xJacky/Nginx-UI

CVE-2024-22199, GHSA-4mq2-gc4j-cmw6
Affects: github.com/gofiber/template/django/v3
Published: Jan 17, 2024
Modified: May 20, 2024

Cross-site scripting in github.com/gofiber/template/django/v3

CVE-2023-49295, GHSA-ppxx-5m9h-6vxf
Affects: github.com/quic-go/quic-go
Published: Jan 23, 2024
Modified: May 20, 2024

Denial of service via path validation in github.com/quic-go/quic-go

CVE-2023-6476, GHSA-p4rx-7wvg-fwrc
Affects: github.com/cri-o/cri-o
Published: Jun 28, 2024
Unreviewed

CRI-O's pods can break out of resource confinement on cgroupv2 in github.com/cri-o/cri-o

CVE-2023-49619, GHSA-f899-4mr4-fqpv
Affects: github.com/apache/incubator-answer
Published: Jun 28, 2024
Unreviewed

Apache Answer Race Condition vulnerability in github.com/apache/incubator-answer

CVE-2023-49569, GHSA-449p-3h89-pw88
Affects: gopkg.in/src-d/go-git.v4, github.com/go-git/go-git/v5
Published: Jan 23, 2024
Modified: May 20, 2024

Path traversal and RCE in github.com/go-git/go-git/v5 and gopkg.in/src-d/go-git.v4

CVE-2024-21664, GHSA-pvcr-v8j8-j5q3
Affects: github.com/lestrrat-go/jwx, github.com/lestrrat-go/jwx/v2
Published: Jan 23, 2024
Modified: May 20, 2024

Panic due to nil pointer dereference in github.com/lestrrat-go/jwx/v2

GHSA-9763-4f94-gfch
Affects: github.com/cloudflare/circl
Published: Jan 18, 2024
Modified: May 20, 2024

Timing side channel in github.com/cloudflare/circl

Affects: github.com/bincyber/go-sqlcrypter
Published: Jan 30, 2024
Modified: May 20, 2024

There is a risk of an IV collision using the awskms or aesgcm provider. NIST SP 800-38D section 8.3 states that it is unsafe to encrypt more than 2^32 plaintexts under the same key when using a random IV. The limit could easily be reached given the use case of database column encryption. Ciphertexts are likely to be persisted and stored together. IV collision could enable an attacker with access to the ciphertexts to decrypt all messages encrypted with the affected key. The aesgcm provider cannot be fixed without a breaking change, so users should not encrypt more than 2^32 values with any key. The awskms package can be fixed without a breaking change by switching to a counter-based IV.

CVE-2023-47858, GHSA-w88v-pjr8-cmv2
Affects: github.com/mattermost/mattermost-server, github.com/mattermost/mattermost-server/v5, and 2 more
Published: Jun 28, 2024
Modified: Sep 06, 2024
Unreviewed

Mattermost viewing archived public channels permissions vulnerability in github.com/mattermost/mattermost-server. NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions. (If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.) The additional affected modules and versions are: github.com/mattermost/mattermost-server before v7.8.10; github.com/mattermost/mattermost/server/v8 before v8.1.1.

GHSA-vfxf-76hv-v4w4
Affects: github.com/gravitational/teleport
Published: Jun 28, 2024
Modified: Aug 19, 2024
Withdrawn: Jan 23, 2024
Unreviewed

(withdrawn)

CVE-2023-48732, GHSA-q7rx-w656-fwmv
Affects: github.com/mattermost/mattermost-server, github.com/mattermost/mattermost-server/v5, and 2 more
Published: Jun 28, 2024
Modified: Jul 09, 2024
Unreviewed

Mattermost notified all users in the channel when using WebSockets to respond individually in github.com/mattermost/mattermost-server. NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions. (If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.) The additional affected modules and versions are: github.com/mattermost/mattermost/server/v8 before v8.1.7.

GHSA-hw4x-mcx5-9q36
Affects: github.com/gravitational/teleport
Published: Jun 28, 2024
Modified: Aug 19, 2024
Withdrawn: Jan 23, 2024
Unreviewed

(withdrawn)

CVE-2023-7113, GHSA-h3gq-j7p9-x3p4
Affects: github.com/mattermost/mattermost-server, github.com/mattermost/mattermost-server/v5, and 2 more
Published: Jun 28, 2024
Modified: Jul 09, 2024
Unreviewed

Mattermost Cross-site Scripting vulnerability in github.com/mattermost/mattermost-server. NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions. (If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.) The additional affected modules and versions are: github.com/mattermost/mattermost/server/v8 before v8.1.7.

GHSA-c9v7-wmwj-vf6x
Affects: github.com/gravitational/teleport
Published: Jun 28, 2024
Modified: Aug 19, 2024
Withdrawn: Jan 23, 2024
Unreviewed

(withdrawn)

CVE-2023-50333, GHSA-9w97-9rqx-8v4j
Affects: github.com/mattermost/mattermost-server, github.com/mattermost/mattermost-server/v5, and 2 more
Published: Jun 28, 2024
Modified: Jul 09, 2024
Unreviewed

Mattermost allows demoted guests to change group names in github.com/mattermost/mattermost-server. NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions. (If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.) The additional affected modules and versions are: github.com/mattermost/mattermost/server/v8 before v8.1.7.

GHSA-76cc-p55w-63g3
Affects: github.com/gravitational/teleport
Published: Jun 28, 2024
Modified: Aug 19, 2024
Withdrawn: Jan 23, 2024
Unreviewed

(withdrawn)

GHSA-7xg2-83f8-39mr
Affects: github.com/karmada-io/karmada
Published: Jun 28, 2024
Unreviewed

The DES/3DES cipher was used as part of the TLS protocol by installation tools in github.com/karmada-io/karmada

CVE-2023-43741, GHSA-r5hg-349q-mg2q
Affects: github.com/buildkite/elastic-ci-stack-for-aws, github.com/buildkite/elastic-ci-stack-for-aws/v5, and 1 more
Published: Jun 28, 2024
Unreviewed

Buildkite Elastic CI for AWS time-of-check-time-of-use race condition vulnerability in github.com/buildkite/elastic-ci-stack-for-aws

CVE-2023-46742, GHSA-vwch-g97w-hfg2
Affects: github.com/cubefs/cubefs
Published: Jun 28, 2024
Modified: Jul 09, 2024
Unreviewed

CubeFS leaks users key in logs in github.com/cubefs/cubefs. NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions. (If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.) The additional affected modules and versions are: github.com/cubefs/cubefs before v3.3.1.

CVE-2023-46741, GHSA-8h2x-gr2c-c275
Affects: github.com/cubefs/cubefs
Published: Jun 28, 2024
Modified: Jul 09, 2024
Unreviewed

CubeFS leaks magic secret key when starting Blobstore access service in github.com/cubefs/cubefs. NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions. (If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.) The additional affected modules and versions are: github.com/cubefs/cubefs before v3.3.1.

CVE-2023-46739, GHSA-8579-7p32-f398
Affects: github.com/cubefs/cubefs
Published: Jun 28, 2024
Modified: Jul 09, 2024
Unreviewed

CubeFS timing attack can leak user passwords in github.com/cubefs/cubefs. NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions. (If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.) The additional affected modules and versions are: github.com/cubefs/cubefs before v3.3.1.

CVE-2023-46740, GHSA-4248-p65p-hcrm
Affects: github.com/cubefs/cubefs
Published: Jun 28, 2024
Modified: Jul 09, 2024
Unreviewed

Insecure random string generator used for sensitive data in github.com/cubefs/cubefs. NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions. (If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.) The additional affected modules and versions are: github.com/cubefs/cubefs before v3.3.1.

CVE-2023-46738, GHSA-qc6v-g3xw-grmx
Affects: github.com/cubefs/cubefs
Published: Jun 28, 2024
Modified: Jul 09, 2024
Unreviewed

Authenticated users can crash the CubeFS servers with maliciously crafted requests in github.com/cubefs/cubefs. NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions. (If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.) The additional affected modules and versions are: github.com/cubefs/cubefs before v3.3.1.

CVE-2023-5044, GHSA-fp9f-44c2-cw27
Affects: k8s.io/ingress-nginx
Published: Jun 28, 2024
Modified: Jul 09, 2024
Unreviewed

Ingress-nginx code injection via nginx.ingress.kubernetes.io/permanent-redirect annotation in k8s.io/ingress-nginx. NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions. (If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.) The additional affected modules and versions are: k8s.io/ingress-nginx before v1.9.0.

CVE-2023-52081, GHSA-wpmx-564x-h2mh
Affects: github.com/ewen-lbh/ffcss
Published: Aug 21, 2024
Unreviewed

ewen-lbh/ffcss Late-Unicode normalization vulnerability in github.com/ewen-lbh/ffcss

CVE-2016-15036, GHSA-jpfp-xq3p-4h3r
Affects: github.com/deis/workflow-manager
Published: Aug 21, 2024
Unreviewed

Deis Workflow Manager race condition vulnerability in github.com/deis/workflow-manager

CVE-2023-51442, GHSA-wq59-4q6r-635r
Affects: github.com/navidrome/navidrome
Published: Aug 21, 2024
Unreviewed

Authentication bypass vulnerability in navidrome's subsonic endpoint in github.com/navidrome/navidrome

CVE-2023-49922, GHSA-hj4r-2c9c-29h3
Affects: github.com/elastic/beats/v7
Published: Jan 03, 2024
Modified: May 20, 2024

Sensitive information logged in github.com/elastic/beats/v7

GHSA-7ww5-4wqc-m92c
Affects: github.com/containerd/containerd
Published: Jan 02, 2024
Modified: May 20, 2024

RAPL accessibility in github.com/containerd/containerd

CVE-2023-50658, GHSA-mhpq-9638-x6pw, and 1 more
Affects: github.com/dvsekhvalnov/jose2go
Published: Dec 20, 2023
Modified: Jul 02, 2024

An attacker controlled input of a PBES2 encrypted JWE blob can have a very large p2c value that, when decrypted, produces a denial-of-service.

CVE-2023-48795, GHSA-45x7-px36-x8w8
Affects: golang.org/x/crypto
Published: Dec 18, 2023
Modified: May 20, 2024

A protocol weakness allows a MITM attacker to compromise the integrity of the secure channel before it is established, allowing the attacker to prevent transmission of a number of messages immediately after the secure channel is established without either side being aware. The impact of this attack is relatively limited, as it does not compromise confidentiality of the channel. Notably this attack would allow an attacker to prevent the transmission of the SSH2_MSG_EXT_INFO message, disabling a handful of newer security features. This protocol weakness was also fixed in OpenSSH 9.6.

CVE-2023-50424, GHSA-92cg-ghq6-9587, and 1 more
Affects: github.com/sap/cloud-security-client-go
Published: Dec 16, 2023
Modified: May 20, 2024

An unauthenticated attacker can obtain arbitrary permissions within the application under certain conditions.

CVE-2023-6337, GHSA-6p62-6cg9-f5f5
Affects: github.com/hashicorp/vault
Published: Jan 03, 2024
Modified: May 20, 2024

Unauthenticated and authenticated HTTP requests from a client will be attempted to be mapped to memory. Large requests may result in the exhaustion of available memory on the host, which may cause crashes and denial of service.

GHSA-4rgc-5g6r-2rjf
Affects: github.com/treeverse/lakefs
Published: Aug 21, 2024
Unreviewed

lakeFS logs S3 credentials in plain text in github.com/treeverse/lakefs

GHSA-26hr-q2wp-rvc5
Affects: github.com/treeverse/lakefs
Published: Aug 21, 2024
Unreviewed

User with permission to write actions can impersonate another user when auth token is configured in environment variable in github.com/treeverse/lakefs

CVE-2023-50463, GHSA-rxg9-hgq7-8pwx
Affects: github.com/shift72/caddy-geo-ip
Published: Jan 02, 2024
Modified: May 20, 2024

The caddy-geo-ip (aka GeoIP) middleware for Caddy 2 allows attackers to spoof their source IP address via an X-Forwarded-For header, which may bypass a protection mechanism (trusted_proxy directive in reverse_proxy or IP address range restrictions).

GHSA-v7hc-87jc-qrrr
Affects: knative.dev/eventing-github
Published: Aug 21, 2024
Unreviewed

eventing-github vulnerable to denial of service caused by improper enforcement of the timeout on individual read operations in knative.dev/eventing-github

CVE-2023-45292, GHSA-5mmw-p5qv-w3x5
Affects: github.com/mojocn/base64Captcha
Published: Dec 08, 2023
Modified: May 20, 2024

When using the default implementation of Verify to check a Captcha, verification can be bypassed. For example, if the first parameter is a non-existent id, the second parameter is an empty string, and the third parameter is true, the function will always consider the Captcha to be correct.

CVE-2023-26154, GHSA-5844-q3fc-56rh
Affects: github.com/pubnub/go, github.com/pubnub/go/v5, and 3 more
Published: Jan 02, 2024
Modified: May 20, 2024

There is insufficient entropy in the implementation of the AES-256-CBC cryptographic algorithm. The provided encrypt functions are less secure when hex encoding and trimming are applied, leaving half of the bits in the key always the same for every encoded message or file. Users are encouraged to migrate to the new crypto package introduced in v7.2.0.

CVE-2023-45285
Affects: cmd/go
Published: Dec 06, 2023
Modified: May 20, 2024

Using go get to fetch a module with the ".git" suffix may unexpectedly fallback to the insecure "git://" protocol if the module is unavailable via the secure "https://" and "git+ssh://" protocols, even if GOINSECURE is not set for said module. This only affects users who are not using the module proxy and are fetching modules directly (i.e. GOPROXY=off).

CVE-2023-39326
Affects: net/http/internal
Published: Dec 06, 2023
Modified: May 20, 2024

A malicious HTTP sender can use chunk extensions to cause a receiver reading from a request or response body to read many more bytes from the network than are in the body. A malicious HTTP client can further exploit this to cause a server to automatically read a large amount of data (up to about 1GiB) when a handler fails to read the entire body of a request. Chunk extensions are a little-used HTTP feature which permit including additional metadata in a request or response body sent using the chunked encoding. The net/http chunked encoding reader discards this metadata. A sender can exploit this by inserting a large metadata segment with each byte transferred. The chunk reader now produces an error if the ratio of real body to encoded bytes grows too small.

CVE-2023-47124, GHSA-8g85-whqh-cr2f
Affects: github.com/traefik/traefik, github.com/traefik/traefik/v2, and 1 more
Published: Aug 21, 2024
Unreviewed

Traefik vulnerable to potential DDoS via ACME HTTPChallenge in github.com/traefik/traefik

CVE-2023-49292, GHSA-8j98-cjfr-qx3h
Affects: github.com/ecies/go/v2
Published: Dec 11, 2023
Modified: May 20, 2024

An attacker may be able to recover private keys due to a bug in the ECDH function. The library does not check whether the provided public key is on the curve, which means that an attacker can create a public key that is not on the curve and use it to recover the private key. A workaround is to manually check that the public key is valid by calling the IsOnCurve function from the secp256k1 libraries.

CVE-2023-49290, GHSA-7f9x-gw85-8grf
Affects: github.com/lestrrat-go/jwx, github.com/lestrrat-go/jwx/v2
Published: Dec 11, 2023
Modified: May 20, 2024

The JWE key management algorithms based on PBKDF2 require a JOSE Header Parameter called p2c (PBES2 Count). This parameter dictates the number of PBKDF2 iterations needed to derive a CEK wrapping key. Its purpose is to intentionally slow down the key derivation function, making password brute-force and dictionary attacks more resource-intensive. However, if an attacker sets the p2c parameter in JWE to a very large number, it can cause excessive computational consumption.

GHSA-j3rq-4xjw-xg63
Affects: github.com/edgelesssys/marblerun
Published: Aug 21, 2024
Unreviewed

Go package github.com/edgelesssys/marblerun CLI commands susceptible to MITM attacks

CVE-2023-47633, GHSA-6fwg-jrfw-ff7p
Affects: github.com/traefik/traefik, github.com/traefik/traefik/v2, and 1 more
Published: Aug 21, 2024
Unreviewed

Traefik docker container using 100% CPU in github.com/traefik/traefik

CVE-2023-47106, GHSA-fvhj-4qfh-q2hm
Affects: github.com/traefik/traefik, github.com/traefik/traefik/v2, and 1 more
Published: Aug 21, 2024
Unreviewed

Traefik incorrectly processes fragment in the URL, leads to Authorization Bypass in github.com/traefik/traefik

CVE-2023-45287
Affects: crypto/tls
Published: Dec 05, 2023
Modified: May 20, 2024

Before Go 1.20, the RSA based TLS key exchanges used the math/big library, which is not constant time. RSA blinding was applied to prevent timing attacks, but analysis shows this may not have been fully effective. In particular it appears as if the removal of PKCS#1 padding may leak timing information, which in turn could be used to recover session key bits. In Go 1.20, the crypto/tls library switched to a fully constant time RSA implementation, which we do not believe exhibits any timing side channels.

CVE-2023-48713, GHSA-qmvj-4qr9-v547
Affects: knative.dev/serving
Published: Aug 21, 2024
Unreviewed

Knative Serving vulnerable to attacker-controlled pod causing denial of service of autoscaler in knative.dev/serving

CVE-2023-48312, GHSA-fpvw-6m5v-hqfp
Affects: github.com/projectcapsule/capsule-proxy
Published: Aug 21, 2024
Unreviewed

Capsule Proxy Authentication bypass using an empty token in github.com/projectcapsule/capsule-proxy

CVE-2023-2980, GHSA-j327-c69h-4gh8
Affects: github.com/pydio/cells, github.com/pydio/cells/v4
Published: Aug 21, 2024
Unreviewed

Abstrium Pydio Cells Resource Injection vulnerability in github.com/pydio/cells

CVE-2023-5528, GHSA-hq6q-c2x6-hmch
Affects: k8s.io/kubernetes
Published: Aug 21, 2024
Unreviewed

Kubernetes Improper Input Validation vulnerability in k8s.io/kubernetes

CVE-2023-47630, GHSA-3hfq-cx9j-923w
Affects: github.com/kyverno/kyverno
Published: Aug 21, 2024
Unreviewed

Attacker can cause Kyverno user to unintentionally consume insecure image in github.com/kyverno/kyverno

CVE-2023-42816, GHSA-4mp4-46gq-hv3r
Affects: github.com/kyverno/kyverno
Published: Aug 21, 2024
Unreviewed

Denial of service from malicious signature in kyverno in github.com/kyverno/kyverno

CVE-2023-42815, GHSA-hjpv-68f4-2262
Affects: github.com/kyverno/kyverno
Published: Aug 21, 2024
Unreviewed

Denial of service from malicious image manifest in kyverno in github.com/kyverno/kyverno

CVE-2023-42814, GHSA-9g37-h7p2-2c6r
Affects: github.com/kyverno/kyverno
Published: Aug 21, 2024
Unreviewed

Denial of service from malicious image manifest in kyverno in github.com/kyverno/kyverno

CVE-2023-42813, GHSA-wc3x-5rfv-hh5v
Affects: github.com/kyverno/kyverno
Published: Aug 21, 2024
Unreviewed

Denial of service from malicious manifest in kyverno in github.com/kyverno/kyverno

GHSA-2c7c-3mj9-8fqh
Affects: github.com/go-jose/go-jose/v3, github.com/square/go-jose
Published: Nov 21, 2023
Modified: May 20, 2024

The go-jose package is subject to a "billion hashes attack" causing denial-of-service when decrypting JWE inputs. This occurs when an attacker can provide a PBES2 encrypted JWE blob with a very large p2c value that, when decrypted, produces a denial-of-service.

GHSA-rjjm-x32p-m3f7
Affects: github.com/consensys/gnark
Published: Nov 15, 2023
Modified: May 20, 2024

Range checker gadget allows wider inputs than allowed in github.com/consensys/gnark

CVE-2023-47122, GHSA-xvrc-2wvh-49vc
Affects: github.com/sigstore/gitsign
Published: Aug 21, 2024
Unreviewed

Gitsign's Rekor public keys fetched from upstream API instead of local TUF client. in github.com/sigstore/gitsign

CVE-2023-47108, GHSA-8pgv-569h-w5rw
Affects: go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc
Published: Jun 27, 2024

The grpc Unary Server Interceptor created by the otelgrpc package added the labels net.peer.sock.addr and net.peer.sock.port with unbounded cardinality. This can lead to the server's potential memory exhaustion when many malicious requests are sent. This leads to a denial-of-service.

CVE-2023-3676, GHSA-7fxm-f474-hf8w
Affects: k8s.io/kubernetes
Published: Aug 21, 2024
Unreviewed

Kubernetes privilege escalation vulnerability in k8s.io/kubernetes

CVE-2023-5954, GHSA-4qhc-v8r6-8vwm
Affects: github.com/hashicorp/vault
Published: Aug 21, 2024
Unreviewed

HashiCorp Vault Missing Release of Memory after Effective Lifetime vulnerability in github.com/hashicorp/vault

CVE-2023-45286, GHSA-xwh9-gc39-5298
Affects: github.com/go-resty/resty/v2
Published: Nov 27, 2023
Modified: May 20, 2024

A race condition in go-resty can result in HTTP request body disclosure across requests. This condition can be triggered by calling sync.Pool.Put with the same *bytes.Buffer more than once, when request retries are enabled and a retry occurs. The call to sync.Pool.Get will then return a bytes.Buffer that hasn't had bytes.Buffer.Reset called on it. This dirty buffer will contain the HTTP request body from an unrelated request, and go-resty will append the current HTTP request body to it, sending two bodies in one request. The sync.Pool in question is defined at package level scope, so a completely unrelated server could receive the request body.

GHSA-r2xv-vpr2-42m9
Affects: github.com/slsa-framework/slsa-verifier, github.com/slsa-framework/slsa-verifier/v2
Published: Aug 21, 2024
Unreviewed

slsa-verifier vulnerable to mproper validation of npm's publish attestations in github.com/slsa-framework/slsa-verifier

CVE-2023-45284
Affects: path/filepath
Published: Nov 08, 2023
Modified: May 20, 2024

On Windows, The IsLocal function does not correctly detect reserved device names in some cases. Reserved names followed by spaces, such as "COM1 ", and reserved names "COM" and "LPT" followed by superscript 1, 2, or 3, are incorrectly reported as local. With fix, IsLocal now correctly reports these names as non-local.

CVE-2023-45283
Affects: path/filepath, internal/safefilepath, and 1 more
Published: Nov 08, 2023
Modified: May 20, 2024

The filepath package does not recognize paths with a \??\ prefix as special. On Windows, a path beginning with \??\ is a Root Local Device path equivalent to a path beginning with \\?\. Paths with a \??\ prefix may be used to access arbitrary locations on the system. For example, the path \??\c:\x is equivalent to the more common path c:\x. Before fix, Clean could convert a rooted path such as \a\..\??\b into the root local device path \??\b. Clean will now convert this to .\??\b. Similarly, Join(\, ??, b) could convert a seemingly innocent sequence of path elements into the root local device path \??\b. Join will now convert this to \.\??\b. In addition, with fix, IsAbs now correctly reports paths beginning with \??\ as absolute, and VolumeName correctly reports the \??\ prefix as a volume name. UPDATE: Go 1.20.11 and Go 1.21.4 inadvertently changed the definition of the volume name in Windows paths starting with \?, resulting in filepath.Clean(\?\c:) returning \?\c: rather than \?\c:\ (among other effects). The previous behavior has been restored.

CVE-2023-46737, GHSA-vfp6-jrw2-99g9
Affects: github.com/sigstore/cosign, github.com/sigstore/cosign/v2
Published: Nov 09, 2023
Modified: May 20, 2024

An attacker who controls a remote registry can return a high number of attestations and/or signatures to cosign. This can cause cosign to enter a long loop resulting in a denial of service, i.e., endless data attack.

CVE-2023-3893, GHSA-r6cc-7wj7-gfx2
Affects: github.com/kubernetes-csi/csi-proxy, github.com/kubernetes-csi/csi-proxy/v2
Published: Aug 21, 2024
Unreviewed

Kubernetes csi-proxy vulnerable to privilege escalation due to improper input validation in github.com/kubernetes-csi/csi-proxy

CVE-2023-3955, GHSA-q78c-gwqw-jcmc
Affects: k8s.io/kubernetes
Published: Aug 21, 2024
Unreviewed

Kubernetes privilege escalation vulnerability in k8s.io/kubernetes

CVE-2023-46255, GHSA-jg7w-cxjv-98c2
Affects: github.com/authzed/spicedb
Published: Aug 21, 2024
Unreviewed

SpiceDB leaks information in log files when URI cannot be parsed in github.com/authzed/spicedb

CVE-2023-46129, GHSA-mr45-rx8q-wcm9
Affects: github.com/nats-io/nkeys
Published: Nov 02, 2023
Modified: May 20, 2024

Curve KeyPairs always use the same (all-zeros) key to encrypt data, and provide no security.

CVE-2023-41891, GHSA-r847-6w6h-r8g4
Affects: github.com/flyteorg/flyteadmin
Published: Nov 02, 2023
Modified: May 20, 2024

A malicious user can send a REST request to a List endpoint with filters that contain custom SQL statements. This can result in SQL injection.

CVE-2023-46239, GHSA-3q6m-v84f-6p9h
Affects: github.com/quic-go/quic-go
Published: Nov 02, 2023
Modified: May 20, 2024

The QUIC handshake can cause a panic when processing a certain sequence of frames. A malicious peer can deliberately trigger this panic.

CVE-2021-25736, GHSA-35c7-w35f-xwgh
Affects: k8s.io/kubernetes
Published: Aug 21, 2024
Unreviewed

Kube-proxy may unintentionally forward traffic in k8s.io/kubernetes

CVE-2023-4457, GHSA-37x5-qpm8-53rq
Affects: github.com/grafana/google-sheets-datasource
Published: Nov 02, 2023
Modified: May 20, 2024

Error messages for the Google Sheets data source plugin were improperly sanitized. The Google Sheet API-key could potentially be exposed.

GHSA-w6rp-vxj2-fjhr
Affects: github.com/cosmos/ibc-apps/middleware/packet-forward-middleware/v4, github.com/cosmos/ibc-apps/middleware/packet-forward-middleware/v5, and 1 more
Published: Aug 21, 2024
Unreviewed

Cosmos packet-forward-middleware vulnerable to chain-halt in github.com/cosmos/ibc-apps/middleware/packet-forward-middleware

GHSA-m425-mq94-257g
Affects: google.golang.org/grpc
Published: Nov 01, 2023
Modified: May 20, 2024

An attacker can send HTTP/2 requests, cancel them, and send subsequent requests. This is valid by the HTTP/2 protocol, but would cause the gRPC-Go server to launch more concurrent method handlers than the configured maximum stream limit, grpc.MaxConcurrentStreams. This results in a denial of service due to resource consumption.

CVE-2023-45825, GHSA-q24m-6h38-5xj8
Affects: github.com/ydb-platform/ydb-go-sdk/v3
Published: Oct 24, 2023
Modified: May 20, 2024

A custom credentials object that does not implement the fmt.Stringer interface may leak sensitive information (e.g., credentials) via logs.

CVE-2023-45823, GHSA-hmq4-c2r4-5q8h
Affects: github.com/artifacthub/hub
Published: Aug 21, 2024
Unreviewed

Artifact Hub arbitrary file read vulnerability in github.com/artifacthub/hub

CVE-2023-45821, GHSA-g6pq-x539-7w4j
Affects: github.com/artifacthub/hub
Published: Aug 21, 2024
Unreviewed

Artifact Hub has Incorrect Docker Hub registry check in github.com/artifacthub/hub

CVE-2023-45822, GHSA-9pc8-m4vp-ggvf
Affects: github.com/artifacthub/hub
Published: Aug 21, 2024
Unreviewed

Artifact Hub allows unsafe rego built-in in github.com/artifacthub/hub

CVE-2023-47090, GHSA-fr2g-9hjm-wr23
Affects: github.com/nats-io/nats-server/v2
Published: Oct 24, 2023
Modified: May 20, 2024

Without any authorization rules in the nats-server, users can connect without authentication. Before nats-server 2.2.0, all authentication and authorization rules for a nats-server lived in an "authorization" block, defining users. With nats-server 2.2.0 all users live inside accounts. When using the authorization block, whose syntax predates this, those users will be placed into the implicit global account, "$G". Users inside accounts go into the newer "accounts" block. If an "accounts" block is defined, in simple deployment scenarios this is often used only to enable client access to the system account. When the only account added is the system account "$SYS", the nats-server would create an implicit user in "$G" and set it as the "no_auth_user" account, enabling the same "without authentication" logic as without any rules. This preserved the ability to connect simply, and then add one authenticated login for system access. But with an "authorization" block, this is wrong. Users exist in the global account, with login rules. And in simple testing, they might still connect fine without administrators seeing that authentication has been disabled. In the fixed versions, using an "authorization" block will inhibit the implicit creation of a "$G" user and setting it as the "no_auth_user" target. In unfixed versions, just creating a second account, with no users, will also inhibit this behavior.

CVE-2023-1943, GHSA-8gwj-m6vh-2g6j
Affects: k8s.io/kops
Published: Aug 21, 2024
Unreviewed

kOps privilege escalation vulnerability in k8s.io/kops

CVE-2023-45810, GHSA-hr4f-6jh8-f2vq
Affects: github.com/openfga/openfga
Published: Aug 21, 2024
Unreviewed

OpenFGA DoS vulnerability in github.com/openfga/openfga

GHSA-7p92-x423-vwj6
Affects: github.com/consensys/gnark
Published: Oct 24, 2023
Modified: May 20, 2024

A a third party may derive a valid proof from a valid initial tuple {proof, public_inputs}, corresponding to the same public inputs as the initial proof. This vulnerability is due to randomness being generated using a small part of the scratch memory describing the state, allowing for degrees of freedom in the transcript. Note that the impact is limited to the PlonK verifier smart contract.

CVE-2023-45141, GHSA-mv73-f69x-444p
Affects: github.com/gofiber/fiber/v2
Published: Oct 24, 2023
Modified: May 20, 2024

A cross-site request forgery vulnerability can allow an attacker to obtain tokens and forge malicious requests on behalf of a user. This can lead to unauthorized actions being taken on the user's behalf, potentially compromising the security and integrity of the application. The vulnerability is caused by improper validation and enforcement of CSRF tokens within the application. The CSRF token is validated against tokens in storage but was is not tied to the original requestor that generated it, allowing for token reuse.

CVE-2023-45128, GHSA-94w9-97p3-p368
Affects: github.com/gofiber/fiber/v2
Published: Oct 24, 2023
Modified: May 20, 2024

A cross-site request forgery vulnerability in this package can allow an attacker to inject arbitrary values and forge malicious requests on behalf of a user. The attacker may inject arbitrary values without any authentication, or perform various malicious actions on behalf of an authenticated user, potentially compromising the security and integrity of the application. The vulnerability is caused by improper validation and enforcement of CSRF tokens within the application. For 'safe' methods, the token is extracted from the cookie and saved to storage without further validation or sanitization. In addition, the CSRF token is validated against tokens in storage but not associated with a session, nor by using a Double Submit Cookie Method, allowing for token reuse.

CVE-2023-45683, GHSA-267v-3v32-g6q5
Affects: github.com/crewjam/saml
Published: Oct 24, 2023
Modified: May 20, 2024

The package does not validate the ACS Location URI according to the SAML binding being parsed. If abused, this flaw allows attackers to register malicious Service Providers at the IdP and inject Javascript in the ACS endpoint definition, achieving Cross-Site-Scripting (XSS) in the IdP context during the redirection at the end of a SAML SSO Flow. Consequently, an attacker may perform any authenticated action as the victim once the victim's browser loads the SAML IdP initiated SSO link for the malicious service provider.

CVE-2023-45142, GHSA-rcjv-mgp8-qvmr
Affects: go.opentelemetry.io/contrib/instrumentation/github.com/emicklei/go-restful/otelrestful, go.opentelemetry.io/contrib/instrumentation/github.com/gin-gonic/gin/otelgin, and 5 more
Published: Oct 16, 2023
Modified: May 20, 2024

Memory exhaustion in go.opentelemetry.io/contrib/instrumentation

CVE-2023-20902, GHSA-mq6f-5xh5-hgcf
Affects: github.com/goharbor/harbor
Published: Aug 21, 2024
Unreviewed

Harbor timing attack risk in github.com/goharbor/harbor

CVE-2023-39325, GHSA-4374-p667-p6c8
Affects: net/http, golang.org/x/net
Published: Oct 11, 2023
Modified: May 20, 2024

A malicious HTTP/2 client which rapidly creates requests and immediately resets them can cause excessive server resource consumption. While the total number of requests is bounded by the http2.Server.MaxConcurrentStreams setting, resetting an in-progress request allows the attacker to create a new request while the existing one is still executing. With the fix applied, HTTP/2 servers now bound the number of simultaneously executing handler goroutines to the stream concurrency limit (MaxConcurrentStreams). New requests arriving when at the limit (which can only happen after the client has reset an existing, in-flight request) will be queued until a handler exits. If the request queue grows too large, the server will terminate the connection. This issue is also fixed in golang.org/x/net/http2 for users manually configuring HTTP/2. The default stream concurrency limit is 250 streams (requests) per HTTP/2 connection. This value may be adjusted using the golang.org/x/net/http2 package; see the Server.MaxConcurrentStreams setting and the ConfigureServer function.

GHSA-pffg-92cg-xf5c
Affects: github.com/consensys/gnark-crypto
Published: Oct 09, 2023
Modified: May 20, 2024

Incorrect exponentiation results in github.com/consensys/gnark-crypto

CVE-2023-44378, GHSA-498w-5j49-vqjg
Affects: github.com/consensys/gnark
Published: Oct 09, 2023
Modified: May 20, 2024

Unsoundness in variable comparison / non-unique binary decomposition in github.com/consensys/gnark

CVE-2023-43809, GHSA-mc97-99j4-vm2v
Affects: github.com/charmbracelet/soft-serve
Published: Aug 21, 2024
Unreviewed

Soft Serve Public Key Authentication Bypass Vulnerability when Keyboard-Interactive SSH Authentication is Enabled in github.com/charmbracelet/soft-serve

CVE-2023-44273, GHSA-9xfq-8j3r-xp5g
Affects: github.com/consensys/gnark-crypto
Published: Oct 05, 2023
Modified: May 20, 2024

Signature malleability in github.com/consensys/gnark-crypto

CVE-2023-39323
Affects: cmd/go
Published: Oct 05, 2023
Modified: May 20, 2024

Line directives ("//line") can be used to bypass the restrictions on "//go:cgo_" directives, allowing blocked linker and compiler flags to be passed during compilation. This can result in unexpected execution of arbitrary code when running "go build". The line directive requires the absolute path of the file in which the directive lives, which makes exploiting this issue significantly more complex.

CVE-2023-5077, GHSA-86c6-3g63-5w64
Affects: github.com/hashicorp/vault
Published: Aug 21, 2024
Unreviewed

Hashicorp Vault Incorrect Permission Assignment for Critical Resource vulnerability in github.com/hashicorp/vault

CVE-2023-40026, GHSA-6jqw-jwf5-rp8h
Affects: github.com/argoproj/argo-cd, github.com/argoproj/argo-cd/v2
Published: Aug 21, 2024
Unreviewed

Path traversal allows leaking out-of-bound Helm charts from Argo CD repo-server in github.com/argoproj/argo-cd

CVE-2023-43645, GHSA-2hm9-h873-pgqh
Affects: github.com/openfga/openfga
Published: Aug 21, 2024
Unreviewed

OpenFGA Vulnerable to DoS from circular relationship definitions in github.com/openfga/openfga

CVE-2023-41333, GHSA-4xp2-w642-7mcx
Affects: github.com/cilium/cilium
Published: Aug 21, 2024
Unreviewed

Cilium vulnerable to bypass of namespace restrictions in CiliumNetworkPolicy in github.com/cilium/cilium

CVE-2023-41332, GHSA-24m5-r6hv-ccgp
Affects: github.com/cilium/cilium
Published: Aug 21, 2024
Unreviewed

Specific Cilium configurations vulnerable to DoS via Kubernetes annotations in github.com/cilium/cilium

CVE-2023-39347, GHSA-gj2r-phwg-6rww
Affects: github.com/cilium/cilium
Published: Aug 21, 2024
Unreviewed

Kubernetes users may update Pod labels to bypass network policy in github.com/cilium/cilium

CVE-2023-43644, GHSA-r5hm-mp3j-285g
Affects: github.com/sagernet/sing
Published: Oct 02, 2023
Modified: May 20, 2024

Authentication bypass in github.com/sagernet/sing

CVE-2022-3962, GHSA-6f4m-j56w-55c3
Affects: github.com/kiali/kiali
Published: Aug 21, 2024
Unreviewed

Kiali content spoofing vulnerability in github.com/kiali/kiali

CVE-2023-42821, GHSA-m9xq-6h2j-65r2
Affects: github.com/gomarkdown/markdown
Published: Sep 22, 2023
Modified: May 20, 2024

Parser out-of-bounds read caused by a malformed markdown input in github.com/gomarkdown/markdown

CVE-2023-43619, GHSA-ppjh-xp5v-46wc
Affects: github.com/schollz/croc, github.com/schollz/croc/v6, and 2 more
Published: Aug 21, 2024
Unreviewed

Croc sender may send dangerous new files to receiver in github.com/schollz/croc

CVE-2023-43617, GHSA-hp56-xvf4-g6wr
Affects: github.com/schollz/croc, github.com/schollz/croc/v6, and 2 more
Published: Aug 21, 2024
Unreviewed

Cros secrets may be disclosed to untrusted relay in github.com/schollz/croc

CVE-2023-43616, GHSA-8c8w-f7wp-2jr2
Affects: github.com/schollz/croc, github.com/schollz/croc/v6, and 2 more
Published: Aug 21, 2024
Unreviewed

Sender can cause a receiver to overwrite files during ZIP extraction in Croc in github.com/schollz/croc

CVE-2023-43618, GHSA-7mp6-929p-pqhj
Affects: github.com/schollz/croc, github.com/schollz/croc/v6, and 2 more
Published: Aug 21, 2024
Unreviewed

Croc requires senders to provide local IP addresses in cleartext in github.com/schollz/croc

CVE-2023-43621, GHSA-7g3v-4ggr-xvjf
Affects: github.com/schollz/croc, github.com/schollz/croc/v6, and 2 more
Published: Aug 21, 2024
Unreviewed

Croc may expose secret to local users in github.com/schollz/croc

CVE-2023-43620, GHSA-364c-vvqx-446c
Affects: github.com/schollz/croc, github.com/schollz/croc/v6, and 2 more
Published: Aug 21, 2024
Unreviewed

Croc sender may place ANSI or CSI escape sequences in filename to attach receiver's terminal device in github.com/schollz/croc

CVE-2023-37279, GHSA-x4hh-vjm7-g2jv
Affects: github.com/contribsys/faktory
Published: Aug 21, 2024
Unreviewed

Faktory Web Dashboard can lead to denial of service(DOS) via malicious user input in github.com/contribsys/faktory

CVE-2022-28357, GHSA-vpjc-4jcv-jc29
Affects: github.com/nats-io/nats-server, github.com/nats-io/nats-server/v2
Published: Aug 21, 2024
Unreviewed

NATS nats-server allows directory traversal via unintended path to a management action in github.com/nats-io/nats-server

CVE-2023-5036, GHSA-2g7r-9xq5-c6hv
Affects: github.com/usememos/memos
Published: Aug 21, 2024
Unreviewed

Cross-Site Request Forgery (CSRF) in usememos/memos in github.com/usememos/memos

CVE-2023-4680, GHSA-v84f-6r39-cpfc
Affects: github.com/hashicorp/vault
Published: Aug 21, 2024
Unreviewed

HashiCorp Vault Improper Input Validation vulnerability in github.com/hashicorp/vault

CVE-2023-4782, GHSA-h626-pv66-hhm7
Affects: github.com/hashicorp/terraform
Published: Aug 21, 2024
Unreviewed

Terraform allows arbitrary file write during the `init` operation in github.com/hashicorp/terraform

CVE-2023-41318, GHSA-5crw-6j7v-xc72
Affects: github.com/turt2live/matrix-media-repo
Published: Aug 21, 2024
Unreviewed

matrix-media-repo: Unsafe media served inline on download endpoints in github.com/turt2live/matrix-media-repo

CVE-2023-41338, GHSA-3q5p-3558-364f
Affects: github.com/gofiber/fiber/v2
Published: Sep 12, 2023
Modified: May 20, 2024

The Ctx.IsFromLocal function can incorrectly report a request as being sent from localhost when the request contains an X-Forwarded-For header containing a localhost IP address.

CVE-2023-4815, GHSA-pj2h-85jq-g5vg
Affects: github.com/answerdev/answer
Published: Aug 21, 2024
Unreviewed

Answer Missing Authentication for Critical Function in github.com/answerdev/answer

CVE-2023-40584, GHSA-g687-f2gx-6wm8
Affects: github.com/argoproj/argo-cd, github.com/argoproj/argo-cd/v2
Published: Aug 21, 2024
Unreviewed

Argo CD repo-server Denial of Service vulnerability in github.com/argoproj/argo-cd

CVE-2023-40029, GHSA-fwr2-64vr-xv9m
Affects: github.com/argoproj/argo-cd, github.com/argoproj/argo-cd/v2
Published: Aug 21, 2024
Unreviewed

Argo CD cluster secret might leak in cluster details page in github.com/argoproj/argo-cd

GHSA-6xv5-86q9-7xr8
Affects: github.com/cyphar/filepath-securejoin
Published: Sep 13, 2023
Modified: May 20, 2024

Certain rootfs and path combinations result in generated paths that are outside of the provided rootfs on Windows.

CVE-2023-40591, GHSA-ppjg-v974-84cm
Affects: github.com/ethereum/go-ethereum
Published: Oct 25, 2023
Modified: May 20, 2024

Unbounded memory consumption in github.com/ethereum/go-ethereum

CVE-2023-39322
Affects: crypto/tls
Published: Sep 07, 2023
Modified: May 20, 2024

QUIC connections do not set an upper bound on the amount of data buffered when reading post-handshake messages, allowing a malicious QUIC connection to cause unbounded memory growth. With fix, connections now consistently reject messages larger than 65KiB in size.

CVE-2023-39321
Affects: crypto/tls
Published: Sep 07, 2023
Modified: May 20, 2024

Processing an incomplete post-handshake message for a QUIC connection can cause a panic.

CVE-2023-39319
Affects: html/template
Published: Sep 07, 2023
Modified: May 20, 2024

The html/template package does not apply the proper rules for handling occurrences of "<script", "<!--", and "</script" within JS literals in <script> contexts. This may cause the template parser to improperly consider script contexts to be terminated early, causing actions to be improperly escaped. This could be leveraged to perform an XSS attack.

CVE-2023-39320
Affects: cmd/go
Published: Sep 07, 2023
Modified: May 20, 2024

The go.mod toolchain directive, introduced in Go 1.21, can be leveraged to execute scripts and binaries relative to the root of the module when the "go" command was executed within the module. This applies to modules downloaded using the "go" command from the module proxy, as well as modules downloaded directly using VCS software.

CVE-2023-39318
Affects: html/template
Published: Sep 07, 2023
Modified: May 20, 2024

The html/template package does not properly handle HTML-like "" comment tokens, nor hashbang "#!" comment tokens, in <script> contexts. This may cause the template parser to improperly interpret the contents of <script> contexts, causing actions to be improperly escaped. This may be leveraged to perform an XSS attack.

CVE-2023-4696, GHSA-j2gj-g3p9-7mrr
Affects: github.com/usememos/memos
Published: Aug 21, 2024
Unreviewed

Account TakeOver Due to Improper Handling of JWT Tokens in usememos/memos in github.com/usememos/memos

CVE-2023-4697, GHSA-5j6p-59cj-j6cp
Affects: github.com/usememos/memos
Published: Aug 21, 2024
Unreviewed

usememos/memos vulnerable to privilege escalation in github.com/usememos/memos

CVE-2023-40579, GHSA-jcf2-mxr2-gmqp
Affects: github.com/openfga/openfga
Published: Aug 21, 2024
Unreviewed

OpenFGA Authorization Bypass in github.com/openfga/openfga

CVE-2023-37469, GHSA-92vc-4fcw-g68q
Affects: github.com/IceWhaleTech/CasaOS
Published: Aug 21, 2024
Unreviewed

CasaOS Command Injection vulnerability in github.com/IceWhaleTech/CasaOS

CVE-2023-32079, GHSA-826j-8wp2-4x6q
Affects: github.com/gravitl/netmaker
Published: Aug 21, 2024
Unreviewed

Netmaker Vulnerable to Privilege Escalation From Non Admin To Admin User in github.com/gravitl/netmaker

CVE-2023-40583, GHSA-gcq9-qqwx-rgj3
Affects: github.com/libp2p/go-libp2p
Published: Sep 13, 2023
Modified: May 20, 2024

A malicious actor can store an arbitrary amount of data in the memory of a remote node by sending the node a message with a signed peer record. Signed peer records from randomly generated peers can be sent by a malicious actor. This memory does not get garbage collected and so the remote node can run out of memory (OOM).

CVE-2023-32078, GHSA-256m-j5qw-38f4
Affects: github.com/gravitl/netmaker
Published: Aug 21, 2024
Unreviewed

Netmaker IDOR Allows User to Update Other User's Password in github.com/gravitl/netmaker

CVE-2023-32077, GHSA-8x8h-hcq8-jwwx
Affects: github.com/gravitl/netmaker
Published: Aug 21, 2024
Unreviewed

Netmaker has Hardcoded DNS Secret Key in github.com/gravitl/netmaker

CVE-2023-40577, GHSA-v86x-5fm3-5p7j
Affects: github.com/prometheus/alertmanager
Published: Aug 21, 2024
Unreviewed

Alertmanager UI is vulnerable to stored XSS via the /api/v1/alerts endpoint in github.com/prometheus/alertmanager

CVE-2023-40025, GHSA-c8xw-vjgf-94hr
Affects: github.com/argoproj/argo-cd, github.com/argoproj/argo-cd/v2
Published: Aug 21, 2024
Unreviewed

Argo CD web terminal session doesn't expire in github.com/argoproj/argo-cd

CVE-2023-38976, GHSA-8697-479h-5mfp
Affects: github.com/weaviate/weaviate
Published: Nov 02, 2023
Modified: May 20, 2024

A type conversion issue in Weaviate may allow a remote attack that would cause a denial of service.

CVE-2023-40034, GHSA-4gcf-5m39-98mc
Affects: github.com/woodpecker-ci/woodpecker
Published: Aug 21, 2024
Unreviewed

Woodpecker does not validate webhook before changing any data in github.com/woodpecker-ci/woodpecker

GHSA-9phh-r37v-34wh
Affects: github.com/treeverse/lakefs
Published: Aug 21, 2024
Unreviewed

lakeFS vulnerable to Arbitrary JavaScript Injection via Direct Link to HTML Files in github.com/treeverse/lakefs

CVE-2023-40023, GHSA-xvhg-w6qc-m3qq
Affects: github.com/yaklang/yaklang
Published: Aug 21, 2024
Unreviewed

Yaklang Plugin's Fuzztag Component Allows Unauthorized Local File Reading in github.com/yaklang/yaklang

CVE-2023-39966, GHSA-hf7j-xj3w-87g4
Affects: github.com/1Panel-dev/1Panel
Published: Aug 21, 2024
Unreviewed

1Panel arbitrary file write vulnerability in github.com/1Panel-dev/1Panel

CVE-2023-39965, GHSA-85cf-gj29-f555
Affects: github.com/1Panel-dev/1Panel
Published: Aug 21, 2024
Unreviewed

1Panel Arbitrary File Download vulnerability in github.com/1Panel-dev/1Panel

CVE-2023-39964, GHSA-pv7q-v9mv-9mh5
Affects: github.com/1Panel-dev/1Panel
Published: Aug 21, 2024
Unreviewed

1Panel O&M management panel has a background arbitrary file reading vulnerability in github.com/1Panel-dev/1Panel

GHSA-8c37-7qx3-4c4p
Affects: github.com/supranational/blst
Published: Aug 10, 2023
Modified: May 20, 2024

When complemented with a check for infinity, blst skips performing a signature group-check. Formally speaking, infinity is the identity element of the elliptic curve group and as such it is a member of the group, so the group-check should be performed. The fix performs the check even in the presence of infinity.

CVE-2023-4125, GHSA-j63x-f657-2m9g
Affects: github.com/answerdev/answer
Published: Aug 21, 2024
Unreviewed

Answer has Weak Password Requirements in github.com/answerdev/answer

CVE-2023-39533, GHSA-876p-8259-xjgg
Affects: github.com/libp2p/go-libp2p
Published: Aug 08, 2023
Modified: May 20, 2024

Large RSA keys can lead to resource exhaustion attacks. With fix, the size of RSA keys transmitted during handshakes is restricted to <= 8192 bits.

CVE-2022-38795, GHSA-8j3v-68w3-3848
Affects: code.gitea.io/gitea
Published: Aug 21, 2024
Unreviewed

Gitea erroneous repo clones in code.gitea.io/gitea

CVE-2023-37896, GHSA-2xx4-jj5v-6mff
Affects: github.com/projectdiscovery/nuclei/v2
Published: Aug 23, 2023
Modified: May 20, 2024

Improper path sanitization in sandbox mode in github.com/projectdiscovery/nuclei/v2

CVE-2023-4124, GHSA-v9vc-7x69-c2x8
Affects: github.com/answerdev/answer
Published: Aug 21, 2024
Unreviewed

Answer Missing Authorization vulnerability in github.com/answerdev/answer

CVE-2023-4126, GHSA-ggcf-hwxp-rc77
Affects: github.com/answerdev/answer
Published: Aug 20, 2024
Unreviewed

Answer Insufficient Session Expiration vulnerability in github.com/answerdev/answer

CVE-2023-4127, GHSA-52h8-c876-989c
Affects: github.com/answerdev/answer
Published: Aug 20, 2024
Unreviewed

Answer has Race Condition within a Thread in github.com/answerdev/answer

CVE-2019-1010275, GHSA-x6r5-vxfg-gq3v
Affects: helm.sh/helm
Published: Aug 20, 2024
Unreviewed

Helm Improper Certificate Validation in helm.sh/helm

CVE-2019-11841, GHSA-x3jr-pf6g-c48f
Affects: golang.org/x/crypto
Published: Aug 23, 2023
Modified: May 20, 2024

The clearsign package accepts some malformed messages, making it possible for an attacker to trick a human user (but not a Go program) into thinking unverified text is part of the message. With fix, messages with malformed headers in the SIGNED MESSAGE section are rejected.

CVE-2019-12274, GHSA-gc62-j469-9gjm
Affects: github.com/rancher/rancher
Published: Aug 20, 2024
Unreviewed

Rancher Privilege Escalation Vulnerability in github.com/rancher/rancher

CVE-2023-29407, GHSA-j3p8-6mrq-6g7h
Affects: golang.org/x/image
Published: Aug 02, 2023
Modified: May 20, 2024

A maliciously-crafted image can cause excessive CPU consumption in decoding. A tiled image with a height of 0 and a very large width can cause excessive CPU consumption, despite the image size (width * height) appearing to be zero.

CVE-2023-29408, GHSA-x92r-3vfx-4cv3
Affects: golang.org/x/image
Published: Aug 02, 2023
Modified: May 20, 2024

The TIFF decoder does not place a limit on the size of compressed tile data. A maliciously-crafted image can exploit this to cause a small image (both in terms of pixel width/height, and encoded size) to make the decoder decode large amounts of compressed data, consuming excessive memory and CPU.

CVE-2023-3978, GHSA-2wrh-6pvc-2jm9
Affects: golang.org/x/net
Published: Aug 02, 2023
Modified: May 20, 2024

Text nodes not in the HTML namespace are incorrectly literally rendered, causing text which should be escaped to not be. This could lead to an XSS attack.

CVE-2023-29409
Affects: crypto/tls
Published: Aug 02, 2023
Modified: May 20, 2024

Extremely large RSA keys in certificate chains can cause a client/server to expend significant CPU time verifying signatures. With fix, the size of RSA keys transmitted during handshakes is restricted to <= 8192 bits. Based on a survey of publicly trusted RSA keys, there are currently only three certificates in circulation with keys larger than this, and all three appear to be test certificates that are not actively deployed. It is possible there are larger keys in use in private PKIs, but we target the web PKI, so causing breakage here in the interests of increasing the default safety of users of crypto/tls seems reasonable.

CVE-2023-3462, GHSA-9v3w-w2jh-4hff
Affects: github.com/hashicorp/vault
Published: Aug 20, 2024
Unreviewed

HashiCorp Vault and Vault Enterprise vulnerable to user enumeration in github.com/hashicorp/vault

CVE-2015-7561, GHSA-2h9c-34v6-3qmr
Affects: k8s.io/kubernetes
Published: Aug 20, 2024
Unreviewed

Kubernetes in OpenShift3 Access Control Misconfiguration in k8s.io/kubernetes

CVE-2020-24710, GHSA-9c9w-9pq7-f35h
Affects: github.com/gophish/gophish
Published: Aug 20, 2024
Unreviewed

Gophish vulnerable to Server-Side Request Forgery in github.com/gophish/gophish

CVE-2023-38495, GHSA-pj4x-2xr5-w87m
Affects: github.com/crossplane/crossplane
Published: Aug 20, 2024
Unreviewed

Possible image tampering from missing image validation for Packages in github.com/crossplane/crossplane

CVE-2023-37900, GHSA-68p4-95xf-7gx8
Affects: github.com/crossplane/crossplane
Published: Aug 20, 2024
Unreviewed

Denial of service from large image in github.com/crossplane/crossplane

CVE-2017-1002102, GHSA-mm7g-f2gg-cw8g
Affects: k8s.io/kubernetes
Published: Aug 20, 2024
Unreviewed

Kubernetes arbitrary file overwrite in k8s.io/kubernetes

CVE-2017-7297, GHSA-w3x4-9854-95x8
Affects: github.com/rancher/rancher
Published: Aug 20, 2024
Unreviewed

Rancher Access Control Vulnerability in github.com/rancher/rancher

CVE-2018-17031, GHSA-px5r-fqj6-r2f8
Affects: gogs.io/gogs
Published: Aug 20, 2024
Unreviewed

Gogs XSS Vulnerability in gogs.io/gogs

CVE-2018-15192, GHSA-fg3x-rwq9-74cw
Affects: code.gitea.io/gitea, gogs.io/gogs
Published: Aug 20, 2024
Unreviewed

Gogs and Gitea SSRF Vulnerability in code.gitea.io/gitea

CVE-2023-38496, GHSA-mmx5-32m4-wxvx
Affects: github.com/apptainer/apptainer
Published: Aug 20, 2024
Unreviewed

Ineffective privileges drop when requesting container network in github.com/apptainer/apptainer

CVE-2018-10856, GHSA-wp7w-vx86-vj9h
Affects: github.com/containers/podman, github.com/containers/podman/v2, and 2 more
Published: Aug 20, 2024
Unreviewed

Podman Elevated Container Privileges in github.com/containers/podman

CVE-2018-1002103, GHSA-6pcv-qqx4-mxm3
Affects: k8s.io/minikube
Published: Aug 20, 2024
Unreviewed

Minikube RCE via DNS Rebinding in k8s.io/minikube

CVE-2018-1002100, GHSA-2jq6-ffph-p4h8
Affects: k8s.io/kubernetes
Published: Aug 20, 2024
Unreviewed

Kubernetes arbitrary file overwrite in k8s.io/kubernetes

CVE-2023-37916, GHSA-87f6-8gr7-pc6h
Affects: github.com/KubeOperator/kubepi
Published: Aug 20, 2024
Unreviewed

KubePi may leak password hash of any user in github.com/KubeOperator/kubepi

CVE-2023-37917, GHSA-757p-vx43-fp9r
Affects: github.com/KubeOperator/kubepi
Published: Aug 20, 2024
Unreviewed

KubePi Privilege Escalation vulnerability in github.com/KubeOperator/kubepi

CVE-2023-37918, GHSA-59m6-82qm-vqgj
Affects: github.com/dapr/dapr
Published: Aug 20, 2024
Unreviewed

Dapr API token authentication bypass in HTTP endpoints in github.com/dapr/dapr

CVE-2018-21034, GHSA-xj7v-c82w-92q2
Affects: github.com/argoproj/argo-cd
Published: Aug 20, 2024
Unreviewed

Argo Exposure of Sensitive Information in github.com/argoproj/argo-cd

CVE-2018-15598, GHSA-2cjc-rgmp-x649
Affects: github.com/traefik/traefik
Published: Aug 20, 2024
Unreviewed

Traefik Missing Authentication in github.com/traefik/traefik

CVE-2019-1000008, GHSA-xrxm-mvqm-r553
Affects: helm.sh/helm
Published: Aug 20, 2024
Unreviewed

Helm Path Traversal in helm.sh/helm

CVE-2019-1002100, GHSA-q4rr-64r9-fwgf
Affects: k8s.io/kubernetes
Published: Aug 20, 2024
Modified: Aug 21, 2024
Unreviewed

Kubernetes DoS Vulnerability in k8s.io/kubernetes

CVE-2019-8336, GHSA-fhm8-cxcv-pwvc
Affects: github.com/hashicorp/consul
Published: Aug 20, 2024
Unreviewed

HashiCorp Consul Access Restriction Bypass in github.com/hashicorp/consul

CVE-2019-18466, GHSA-r34v-gqmw-qvgj
Affects: github.com/containers/libpod, github.com/containers/podman, and 3 more
Published: Aug 20, 2024
Unreviewed

Podman Symlink Vulnerability in github.com/containers/libpod

CVE-2023-37788, GHSA-4r8x-2p26-976p
Affects: github.com/elazarl/goproxy
Published: Jul 31, 2023
Modified: May 20, 2024

An invalid request can cause a panic when running in MITM mode.

CVE-2023-37477, GHSA-p9xf-74xh-mhw5
Affects: github.com/1Panel-dev/1Panel
Published: Aug 20, 2024
Unreviewed

1Panel command injection vulnerability in Firewall ip functionality in github.com/1Panel-dev/1Panel

CVE-2020-14457, GHSA-j2h2-cvwh-cr64
Affects: github.com/mattermost/mattermost, github.com/mattermost/mattermost-server, and 1 more
Published: Aug 20, 2024
Unreviewed

Mattermost Server Sensitive Data Exposure in github.com/mattermost/mattermost

CVE-2019-18658, GHSA-p5pc-m4q7-7qm9
Affects: helm.sh/helm
Published: Aug 20, 2024
Unreviewed

Helm Unsafe Link Following in helm.sh/helm

CVE-2019-16146, GHSA-9h9f-9q8g-6764
Affects: github.com/gophish/gophish
Published: Aug 20, 2024
Unreviewed

Gophish XSS Vulnerability in github.com/gophish/gophish

CVE-2023-37265, GHSA-vjh7-5r6x-xh6g
Affects: github.com/IceWhaleTech/CasaOS-Gateway
Published: Aug 20, 2024
Unreviewed

CasaOS Gateway vulnerable to incorrect identification of source IP addresses in github.com/IceWhaleTech/CasaOS-Gateway

CVE-2023-37266, GHSA-m5q5-8mfw-p2hr
Affects: github.com/IceWhaleTech/CasaOS
Published: Aug 20, 2024
Unreviewed

CasaOS contains weak JWT secrets in github.com/IceWhaleTech/CasaOS

CVE-2023-37475, GHSA-9x44-9pgq-cf45
Affects: github.com/hamba/avro/v2, github.com/hamba/avro
Published: Jul 25, 2023
Modified: May 20, 2024

Unrestricted memory consumption in github.com/hamba/avro

CVE-2019-12618, GHSA-2w2v-xcr9-mj4m
Affects: github.com/hashicorp/nomad
Published: Aug 20, 2024
Unreviewed

Hashicorp Nomad Access Control Issues in github.com/hashicorp/nomad

CVE-2019-10152, GHSA-rh5f-2w6r-q7vj
Affects: github.com/containers/podman
Published: Aug 20, 2024
Unreviewed

Podman Path Traversal Vulnerability leads to arbitrary file read/write in github.com/containers/podman

CVE-2023-34236, GHSA-6hvv-j432-23cv
Affects: github.com/weaveworks/tf-controller
Published: Aug 20, 2024
Unreviewed

Weave GitOps Terraform Controller Information Disclosure Vulnerability in github.com/weaveworks/tf-controller

CVE-2019-13915, GHSA-6452-jr93-r5qm
Affects: github.com/b3log/wide
Published: Aug 20, 2024
Unreviewed

b3log Wide unauthenticated file access in github.com/b3log/wide

CVE-2019-14243, GHSA-85c5-ccm8-vr96
Affects: github.com/mastercactapus/proxyprotocol
Published: Jul 25, 2023
Modified: May 20, 2024

Panic when handling invalid HAProxy PROXY v2 request in github.com/mastercactapus/proxyprotocol

CVE-2019-1010261, GHSA-5rh7-6gfj-mc87
Affects: code.gitea.io/gitea
Published: Aug 20, 2024
Unreviewed

Gitea XSS Vulnerability in code.gitea.io/gitea

CVE-2019-12452, GHSA-r3fq-cmmw-cpmm
Affects: github.com/traefik/traefik
Published: Aug 20, 2024
Unreviewed

Containous Traefik Exposes Password Hashes in github.com/traefik/traefik

CVE-2020-10749, GHSA-fx6x-h9g4-56f8
Affects: github.com/containernetworking/plugins
Published: Aug 20, 2024
Unreviewed

containernetworking/plugins vulnerable to MitM attacks in github.com/containernetworking/plugins

GHSA-f28g-86hc-823q
Affects: github.com/superfly/tokenizer
Published: Jul 25, 2023
Modified: May 20, 2024

Brute-force of token secrets in github.com/superfly/tokenizer

CVE-2023-34458, GHSA-j494-7x2v-vvvp
Affects: github.com/multiversx/mx-chain-go
Published: Aug 20, 2024
Unreviewed

mx-chain-go's relayed transactions always increment nonce in github.com/multiversx/mx-chain-go

CVE-2021-29417, GHSA-4j5x-f394-xx79
Affects: github.com/liamg/gitjacker
Published: Aug 20, 2024
Unreviewed

gitjacker arbitrary code execution in github.com/liamg/gitjacker

CVE-2022-47931, GHSA-cvcx-g7wh-x8rf
Affects: github.com/bnb-chain/tss-lib, github.com/binance-chain/tss-lib
Published: Jul 11, 2023
Modified: May 22, 2024

Collision of hash values in github.com/bnb-chain/tss-lib.

CVE-2023-37264, GHSA-w2h3-vvvq-3m53
Affects: github.com/tektoncd/pipeline
Published: Aug 20, 2024
Unreviewed

Pipelines do not validate child UIDs in github.com/tektoncd/pipeline

CVE-2023-24999, GHSA-wmg5-g953-qqfw
Affects: github.com/hashicorp/vault
Published: Aug 20, 2024
Unreviewed

Hashicorp Vault Fails to Verify if Approle SecretID Belongs to Role During a Destroy Operation in github.com/hashicorp/vault

CVE-2023-1296, GHSA-hhvx-8755-4cvw
Affects: github.com/hashicorp/nomad
Published: Aug 20, 2024
Unreviewed

Hashicorp Nomad ACLs Cannot Deny Access to Workload’s Own Variables in github.com/hashicorp/nomad

CVE-2023-0690, GHSA-9vrm-v9xv-x3xr
Affects: github.com/hashicorp/boundary
Published: Aug 20, 2024
Unreviewed

HashiCorp Boundary Workers Store Rotated Credentials in Plaintext Even When Key Management Service Configured in github.com/hashicorp/boundary

CVE-2022-41316, GHSA-9mh8-9j64-443f
Affects: github.com/hashicorp/vault
Published: Aug 20, 2024
Unreviewed

HashiCorp Vault's revocation list not respected in github.com/hashicorp/vault

CVE-2022-32172, GHSA-7j6x-42mm-p7jm
Affects: github.com/zinclabs/zinc
Published: Aug 20, 2024
Unreviewed

Zinc Cross-site Scripting vulnerability in github.com/zinclabs/zinc

CVE-2022-32171, GHSA-4fgv-8448-gf82
Affects: github.com/zinclabs/zinc
Published: Aug 20, 2024
Unreviewed

Zinc Cross-site Scripting vulnerability in github.com/zinclabs/zinc

CVE-2023-3515, GHSA-cf6v-9j57-v6r6
Affects: code.gitea.io/gitea
Published: Aug 20, 2024
Unreviewed

code.gitea.io/gitea Open Redirect vulnerability

CVE-2023-2728, GHSA-cgcv-5272-97pr
Affects: k8s.io/kubernetes
Published: Aug 20, 2024
Unreviewed

Kubernetes mountable secrets policy bypass in k8s.io/kubernetes

CVE-2023-2727, GHSA-qc2g-gmh6-95p4
Affects: k8s.io/kubernetes
Published: Aug 20, 2024
Unreviewed

kube-apiserver vulnerable to policy bypass in k8s.io/kubernetes

CVE-2023-36458, GHSA-7x2c-fgx6-xf9h
Affects: github.com/1Panel-dev/1Panel
Published: Aug 20, 2024
Unreviewed

1Panel vulnerable to command injection when entering the container terminal in github.com/1Panel-dev/1Panel

CVE-2023-36457, GHSA-q2mx-gpjf-3h8x
Affects: github.com/1Panel-dev/1Panel
Published: Aug 20, 2024
Unreviewed

1Panel vulnerable to command injection when adding container repositories in github.com/1Panel-dev/1Panel

CVE-2023-34451, GHSA-w24w-wp77-qffm
Affects: github.com/cometbft/cometbft
Published: Jul 13, 2023
Modified: May 20, 2024

A bug in the CometBFT middleware causes the mempool's two data structures to fall out of sync. This can lead to duplicate transactions that cannot be removed, even after they are committed in a block. The only way to remove the transaction is to restart the node. This can be exploited by an attacker to bring down a node by repeatedly submitting duplicate transactions.

CVE-2023-34450, GHSA-mvj3-qrqh-cjvr
Affects: github.com/cometbft/cometbft
Published: Jul 06, 2023
Modified: May 20, 2024

An internal modification to the way PeerState is serialized to JSON introduced a deadlock when the new function MarshalJSON is called. This function can be called in two ways. The first is via logs, by setting the consensus logging module to "debug" level (which should not happen in production), and setting the log output format to JSON. The second is via RPC dump_consensus_state.

GHSA-w5w5-2882-47pc
Affects: github.com/cosmos/cosmos-sdk
Published: Jul 06, 2023
Modified: May 20, 2024

If a transaction is sent to the x/crisis module to check an invariant, the ConstantFee parameter of the chain is not charged. No patch will be released, as the package is planned to be deprecated and replaced.

CVE-2023-3485, GHSA-gm2g-2xr9-pxxj
Affects: go.temporal.io/server
Published: Aug 20, 2024
Unreviewed

Temporal Server vulnerable to Incorrect Authorization and Insecure Default Initialization of Resource in go.temporal.io/server

CVE-2023-29406
Affects: net/http
Published: Jul 11, 2023
Modified: May 20, 2024

The HTTP/1 client does not fully validate the contents of the Host header. A maliciously crafted Host header can inject additional headers or entire requests. With fix, the HTTP/1 client now refuses to send requests containing an invalid Request.Host or Request.URL.Host value.

CVE-2023-40586, GHSA-c2pj-v37r-2p6h
Affects: github.com/corazawaf/coraza/v2, github.com/corazawaf/coraza/v3
Published: Jul 05, 2023
Modified: May 20, 2024

Due to the misuse of log.Fatalf, Coraza may crash after receiving crafted requests from attackers.

CVE-2023-35933, GHSA-hr9r-8phq-5x8j
Affects: github.com/openfga/openfga
Published: Jul 05, 2023
Modified: May 20, 2024

OpenFGA is vulnerable to a denial of service attack when certain Check and ListObjects calls are executed against authorization models that contain circular relationship definitions.

CVE-2023-35930, GHSA-m54h-5x5f-5m6r
Affects: github.com/authzed/spicedb
Published: Aug 20, 2024
Unreviewed

SpiceDB's LookupResources may return partial results in github.com/authzed/spicedb

CVE-2022-47930
Affects: github.com/bnb-chain/tss-lib, github.com/binance-chain/tss-lib
Published: Jul 11, 2023
Modified: May 20, 2024

Replay attacks involving proofs in github.com/bnb-chain/tss-lib.

CVE-2023-34758, CVE-2023-35170, and 1 more
Affects: github.com/bishopfox/sliver
Published: Aug 20, 2024
Unreviewed

Silver vulnerable to MitM attack against implants due to a cryptography vulnerability in github.com/bishopfox/sliver

CVE-2023-35163, GHSA-8rc9-vxjh-qjf2
Affects: code.vegaprotocol.io/vega
Published: Aug 20, 2024
Unreviewed

Vega's validators able to submit duplicate transactions in code.vegaprotocol.io/vega

CVE-2023-2431, GHSA-xc8m-28vv-4pjc
Affects: k8s.io/kubernetes
Published: Aug 20, 2024
Unreviewed

Kubelet vulnerable to bypass of seccomp profile enforcement in k8s.io/kubernetes

CVE-2023-30625, GHSA-3jmm-f6jj-rcc3
Affects: github.com/rudderlabs/rudder-server
Published: Aug 20, 2024
Unreviewed

rudder-server is vulnerable to SQL injection in github.com/rudderlabs/rudder-server

CVE-2023-34242, GHSA-r7wr-4w5q-55m6
Affects: github.com/cilium/cilium
Published: Aug 20, 2024
Unreviewed

Cilium vulnerable to information leakage via incorrect ReferenceGrant handling in github.com/cilium/cilium

GHSA-j2cr-jc39-wpx5, GHSA-w44m-8mv2-v78h
Affects: github.com/cosmos/cosmos-sdk
Published: Jun 22, 2023
Modified: May 20, 2024

The cosmos-sdk module is affected by the vulnerability codenamed "Barberry".

Affects: github.com/cosmos/ibc-go/v7, github.com/cosmos/ibc-go/v6, and 2 more
Published: Jun 15, 2023
Modified: May 20, 2024

The ibc-go module is affected by the Inter-Blockchain Communication (IBC) protocol "Huckleberry" vulnerability.

GHSA-rm8v-mxj3-5rmq
Affects: github.com/lestrrat-go/jwx, github.com/lestrrat-go/jwx/v2
Published: Jun 22, 2023
Modified: May 20, 2024

AES-CBC decryption is vulnerable to a timing attack which may permit an attacker to recover the plaintext of JWE data.

GHSA-f99h-w337-mv56
Affects: github.com/malfunkt/iprange
Published: Jul 11, 2023
Modified: May 20, 2024

Parsing a range with a mask larger than 32 bits causes a panic.

CVE-2019-9764, GHSA-q7fx-wm2p-qfj8
Affects: github.com/hashicorp/consul
Published: Aug 20, 2024
Unreviewed

HashiCorp Consul vulnerable to Origin Validation Error in github.com/hashicorp/consul

CVE-2019-12291, GHSA-h65h-v7fw-4p38
Affects: github.com/hashicorp/consul
Published: Aug 20, 2024
Unreviewed

HashiCorp Consul Incorrect Access Control vulnerability in github.com/hashicorp/consul

CVE-2020-25864, GHSA-8xmx-h8rq-h94j
Affects: github.com/hashicorp/consul
Published: Aug 20, 2024
Unreviewed

HashiCorp Consul Cross-site Scripting vulnerability in github.com/hashicorp/consul

CVE-2018-19653, GHSA-4qvx-qq5w-695p
Affects: github.com/hashicorp/consul
Published: Aug 20, 2024
Unreviewed

HashiCorp Consul can use cleartext agent-to-agent RPC communication in github.com/hashicorp/consul

CVE-2023-2121, GHSA-gq98-53rq-qr5h
Affects: github.com/hashicorp/vault
Published: Aug 20, 2024
Unreviewed

Hashicorp Vault vulnerable to Cross-site Scripting in github.com/hashicorp/vault

CVE-2023-29405
Affects: cmd/go, cmd/cgo
Published: Jun 08, 2023
Modified: May 20, 2024

The go command may execute arbitrary code at build time when using cgo. This may occur when running "go get" on a malicious module, or when running any other command which builds untrusted code. This is can by triggered by linker flags, specified via a "#cgo LDFLAGS" directive. Flags containing embedded spaces are mishandled, allowing disallowed flags to be smuggled through the LDFLAGS sanitization by including them in the argument of another flag. This only affects usage of the gccgo compiler.

CVE-2023-29404
Affects: cmd/go
Published: Jun 08, 2023
Modified: May 20, 2024

The go command may execute arbitrary code at build time when using cgo. This may occur when running "go get" on a malicious module, or when running any other command which builds untrusted code. This is can by triggered by linker flags, specified via a "#cgo LDFLAGS" directive. The arguments for a number of flags which are non-optional are incorrectly considered optional, allowing disallowed flags to be smuggled through the LDFLAGS sanitization. This affects usage of both the gc and gccgo compilers.

CVE-2023-29403
Affects: runtime
Published: Jun 08, 2023
Modified: May 20, 2024

On Unix platforms, the Go runtime does not behave differently when a binary is run with the setuid/setgid bits. This can be dangerous in certain cases, such as when dumping memory state, or assuming the status of standard i/o file descriptors. If a setuid/setgid binary is executed with standard I/O file descriptors closed, opening any files can result in unexpected content being read or written with elevated privileges. Similarly, if a setuid/setgid program is terminated, either via panic or signal, it may leak the contents of its registers.

CVE-2023-29402
Affects: cmd/go
Published: Jun 08, 2023
Modified: May 20, 2024

The go command may generate unexpected code at build time when using cgo. This may result in unexpected behavior when running a go program which uses cgo. This may occur when running an untrusted module which contains directories with newline characters in their names. Modules which are retrieved using the go command, i.e. via "go get", are not affected (modules retrieved using GOPATH-mode, i.e. GO111MODULE=off, may be affected).

CVE-2023-33959, GHSA-xhg5-42rf-296r
Affects: github.com/notaryproject/notation-go
Published: Jun 26, 2023
Modified: May 20, 2024

An attacker who controls or compromises a registry can lead a user to verify the wrong artifact.

CVE-2023-33958, GHSA-rvrx-rrwh-r9p6
Affects: github.com/notaryproject/notation
Published: Aug 20, 2024
Unreviewed

Notation's default `maxSignatureAttempts` in `notation verify` enables an endless data attack in github.com/notaryproject/notation

CVE-2023-33957, GHSA-9m3v-v4r5-ppx7
Affects: github.com/notaryproject/notation
Published: Aug 20, 2024
Unreviewed

Notation vulnerable to denial of service from high number of artifact signatures in github.com/notaryproject/notation

CVE-2023-2816, GHSA-rqjq-ww83-wv5c
Affects: github.com/hashicorp/consul
Published: Aug 20, 2024
Unreviewed

Hashicorp Consul allows user with service:write permissions to patch remote proxy instances in github.com/hashicorp/consul

CVE-2023-1297, GHSA-c57c-7hrj-6q6v
Affects: github.com/hashicorp/consul
Published: Aug 20, 2024
Unreviewed

Hashicorp Consul vulnerable to denial of service in github.com/hashicorp/consul

CVE-2023-34205, GHSA-jqvr-j2vg-gjrv
Affects: github.com/moov-io/signedxml
Published: Jun 09, 2023
Modified: May 20, 2024

Signature validation canonicalizes the input XML document before validating the signature. Parsing the uncanonicalized and canonicalized forms can produce different results. An attacker can exploit this variation to bypass signature validation. Users of signature validation must only parse the canonicalized form of the validated document. The Validator.Validate function does not return the canonical form, and cannot be used safely. Users should only use the Validator.ValidateReferences function and only parse the canonical form which it returns. The Validator.Validate function was removed in github.com/moov-io/signedxml v1.1.0.

GHSA-qfc5-6r3j-jj22
Affects: github.com/cosmos/cosmos-sdk
Published: Jul 05, 2023
Modified: May 20, 2024

If an invariant check fails on a Cosmos SDK network, and a transaction is sent to the x/crisis package to halt the chain, the chain does not halt as originally intended. No patch will be released, as the package is planned to be deprecated and replaced.

CVE-2023-34091, GHSA-hq4m-4948-64cc
Affects: github.com/kyverno/kyverno
Published: Aug 20, 2024
Unreviewed

Kyverno resource with a deletionTimestamp may allow policy circumvention in github.com/kyverno/kyverno

CVE-2023-2981, GHSA-wmfc-g86p-fjvr
Affects: github.com/pydio/cells, github.com/pydio/cells/v4
Published: Aug 20, 2024
Unreviewed

go package pydio cells vulnerable to cross-site scripting in github.com/pydio/cells

CVE-2023-2978, GHSA-mv7x-27pc-8c96
Affects: github.com/pydio/cells, github.com/pydio/cells/v4
Published: Aug 20, 2024
Unreviewed

Go package pydio/cells vulnerable to authorization bypass in github.com/pydio/cells

CVE-2023-33964, GHSA-7xpv-4pm9-xch2
Affects: github.com/multiversx/mx-chain-go
Published: Aug 20, 2024
Unreviewed

mx-chain-go does not treat invalid transaction with wrong username correctly in github.com/multiversx/mx-chain-go

GHSA-hgv6-w7r3-w4qw
Affects: github.com/kyverno/kyverno
Published: Aug 20, 2024
Unreviewed

Kyverno vulnerable due to usage of insecure cipher in github.com/kyverno/kyverno

CVE-2023-32684, GHSA-f7qw-jj9c-rpq9
Affects: github.com/lima-vm/lima
Published: Aug 20, 2024
Unreviewed

In Lima, a malicious disk image could read a single file on the host filesystem as a qcow2/vmdk backing file in github.com/lima-vm/lima

CVE-2023-33191, GHSA-33hq-f2mf-jm3c
Affects: github.com/kyverno/kyverno
Published: Aug 20, 2024
Unreviewed

kyverno seccomp control can be circumvented in github.com/kyverno/kyverno

CVE-2023-33189, GHSA-pvrc-wvj2-f59p
Affects: github.com/pomerium/pomerium
Published: Aug 20, 2024
Unreviewed

Pomerium vulnerable to Incorrect Authorization with specially crafted requests in github.com/pomerium/pomerium

CVE-2023-33199, GHSA-frqx-jfcm-6jjr
Affects: github.com/sigstore/rekor
Published: Aug 20, 2024
Unreviewed

malformed proposed intoto entries can cause a panic in github.com/sigstore/rekor

CVE-2023-2878, GHSA-g82w-58jf-gcxx
Affects: sigs.k8s.io/secrets-store-csi-driver
Published: Aug 20, 2024
Unreviewed

secrets-store-csi-driver discloses service account tokens in logs in sigs.k8s.io/secrets-store-csi-driver

CVE-2018-20744, GHSA-927h-x4qj-r242
Affects: github.com/rs/cors
Published: Jun 08, 2023
Modified: May 20, 2024

The CORS handler actively converts a wildcard CORS policy into reflecting an arbitrary Origin header value, which is incompatible with the CORS security design, and could lead to CORS misconfiguration security problems.

CVE-2023-32698, GHSA-w7jw-q4fg-qc4c
Affects: github.com/goreleaser/nfpm/v2
Published: Jun 01, 2023
Modified: May 20, 2024

When nfpm packages files without additional configuration to enforce its own permissions, the files could be packaged with incorrect permissions (chmod 666 or 777). Anyone who uses nfpm to create packages and does not check or set file permissions before packaging could result in files or folders being packaged with incorrect permissions.

CVE-2023-30851, GHSA-2h44-x2wx-49f4
Affects: github.com/cilium/cilium
Published: Aug 20, 2024
Unreviewed

Potential HTTP policy bypass when using header rules in Cilium in github.com/cilium/cilium

CVE-2023-2590, GHSA-qmqw-r4x6-3w2q
Affects: github.com/answerdev/answer
Published: Aug 20, 2024
Unreviewed

Answer Missing Authorization vulnerability in github.com/answerdev/answer

CVE-2023-2253, GHSA-hqxw-f8mx-cpmw
Affects: github.com/distribution/distribution
Published: May 24, 2023
Modified: May 20, 2024

Systems that run distribution built after a specific commit running on memory-restricted environments can suffer from denial of service by a crafted malicious /v2/_catalog API endpoint request.

CVE-2023-32080, GHSA-p744-4q6p-hvc2
Affects: github.com/pterodactyl/wings
Published: Aug 20, 2024
Unreviewed

Wings vulnerable to escape to host from installation container in github.com/pterodactyl/wings

CVE-2023-25568, GHSA-m974-xj4j-7qv5, and 1 more
Affects: github.com/ipfs/go-libipfs, github.com/ipfs/go-bitswap
Published: Jun 14, 2023
Modified: May 20, 2024

An attacker can cause a Bitswap server to allocate and leak unbounded amounts of memory.

CVE-2023-1732, GHSA-2q89-485c-9j2x
Affects: github.com/cloudflare/circl
Published: May 24, 2023
Modified: May 20, 2024

When sampling randomness for a shared secret, the implementation of Kyber and FrodoKEM, did not check whether crypto/rand.Read() returns an error. In rare deployment cases (error thrown by the Read() function), this could lead to a predictable shared secret. The tkn20 and blindrsa components did not check whether enough randomness was returned from the user provided randomness source. Typically the user provides crypto/rand.Reader, which in the vast majority of cases will always return the right number random bytes. In the cases where it does not, or the user provides a source that does not, the blinding for blindrsa is weak and integrity of the plaintext is not ensured in tkn20.

CVE-2023-30844, GHSA-jmp2-wc4p-wfh2
Affects: github.com/mutagen-io/mutagen, github.com/mutagen-io/mutagen-compose
Published: Aug 20, 2024
Unreviewed

Mutagen list and monitor operations do not neutralize control characters in text controlled by remote endpoints in github.com/mutagen-io/mutagen

CVE-2023-30840, GHSA-93xx-cvmc-9w3v
Affects: github.com/fluid-cloudnative/fluid
Published: Aug 20, 2024
Unreviewed

On a compromised node, the fluid-csi service account can be used to modify node specs in github.com/fluid-cloudnative/fluid

CVE-2023-30019, GHSA-9x7h-ggc3-xg47
Affects: github.com/imgproxy/imgproxy, github.com/imgproxy/imgproxy/v2, and 1 more
Published: Aug 20, 2024
Unreviewed

imgproxy is vulnerable to Server-Side Request Forgery in github.com/imgproxy/imgproxy

GHSA-fwj4-72fm-c93g
Affects: github.com/mutagen-io/mutagen
Published: Aug 20, 2024
Unreviewed

Under-validated ComSpec and cmd.exe resolution in Mutagen projects in github.com/mutagen-io/mutagen

CVE-2023-30551, GHSA-2h5h-59f5-c5x9
Affects: github.com/sigstore/rekor
Published: Aug 20, 2024
Unreviewed

Rekor's compressed archives can result in OOM conditions in github.com/sigstore/rekor

CVE-2023-29400
Affects: html/template
Published: May 05, 2023
Modified: May 20, 2024

Templates containing actions in unquoted HTML attributes (e.g. "attr={{.}}") executed with empty input can result in output with unexpected results when parsed due to HTML normalization rules. This may allow injection of arbitrary attributes into tags.

CVE-2023-24540
Affects: html/template
Published: May 05, 2023
Modified: May 20, 2024

Not all valid JavaScript whitespace characters are considered to be whitespace. Templates containing whitespace characters outside of the character set "\t\n\f\r\u0020\u2028\u2029" in JavaScript contexts that also contain actions may not be properly sanitized during execution.

CVE-2023-24539
Affects: html/template
Published: May 05, 2023
Modified: May 20, 2024

Angle brackets (<>) are not considered dangerous characters when inserted into CSS contexts. Templates containing multiple actions separated by a '/' character can result in unexpectedly closing the CSS context and allowing for injection of unexpected HTML, if executed with untrusted input.

GHSA-w9mr-28mw-j8hg
Affects: github.com/ory/oathkeeper
Published: Aug 20, 2024
Unreviewed

Hop-by-hop abuse to malform header mutator in github.com/ory/oathkeeper

CVE-2023-30549, GHSA-j4rf-7357-f4cg
Affects: github.com/apptainer/apptainer
Published: Aug 20, 2024
Unreviewed

Unpatched extfs vulnerabilities are exploitable through suid-mode Apptainer in github.com/apptainer/apptainer

CVE-2023-29401, GHSA-2c4m-59x9-fr2g
Affects: github.com/gin-gonic/gin
Published: May 11, 2023
Modified: May 20, 2024

The filename parameter of the Context.FileAttachment function is not properly sanitized. A maliciously crafted filename can cause the Content-Disposition header to be sent with an unexpected filename value or otherwise modify the Content-Disposition header. For example, a filename of "setup.bat";x=.txt" will be sent as a file named "setup.bat". If the FileAttachment function is called with names provided by an untrusted source, this may permit an attacker to cause a file to be served with a name different than provided. Maliciously crafted attachment file name can modify the Content-Disposition header.

CVE-2023-30622, GHSA-833c-xh79-p429
Affects: github.com/clusternet/clusternet
Published: Aug 20, 2024
Unreviewed

A potential risk in clusternet which can be leveraged to make a cluster-level privilege escalation in github.com/clusternet/clusternet

CVE-2023-26557
Affects: github.com/bnb-chain/tss-lib, github.com/binance-chain/tss-lib
Published: Jul 11, 2023
Modified: May 20, 2024

Timing attack from non-constant time scalar arithmetic in github.com/bnb-chain/tss-lib.

CVE-2023-26556
Affects: github.com/bnb-chain/tss-lib, github.com/binance-chain/tss-lib
Published: Jul 11, 2023
Modified: May 20, 2024

Timing attack from non-constant time scalar multiplication in github.com/bnb-chain/tss-lib.

CVE-2023-29002, GHSA-pg5p-wwp8-97g8
Affects: github.com/cilium/cilium
Published: Aug 20, 2024
Modified: Aug 21, 2024
Unreviewed

Debug mode leaks confidential data in Cilium in github.com/cilium/cilium

CVE-2023-29193, GHSA-cjr9-mr35-7xh6
Affects: github.com/authzed/spicedb
Published: Aug 20, 2024
Unreviewed

SpiceDB binding metrics port to untrusted networks and can leak command-line flags in github.com/authzed/spicedb

CVE-2023-29018, GHSA-cwf6-xj49-wp83
Affects: github.com/open-feature/open-feature-operator
Published: Aug 20, 2024
Unreviewed

OpenFeature Operator vulnerable to Cluster-level Privilege Escalation in github.com/open-feature/open-feature-operator

CVE-2023-1976, GHSA-j97g-77fj-9c4p
Affects: github.com/answerdev/answer
Published: Aug 20, 2024
Unreviewed

Answer vulnerable to account takeover because password reset links do not expire in github.com/answerdev/answer

CVE-2023-1974, GHSA-8jg3-rx43-3fv4
Affects: github.com/answerdev/answer
Published: Aug 20, 2024
Unreviewed

Answer vulnerable to Exposure of Sensitive Information Through Metadata in github.com/answerdev/answer

CVE-2023-29194, GHSA-735r-hv67-g38f
Affects: vitess.io/vitess
Published: Apr 12, 2023
Modified: May 20, 2024

Users can create a keyspace containing '/'. Future attempts to view keyspaces from some tools (including VTAdmin and "vtctldclient GetKeyspaces") receive an error.

CVE-2023-1975, GHSA-65v8-6pvw-jwvq
Affects: github.com/answerdev/answer
Published: Aug 20, 2024
Unreviewed

Answer vulnerable to Insertion of Sensitive Information Into Sent Data in github.com/answerdev/answer

CVE-2023-1800, GHSA-xq3x-grrj-fj6x
Affects: github.com/sjqzhang/go-fastdfs
Published: Apr 12, 2023
Modified: May 20, 2024

An attacker can craft a remote request to upload a file to "/group1/upload" that uses path traversal to instead write the file contents to an attacker controlled path on the server.

CVE-2023-25000, GHSA-vq4h-9ghm-qmrr
Affects: github.com/hashicorp/vault
Published: Apr 12, 2023
Modified: May 20, 2024

HashiCorp Vault's implementation of Shamir's secret sharing uses precomputed table lookups, and is vulnerable to cache-timing attacks. An attacker with access to, and the ability to observe a large number of unseal operations on the host through a side channel may reduce the search space of a brute force effort to recover the Shamir shares.

CVE-2023-0665, GHSA-hwc3-3qh6-r4gg
Affects: github.com/hashicorp/vault
Published: Aug 20, 2024
Unreviewed

HashiCorp Vault's PKI mount vulnerable to denial of service in github.com/hashicorp/vault

CVE-2023-1782, GHSA-f8r8-h93m-mj77
Affects: github.com/hashicorp/nomad
Published: Aug 20, 2024
Unreviewed

HashiCorp Nomad vulnerable to unauthenticated client agent HTTP request privilege escalation in github.com/hashicorp/nomad

CVE-2023-24536
Affects: mime/multipart, net/textproto
Published: Apr 05, 2023
Modified: May 20, 2024

Multipart form parsing can consume large amounts of CPU and memory when processing form inputs containing very large numbers of parts. This stems from several causes: 1. mime/multipart.Reader.ReadForm limits the total memory a parsed multipart form can consume. ReadForm can undercount the amount of memory consumed, leading it to accept larger inputs than intended. 2. Limiting total memory does not account for increased pressure on the garbage collector from large numbers of small allocations in forms with many parts. 3. ReadForm can allocate a large number of short-lived buffers, further increasing pressure on the garbage collector. The combination of these factors can permit an attacker to cause an program that parses multipart forms to consume large amounts of CPU and memory, potentially resulting in a denial of service. This affects programs that use mime/multipart.Reader.ReadForm, as well as form parsing in the net/http package with the Request methods FormFile, FormValue, ParseMultipartForm, and PostFormValue. With fix, ReadForm now does a better job of estimating the memory consumption of parsed forms, and performs many fewer short-lived allocations. In addition, the fixed mime/multipart.Reader imposes the following limits on the size of parsed forms: 1. Forms parsed with ReadForm may contain no more than 1000 parts. This limit may be adjusted with the environment variable GODEBUG=multipartmaxparts=. 2. Form parts parsed with NextPart and NextRawPart may contain no more than 10,000 header fields. In addition, forms parsed with ReadForm may contain no more than 10,000 header fields across all parts. This limit may be adjusted with the environment variable GODEBUG=multipartmaxheaders=.

CVE-2023-24534
Affects: net/textproto
Published: Apr 05, 2023
Modified: May 20, 2024

HTTP and MIME header parsing can allocate large amounts of memory, even when parsing small inputs, potentially leading to a denial of service. Certain unusual patterns of input data can cause the common function used to parse HTTP and MIME headers to allocate substantially more memory than required to hold the parsed headers. An attacker can exploit this behavior to cause an HTTP server to allocate large amounts of memory from a small request, potentially leading to memory exhaustion and a denial of service. With fix, header parsing now correctly allocates only the memory required to hold parsed headers.

CVE-2023-24538
Affects: html/template
Published: Apr 05, 2023
Modified: May 20, 2024

Templates do not properly consider backticks (`) as Javascript string delimiters, and do not escape them as expected. Backticks are used, since ES6, for JS template literals. If a template contains a Go template action within a Javascript template literal, the contents of the action can be used to terminate the literal, injecting arbitrary Javascript code into the Go template. As ES6 template literals are rather complex, and themselves can do string interpolation, the decision was made to simply disallow Go template actions from being used inside of them (e.g. "var a = {{.}}"), since there is no obviously safe way to allow this behavior. This takes the same approach as github.com/google/safehtml. With fix, Template.Parse returns an Error when it encounters templates like this, with an ErrorCode of value 12. This ErrorCode is currently unexported, but will be exported in the release of Go 1.21. Users who rely on the previous behavior can re-enable it using the GODEBUG flag jstmpllitinterp=1, with the caveat that backticks will now be escaped. This should be used with caution.

CVE-2023-24537
Affects: go/scanner
Published: Apr 05, 2023
Modified: May 20, 2024

Calling any of the Parse functions on Go source code which contains //line directives with very large line numbers can cause an infinite loop due to integer overflow.

CVE-2023-28842, GHSA-6wrf-mxfj-pf5p
Affects: github.com/docker/docker
Published: Aug 20, 2024
Unreviewed

Docker Swarm encrypted overlay network with a single endpoint is unauthenticated in github.com/docker/docker

CVE-2023-28841, GHSA-33pg-m6jh-5237
Affects: github.com/docker/docker
Published: Aug 20, 2024
Unreviewed

Docker Swarm encrypted overlay network traffic may be unencrypted in github.com/docker/docker

CVE-2023-28840, GHSA-232p-vwff-86mp
Affects: github.com/docker/docker
Published: Aug 20, 2024
Unreviewed

Docker Swarm encrypted overlay network may be unauthenticated in github.com/docker/docker

CVE-2023-0620, GHSA-v3hp-mcj5-pg39
Affects: github.com/hashicorp/vault
Published: Aug 20, 2024
Unreviewed

HashiCorp Vault’s Microsoft SQL Database Storage Backend Vulnerable to SQL Injection Via Configuration File in github.com/hashicorp/vault

CVE-2023-28642, GHSA-g2j6-57v7-gm8c
Affects: github.com/opencontainers/runc
Published: Aug 20, 2024
Unreviewed

runc AppArmor bypass with symlinked /proc in github.com/opencontainers/runc

CVE-2023-25809, GHSA-m8cg-xc2p-r3fc
Affects: github.com/opencontainers/runc
Published: Aug 20, 2024
Unreviewed

rootless: `/sys/fs/cgroup` is writable when cgroupns isn't unshared in runc in github.com/opencontainers/runc

CVE-2023-0778, GHSA-qwqv-rqgf-8qh8
Affects: github.com/containers/podman/v4
Published: Apr 03, 2023
Modified: May 20, 2024

A Time-of-check Time-of-use (TOCTOU) flaw appears in this version of podman. This issue may allow a malicious user to replace a normal file in a volume with a symlink while exporting the volume, allowing for access to arbitrary files on the host file system.

CVE-2023-28436, GHSA-vfgq-g5x8-g595
Affects: tailscale.com
Published: Aug 20, 2024
Unreviewed

Non-interactive Tailscale SSH sessions on FreeBSD may use the effective group ID of the tailscaled process in tailscale.com

CVE-2022-41354, GHSA-2q5c-qw9c-fmvq
Affects: github.com/argoproj/argo-cd, github.com/argoproj/argo-cd/v2
Published: Aug 20, 2024
Unreviewed

Argo CD authenticated but unauthorized users may enumerate Application names via the API in github.com/argoproj/argo-cd

CVE-2023-28119, GHSA-5mqj-xc49-246p
Affects: github.com/crewjam/saml
Published: Aug 23, 2023
Modified: May 20, 2024

Denial of service via deflate compression bomb in github.com/crewjam/saml

CVE-2023-1536, GHSA-xvfj-84vc-hrmf
Affects: github.com/answerdev/answer
Published: Aug 20, 2024
Unreviewed

Answer vulnerable to Stored Cross-site Scripting in github.com/answerdev/answer

CVE-2023-1538, GHSA-rvjp-8qj4-8p29
Affects: github.com/answerdev/answer
Published: Aug 20, 2024
Unreviewed

Answer has Observable Timing Discrepancy in github.com/answerdev/answer

CVE-2023-1542, GHSA-r95w-7cpx-h5mx
Affects: github.com/answerdev/answer
Published: Aug 20, 2024
Unreviewed

Answer vulnerable to Business Logic Errors in github.com/answerdev/answer

CVE-2023-1537, GHSA-hwj7-frgj-7829
Affects: github.com/answerdev/answer
Published: Aug 20, 2024
Unreviewed

Answer vulnerable to Authentication Bypass by Capture-replay in github.com/answerdev/answer

CVE-2023-1541, GHSA-h2wg-83fc-xvm9
Affects: github.com/answerdev/answer
Published: Aug 20, 2024
Unreviewed

Answer vulnerable to Business Logic Errors in github.com/answerdev/answer

CVE-2023-1539, GHSA-g44v-6qfm-f6ch
Affects: github.com/answerdev/answer
Published: Aug 20, 2024
Unreviewed

Answer has Guessable CAPTCHA in github.com/answerdev/answer

CVE-2023-1535, GHSA-83qr-c7m9-wmgw
Affects: github.com/answerdev/answer
Published: Aug 20, 2024
Unreviewed

Answer vulnerable to Stored Cross-site Scripting in github.com/answerdev/answer

CVE-2023-1543, GHSA-79hx-g43v-xfmr
Affects: github.com/answerdev/answer
Published: Aug 20, 2024
Unreviewed

Answer vulnerable to Insufficient Session Expiration in github.com/answerdev/answer

CVE-2023-1540, GHSA-6x5v-cxpp-pc5x
Affects: github.com/answerdev/answer
Published: Aug 20, 2024
Unreviewed

Answer has Observable Response Discrepancy in github.com/answerdev/answer

CVE-2023-28114, GHSA-6f27-3p6c-p5jc
Affects: github.com/cilium/cilium-cli
Published: Aug 20, 2024
Unreviewed

`cilium-cli` disables etcd authorization for clustermesh clusters in github.com/cilium/cilium-cli

CVE-2023-1314, GHSA-7mjv-x3jf-545x
Affects: github.com/cloudflare/cloudflared
Published: Aug 20, 2024
Unreviewed

cloudflared's Installer has Local Privilege Escalation Vulnerability in github.com/cloudflare/cloudflared

CVE-2023-1496, GHSA-ch9g-x9j7-rcgp
Affects: github.com/imgproxy/imgproxy, github.com/imgproxy/imgproxy/v2, and 1 more
Published: Aug 20, 2024
Unreviewed

imgproxy Cross-site Scripting vulnerability in github.com/imgproxy/imgproxy

CVE-2023-27595, GHSA-r5x6-w42p-jhpp
Affects: github.com/cilium/cilium
Published: Aug 20, 2024
Unreviewed

Cilium eBPF filters may be temporarily removed during agent restart in github.com/cilium/cilium

CVE-2023-27594, GHSA-8fg8-jh2h-f2hc
Affects: github.com/cilium/cilium
Published: Aug 20, 2024
Unreviewed

Potential network policy bypass when routing IPv6 traffic in github.com/cilium/cilium

CVE-2023-28105, GHSA-5g39-ppwg-6xx8
Affects: github.com/dablelv/go-huge-util
Published: Aug 23, 2023
Modified: May 20, 2024

Path traversal when unzipping files in github.com/dablelv/go-huge-util

CVE-2023-0845, GHSA-wj6x-hcc2-f32j
Affects: github.com/hashicorp/consul
Published: Aug 20, 2024
Unreviewed

Consul Server Panic when Ingress and API Gateways Configured with Peering Connections in github.com/hashicorp/consul

CVE-2023-1299, GHSA-rqm8-q8j9-662f
Affects: github.com/hashicorp/nomad
Published: Aug 20, 2024
Unreviewed

Nomad Job Submitter Privilege Escalation Using Workload Identity in github.com/hashicorp/nomad

CVE-2023-24535, GHSA-hw7c-3rfg-p46j
Affects: google.golang.org/protobuf
Published: Mar 14, 2023
Modified: May 20, 2024

Parsing invalid messages can panic. Parsing a text-format message which contains a potential number consisting of a minus sign, one or more characters of whitespace, and no further input will cause a panic.

CVE-2023-27582, GHSA-4g76-w3xw-2x6w
Affects: github.com/foxcpp/maddy
Published: Aug 20, 2024
Unreviewed

Full authentication bypass if SASL authorization username is specified in github.com/foxcpp/maddy

CVE-2022-3294, GHSA-jh36-q97c-9928
Affects: k8s.io/kubernetes
Published: Aug 20, 2024
Unreviewed

Kubernetes vulnerable to validation bypass in k8s.io/kubernetes

CVE-2022-3162, GHSA-2394-5535-8j88
Affects: k8s.io/kubernetes
Published: Aug 20, 2024
Unreviewed

Kubernetes vulnerable to path traversal in k8s.io/kubernetes

CVE-2023-27561, GHSA-vpvm-3wq2-2wvm
Affects: github.com/opencontainers/runc
Published: Aug 20, 2024
Unreviewed

Opencontainers runc Incorrect Authorization vulnerability in github.com/opencontainers/runc

CVE-2023-27483, GHSA-vfvj-3m3g-m532
Affects: github.com/crossplane/crossplane-runtime
Published: Mar 13, 2023
Modified: May 20, 2024

An out of memory panic vulnerability exists in the crossplane-runtime libraries. Applications that use the Paved type's SetValue method with user-provided input that is not properly validated might use excessive amounts of memory and cause an out of memory panic. In the fieldpath package, the Paved.SetValue method sets a value on the Paved object according to the provided path, without any validation. This allows setting values in slices at any provided index, which grows the target array up to the requested index. The index is currently capped at max uint32 (4294967295), a large value. If callers do not validate paths' indexes on their own, this could allow users to consume arbitrary amounts of memory. Applications that do not use the Paved type's SetValue method are not affected. Users unable to upgrade can work around this issue by parsing and validating the path before passing it to the SetValue method of the Paved type, constraining the index size as deemed appropriate.

GHSA-6w5f-5wgr-qjg5
Affects: github.com/edgelesssys/constellation, github.com/edgelesssys/constellation/v2
Published: Aug 20, 2024
Unreviewed

Constellation allows Emergency shell access during initramfs boot phase in github.com/edgelesssys/constellation

CVE-2023-24532
Affects: crypto/internal/nistec
Published: Mar 08, 2023
Modified: May 20, 2024

The ScalarMult and ScalarBaseMult methods of the P256 Curve may return an incorrect result if called with some specific unreduced scalars (a scalar larger than the order of the curve). This does not impact usages of crypto/ecdsa or crypto/ecdh.

CVE-2023-1239, GHSA-vxhr-p2vp-7gf8
Affects: github.com/answerdev/answer
Published: Aug 20, 2024
Unreviewed

Answer vulnerable to Cross-site Scripting in github.com/answerdev/answer

CVE-2023-1242, GHSA-qrwm-xqfr-4vhv
Affects: github.com/answerdev/answer
Published: Aug 20, 2024
Unreviewed

Answer vulnerable to Cross-site Scripting in github.com/answerdev/answer

CVE-2023-1244, GHSA-h85v-cx5m-78wj
Affects: github.com/answerdev/answer
Published: Aug 20, 2024
Unreviewed

Answer vulnerable to Cross-site Scripting in github.com/answerdev/answer

CVE-2023-1241, GHSA-ff27-hrmr-ggpj
Affects: github.com/answerdev/answer
Published: Aug 20, 2024
Unreviewed

Answer vulnerable to Cross-site Scripting in github.com/answerdev/answer

CVE-2023-1237, GHSA-9v4v-9fj5-p982
Affects: github.com/answerdev/answer
Published: Aug 20, 2024
Unreviewed

Answer vulnerable to Cross-site Scripting in github.com/answerdev/answer

CVE-2023-1243, GHSA-8jh8-33f5-cgfp
Affects: github.com/answerdev/answer
Published: Aug 20, 2024
Unreviewed

Answer vulnerable to Cross-site Scripting in github.com/answerdev/answer

CVE-2023-1238, GHSA-5w78-v688-cx9q
Affects: github.com/answerdev/answer
Published: Aug 20, 2024
Unreviewed

Answer vulnerable to Cross-site Scripting in github.com/answerdev/answer

CVE-2023-1240, GHSA-55vm-3vq3-4jpc
Affects: github.com/answerdev/answer
Published: Aug 20, 2024
Unreviewed

Answer vulnerable to Cross-site Scripting in github.com/answerdev/answer

CVE-2023-1245, GHSA-6c32-3x46-m9rh
Affects: github.com/answerdev/answer
Published: Aug 20, 2024
Unreviewed

Answer vulnerable to Cross-site Scripting in github.com/answerdev/answer

CVE-2023-27475, GHSA-fx2v-qfhr-4chv
Affects: github.com/gookit/goutil
Published: Mar 08, 2023
Modified: May 20, 2024

fsutil.Unzip is vulnerable to path traversal attacks due to improper validation of paths.

GHSA-wxwq-525w-hcqx
Affects: github.com/fkie-cad/yapscan
Published: Aug 20, 2024
Unreviewed

Yapscan Denial of Service vulnerability in report server in github.com/fkie-cad/yapscan

CVE-2023-26483, GHSA-6gc3-crp7-25w5
Affects: github.com/russellhaering/gosaml2
Published: Mar 03, 2023
Modified: May 20, 2024

A bug in SAML authentication library can result in Denial of Service attacks. Attackers can craft a "deflate"-compressed request which will consume significantly more memory during processing than the size of the original request. This may eventually lead to memory exhaustion and the process being killed.

CVE-2023-26047, GHSA-p2pf-g8cq-3gq5
Affects: github.com/kitabisa/teler-waf
Published: Mar 02, 2023
Modified: May 20, 2024

Improper handling of payload with special characters, such as CR/LF and horizontal tab, can lead to execution of arbitrary JavaScript code.

CVE-2023-26046, GHSA-9f95-hhg4-pg4f
Affects: github.com/kitabisa/teler-waf
Published: Mar 02, 2023
Modified: May 20, 2024

Improper sanitization and filtering of HTML entities in user input can lead to cross-site scripting (XSS) attacks where arbitrary JavaScript code is executed in the browser.

CVE-2022-2024, GHSA-pfvh-p8qp-9ww9
Affects: gogs.io/gogs
Published: Aug 20, 2024
Unreviewed

Gogs OS Command Injection vulnerability in gogs.io/gogs

CVE-2023-24533, GHSA-f6hc-9g49-xmx7
Affects: filippo.io/nistec
Published: Feb 28, 2023
Modified: May 20, 2024

Multiplication of certain unreduced P-256 scalars produce incorrect results. There are no protocols known at this time that can be attacked due to this.

CVE-2023-0934, GHSA-6cvf-m58q-h9wf
Affects: github.com/answerdev/answer
Published: Aug 20, 2024
Unreviewed

Answer vulnerable to Cross-site Scripting in github.com/answerdev/answer

CVE-2015-10085, GHSA-wr8h-w969-36m8
Affects: github.com/gopistolet/gopistolet
Published: Aug 20, 2024
Unreviewed

GoPistolet vulnerable to Improper Resource Shutdown or Release in github.com/gopistolet/gopistolet

CVE-2023-25656, GHSA-87x9-7grx-m28v
Affects: github.com/notaryproject/notation-go
Published: Jul 11, 2023
Modified: May 20, 2024

Parsing PKIX distinguished names containing the string "=#" can cause excessive memory consumption.

GHSA-r2h5-3hgw-8j34
Affects: github.com/edgelesssys/constellation, github.com/edgelesssys/constellation/v2
Published: Aug 20, 2024
Unreviewed

User data in TPM attestation vulnerable to MITM in github.com/edgelesssys/constellation

CVE-2021-32163, GHSA-5vx9-j5cw-47vq
Affects: mosn.io/mosn
Published: Aug 20, 2024
Unreviewed

Privilege escalation in MOSN in mosn.io/mosn

CVE-2023-0821, GHSA-w479-w22g-cffh
Affects: github.com/hashicorp/nomad
Published: Aug 20, 2024
Unreviewed

Uncontrolled Resource Consumption in Hashicorp Nomad in github.com/hashicorp/nomad

CVE-2023-0475, GHSA-jpxj-2jvg-6jv9
Affects: github.com/hashicorp/go-getter/v2, github.com/hashicorp/go-getter
Published: Feb 17, 2023
Modified: May 20, 2024

HashiCorp go-getter is vulnerable to decompression bombs. This can lead to excessive memory consumption and denial-of-service attacks.

CVE-2023-23947, GHSA-3jfq-742w-xg8j
Affects: github.com/argoproj/argo-cd, github.com/argoproj/argo-cd/v2
Published: Aug 20, 2024
Unreviewed

Users with any cluster secret update access may update out-of-bounds cluster secrets in github.com/argoproj/argo-cd

CVE-2023-25173, GHSA-hmfx-3pcx-653p
Affects: github.com/containerd/containerd
Published: Feb 17, 2023
Modified: Aug 21, 2024

Supplementary groups are not set up properly inside a container. If an attacker has direct access to a container and manipulates their supplementary group access, they may be able to use supplementary group access to bypass primary group restrictions in some cases and potentially escalate privileges in the container. Uses of the containerd client library may also have improperly setup supplementary groups.

CVE-2023-25153, GHSA-259w-8hf6-59c2
Affects: github.com/containerd/containerd
Published: Feb 17, 2023
Modified: Aug 21, 2024

When importing an OCI image, there was no limit on the number of bytes read from the io.Reader passed into ImportIndex. A large number of bytes could be read from this and could cause a denial of service.

CVE-2022-41727, GHSA-qgc7-mgm3-q253
Affects: golang.org/x/image
Published: Feb 16, 2023
Modified: May 20, 2024

An attacker can craft a malformed TIFF image which will consume a significant amount of memory when passed to DecodeConfig. This could lead to a denial of service.

CVE-2022-41723, GHSA-vvpx-j8f3-3w6h
Affects: net/http, golang.org/x/net
Published: Feb 16, 2023
Modified: May 20, 2024

A maliciously crafted HTTP/2 stream could cause excessive CPU consumption in the HPACK decoder, sufficient to cause a denial of service from a small number of small requests.

CVE-2022-41724
Affects: crypto/tls
Published: Feb 16, 2023
Modified: May 20, 2024

Large handshake records may cause panics in crypto/tls. Both clients and servers may send large TLS handshake records which cause servers and clients, respectively, to panic when attempting to construct responses. This affects all TLS 1.3 clients, TLS 1.2 clients which explicitly enable session resumption (by setting Config.ClientSessionCache to a non-nil value), and TLS 1.3 servers which request client certificates (by setting Config.ClientAuth >= RequestClientCert).

CVE-2022-41725
Affects: mime/multipart
Published: Feb 21, 2023
Modified: May 20, 2024

A denial of service is possible from excessive resource consumption in net/http and mime/multipart. Multipart form parsing with mime/multipart.Reader.ReadForm can consume largely unlimited amounts of memory and disk files. This also affects form parsing in the net/http package with the Request methods FormFile, FormValue, ParseMultipartForm, and PostFormValue. ReadForm takes a maxMemory parameter, and is documented as storing "up to maxMemory bytes +10MB (reserved for non-file parts) in memory". File parts which cannot be stored in memory are stored on disk in temporary files. The unconfigurable 10MB reserved for non-file parts is excessively large and can potentially open a denial of service vector on its own. However, ReadForm did not properly account for all memory consumed by a parsed form, such as map entry overhead, part names, and MIME headers, permitting a maliciously crafted form to consume well over 10MB. In addition, ReadForm contained no limit on the number of disk files created, permitting a relatively small request body to create a large number of disk temporary files. With fix, ReadForm now properly accounts for various forms of memory overhead, and should now stay within its documented limit of 10MB + maxMemory bytes of memory consumption. Users should still be aware that this limit is high and may still be hazardous. In addition, ReadForm now creates at most one on-disk temporary file, combining multiple form parts into a single temporary file. The mime/multipart.File interface type's documentation states, "If stored on disk, the File's underlying concrete type will be an *os.File.". This is no longer the case when a form contains more than one file part, due to this coalescing of parts into a single file. The previous behavior of using distinct files for each form part may be reenabled with the environment variable GODEBUG=multipartfiles=distinct. Users should be aware that multipart.ReadForm and the http.Request methods that call it do not limit the amount of disk consumed by temporary files. Callers can limit the size of form data with http.MaxBytesReader.

CVE-2022-41722
Affects: path/filepath
Published: Feb 16, 2023
Modified: May 20, 2024

A path traversal vulnerability exists in filepath.Clean on Windows. On Windows, the filepath.Clean function could transform an invalid path such as "a/../c:/b" into the valid path "c:\b". This transformation of a relative (if invalid) path into an absolute path could enable a directory traversal attack. After fix, the filepath.Clean function transforms this path into the relative (but still invalid) path ".\c:\b".

CVE-2022-28923, GHSA-qpm3-vr34-h8w8
Affects: github.com/caddyserver/caddy/v2
Published: Feb 16, 2023
Modified: May 20, 2024

Due to improper request sanitization, a crafted URL can cause the static file handler to redirect to an attacker chosen URL, allowing for open redirect attacks.

CVE-2022-25978, GHSA-9w8x-5hv5-r6gw
Affects: github.com/usememos/memos
Published: Feb 15, 2023
Modified: May 20, 2024

A malicious actor can introduce links starting with a "javascript:" scheme due to insufficient checks on external resources. This can be used as a part of Cross-site Scripting (XSS) attack.

CVE-2022-47762, GHSA-x623-hr8h-7g5v
Affects: github.com/flipped-aurora/gin-vue-admin
Published: Aug 20, 2024
Unreviewed

Path Traversal in gin-vue-admin in github.com/flipped-aurora/gin-vue-admin

CVE-2023-23631, GHSA-4gj3-6r43-3wfc
Affects: github.com/ipfs/go-unixfsnode
Published: Feb 14, 2023
Modified: May 20, 2024

Trying to read malformed HAMT sharded directories can cause panics and virtual memory leaks. If you are reading untrusted user input, an attacker can then trigger a panic. This is caused by a bogus fanout parameter in the HAMT directory nodes. There are no known workarounds (users are advised to upgrade).

CVE-2023-23626, GHSA-2h6c-j3gf-xp9r
Affects: github.com/ipfs/go-bitfield
Published: Feb 14, 2023
Modified: May 20, 2024

When feeding untrusted user input into the size parameter of NewBitfield and FromBytes functions, an attacker can trigger panics. This happens when the size is a not a multiple of 8 or is negative. A workaround is to ensure size%8 == 0 && size >= 0 yourself before calling NewBitfield or FromBytes.

CVE-2023-23625, GHSA-q264-w97q-q778
Affects: github.com/ipfs/go-unixfs
Published: Feb 14, 2023
Modified: May 20, 2024

Trying to read malformed HAMT sharded directories can cause panics and virtual memory leaks. If you are reading untrusted user input, an attacker can then trigger a panic. This is caused by bogus "fanout" parameter in the HAMT directory nodes. A workaround is to not feed untrusted user data to the decoding functions.

CVE-2023-25168, GHSA-66p8-j459-rq63
Affects: github.com/pterodactyl/wings
Published: Aug 20, 2024
Unreviewed

Pterodactyl Wings contains UNIX Symbolic Link (Symlink) Following resulting in deletion of files and directories on the host system in github.com/pterodactyl/wings

CVE-2023-0742, GHSA-rmw8-7823-wp7f
Affects: github.com/answerdev/answer
Published: Aug 20, 2024
Unreviewed

Answer contains Cross-site Scripting vulnerability in github.com/answerdev/answer

CVE-2023-0739, GHSA-qx34-47fc-vv79
Affects: github.com/answerdev/answer
Published: Aug 20, 2024
Unreviewed

Answer vulnerable to Race Condition in github.com/answerdev/answer

CVE-2023-0741, GHSA-p7wj-c85f-xq9h
Affects: github.com/answerdev/answer
Published: Aug 20, 2024
Unreviewed

Answer has Cross-site Scripting vulnerability in github.com/answerdev/answer

CVE-2023-0743, GHSA-hjmr-xm25-36mh
Affects: github.com/answerdev/answer
Published: Aug 20, 2024
Unreviewed

Answer subject to Cross-site Scripting vulnerability in github.com/answerdev/answer

CVE-2023-0744, GHSA-4cwh-8w4g-jxxh
Affects: github.com/answerdev/answer
Published: Aug 20, 2024
Unreviewed

Answer contains Improper Access Control vulnerability in github.com/answerdev/answer

CVE-2023-0229, GHSA-5465-xc2j-6p84
Affects: github.com/openshift/apiserver-library-go
Published: Feb 16, 2023
Modified: May 20, 2024

Low-privileged users can set the seccomp profile for pods they control to "unconfined." By default, the seccomp profile used in the restricted-v2 Security Context Constraint (SCC) is "runtime/default," allowing users to disable seccomp for pods they can create and modify.

CVE-2023-25163, GHSA-mv6w-j4xc-qpfw
Affects: github.com/argoproj/argo-cd/v2
Published: Feb 15, 2023
Modified: May 20, 2024

Argo CD has an output sanitization bug which leaks repository access credentials in error messages. These error messages are visible to the user, and they are logged. The error message is visible when a user attempts to create or update an Application via the Argo CD API (and therefor the UI or CLI). The user must have "applications, create" or "applications, update" RBAC access to reach the code which may produce the error. The user is not guaranteed to be able to trigger the error message. They may attempt to spam the API with requests to trigger a rate limit error from the upstream repository. If the user has "repositories, update" access, they may edit an existing repository to introduce a URL typo or otherwise force an error message.

CVE-2023-25165, GHSA-pwcw-6f5g-gxf8
Affects: helm.sh/helm/v3
Published: Feb 14, 2023
Modified: May 20, 2024

An information disclosure vulnerability exists in the getHostByName template function. The function getHostByName is a Helm template function introduced in Helm v3. The function is able to accept a hostname and return an IP address for that hostname. To get the IP address the function performs a DNS lookup. The DNS lookup happens when used with "helm install|upgrade|template" or when the Helm SDK is used to render a chart. Information passed into the chart can be disclosed to the DNS servers used to lookup the IP address. For example, a malicious chart could inject getHostByName into a chart in order to disclose values to a malicious DNS server.

CVE-2023-25151, GHSA-5r5m-65gx-7vrh
Affects: go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp
Published: Apr 05, 2023
Modified: May 20, 2024

The otelhttp package of opentelemetry-go-contrib is vulnerable to a denial-of-service attack. The otelhttp package uses the httpconv.ServerRequest function to annotate metric measurements for the http.server.request_content_length, http.server.response_content_length, and http.server.duration instruments. The ServerRequest function sets the http.target attribute value to be the whole request URI (including the query string). The metric instruments do not "forget" previous measurement attributes when "cumulative" temporality is used, meaning that the cardinality of the measurements allocated is directly correlated with the unique URIs handled. If the query string is constantly random, this will result in a constant increase in memory allocation that can be used in a denial-of-service attack.

CVE-2020-1726, GHSA-vmhj-p9hw-vgrf
Affects: github.com/containers/libpod, github.com/containers/libpod/v2
Published: Aug 20, 2024
Unreviewed

Podman has Files or Directories Accessible to External Parties in github.com/containers/libpod

CVE-2023-25307, GHSA-r887-gfxh-m9rr
Affects: github.com/nothub/mrpack-install
Published: Aug 20, 2024
Unreviewed

mrpack-install vulnerable to path traversal with dependency in github.com/nothub/mrpack-install

CVE-2023-25152, GHSA-p8r3-83r8-jwj5
Affects: github.com/pterodactyl/wings
Published: Aug 20, 2024
Unreviewed

Pterodactyl Wings contains UNIX Symbolic Link (Symlink) Following in github.com/pterodactyl/wings

CVE-2023-0740, GHSA-65px-4cpf-697r
Affects: github.com/answerdev/answer
Published: Aug 20, 2024
Unreviewed

Cross-site scripting vulnerability found in answerdev/answer in github.com/answerdev/answer

GHSA-hxp2-xqf3-v83h
Affects: github.com/pion/dtls/v2
Published: Feb 13, 2023
Modified: May 20, 2024

Unmarshalling a Server Hello can panic, which could allow a denial of service.

GHSA-4xgv-j62q-h3rj
Affects: github.com/pion/dtls/v2
Published: Feb 13, 2023
Modified: May 20, 2024

Unmarshalling a Hello Verify request can panic, which could allow a denial of service.

CVE-2023-24827, GHSA-jp7v-3587-2956
Affects: github.com/anchore/syft
Published: Aug 20, 2024
Unreviewed

Credential disclosure in syft when SYFT_ATTEST_PASSWORD environment variable set in github.com/anchore/syft

CVE-2023-0242, GHSA-g5vm-525q-r66c
Affects: www.velocidex.com/golang/velociraptor
Published: Aug 20, 2024
Unreviewed

Velociraptor vulnerable to Missing Authorization in www.velocidex.com/golang/velociraptor

CVE-2023-24623, GHSA-v9mp-j8g7-2q6m
Affects: github.com/hakobe/paranoidhttp
Published: Feb 14, 2023
Modified: May 20, 2024

Paranoidhttp before is vulnerable to SSRF because [::] is equivalent to the 127.0.0.1 address, but does not match the filter for private addresses.

GHSA-x477-fq37-q5wr
Affects: fortio.org/proxy
Published: Aug 20, 2024
Unreviewed

Initial debug-host handler implementation could leak information and facilitate denial of service in fortio.org/proxy

CVE-2023-22482, GHSA-q9hr-j4rf-8fjc
Affects: github.com/argoproj/argo-cd, github.com/argoproj/argo-cd/v2
Published: Aug 20, 2024
Unreviewed

JWT audience claim is not verified in github.com/argoproj/argo-cd

CVE-2022-31249, GHSA-qrg7-hfx7-95c5
Affects: github.com/rancher/wrangler
Published: Feb 14, 2023
Modified: May 20, 2024

A command injection vulnerability exists in the Wrangler Git package. Specially crafted commands can be passed to Wrangler that will change their behavior and cause confusion when executed through Git, resulting in command injection in the underlying host. A workaround is to sanitize input passed to the Git package to remove potential unsafe and ambiguous characters. Otherwise, the best course of action is to update to a patched Wrangler version.

CVE-2022-43756, GHSA-8fcj-gf77-47mg
Affects: github.com/rancher/wrangler
Published: Feb 14, 2023
Modified: May 20, 2024

A denial of service (DoS) vulnerability exists in the Wrangler Git package. Specially crafted Git credentials can result in a denial of service (DoS) attack on an application that uses Wrangler due to the exhaustion of the available memory and CPU resources. This is caused by a lack of input validation of Git credentials before they are used, which may lead to a denial of service in some cases. This issue can be triggered when accessing both private and public Git repositories. A workaround is to sanitize input passed to the Git package to remove potential unsafe and ambiguous characters. Otherwise, the best course of action is to update to a patched Wrangler version.

CVE-2023-22736, GHSA-6p4m-hw2h-6gmw
Affects: github.com/argoproj/argo-cd, github.com/argoproj/argo-cd/v2
Published: Aug 20, 2024
Unreviewed

Controller reconciles apps outside configured namespaces when sharding is enabled in github.com/argoproj/argo-cd

CVE-2022-46959, GHSA-2x48-p6cq-5xcw
Affects: github.com/go-sonic/sonic
Published: Aug 20, 2024
Unreviewed

Path Traversal in github.com/go-sonic/sonic

CVE-2022-47747, GHSA-hj4g-4w36-x8hp
Affects: github.com/uber/kraken
Published: May 17, 2023
Modified: May 20, 2024

kraken contains an arbitrary file read vulnerability via component testfs.

CVE-2023-22726, GHSA-pc99-qmg4-rcff
Affects: github.com/nektos/act
Published: Aug 20, 2024
Unreviewed

act vulnerable to arbitrary file upload in artifact server in github.com/nektos/act

CVE-2023-0290, GHSA-7jf5-fvgf-48c6
Affects: www.velocidex.com/golang/velociraptor
Published: Aug 20, 2024
Unreviewed

Velociraptor subject to Path Traversal in www.velocidex.com/golang/velociraptor

CVE-2022-23538, GHSA-7p8m-22h4-9pj7
Affects: github.com/sylabs/scs-library-client, github.com/sylabs/scs-library-client
Published: Feb 01, 2023
Modified: May 20, 2024

When the scs-library-client is used to pull a container image, with authentication, the HTTP Authorization header sent by the client to the library service may be incorrectly leaked to an S3 backing storage provider.

CVE-2022-41721, GHSA-fxg5-wq6x-vr4w
Affects: golang.org/x/net
Published: Jan 13, 2023
Modified: May 20, 2024

A request smuggling attack is possible when using MaxBytesHandler. When using MaxBytesHandler, the body of an HTTP request is not fully consumed. When the server attempts to read HTTP2 frames from the connection, it will instead be reading the body of the HTTP request, which could be attacker-manipulated to represent arbitrary HTTP2 requests.

CVE-2014-125064, GHSA-g7mw-9pf9-p2pm
Affects: github.com/elgs/gosqljson
Published: Feb 01, 2023
Modified: May 20, 2024

There is a potential for SQL injection through manipulation of the sqlStatement argument.

CVE-2017-1000056, GHSA-2jx2-76rc-2v7v
Affects: k8s.io/kubernetes
Published: Aug 20, 2024
Unreviewed

Kubernetes Privilege Escalation in k8s.io/kubernetes

GHSA-3244-8mff-w398
Affects: github.com/gotify/server, github.com/gotify/server/v2
Published: Aug 20, 2024
Unreviewed

Reflected XSS in Gotify's /docs via import of outdated Swagger UI in github.com/gotify/server

CVE-2023-0110, GHSA-x22v-qgm2-7qc7
Affects: github.com/usememos/memos
Published: Aug 20, 2024
Unreviewed

usememos/memos vulnerable to stored Cross-site Scripting in github.com/usememos/memos

CVE-2023-22479, GHSA-v4w5-r2xc-7f8h
Affects: github.com/KubeOperator/kubepi
Published: Aug 20, 2024
Unreviewed

KubePi session fixation attack allows an attacker to hijack a legitimate user session. in github.com/KubeOperator/kubepi

CVE-2023-0111, GHSA-h2ph-9r76-37v5
Affects: github.com/usememos/memos
Published: Aug 20, 2024
Unreviewed

usememos/memos vulnerable to stored Cross-site Scripting in github.com/usememos/memos

CVE-2023-22478, GHSA-gqx8-hxmv-c4v4
Affects: github.com/KubeOperator/kubepi
Published: Aug 20, 2024
Unreviewed

KubePi may allow unauthorized access to system API in github.com/KubeOperator/kubepi

CVE-2023-0108, GHSA-fpjc-cxr6-w6h8
Affects: github.com/usememos/memos
Published: Aug 20, 2024
Unreviewed

usememos/memos vulnerable to stored Cross-site Scripting in github.com/usememos/memos

CVE-2023-0112, GHSA-9h7x-9pmh-7gg8
Affects: github.com/usememos/memos
Published: Aug 20, 2024
Unreviewed

usememos/memos vulnerable to stored Cross-site Scripting in github.com/usememos/memos

CVE-2022-4808, GHSA-r3p3-5f35-h6mf
Affects: github.com/usememos/memos
Published: Aug 20, 2024
Unreviewed

usememos/memos Improper Privilege Management vulnerability in github.com/usememos/memos

CVE-2022-23509, GHSA-89qm-wcmw-3mgg
Affects: github.com/weaveworks/weave-gitops
Published: Aug 20, 2024
Unreviewed

Gitops Run insecure communication in github.com/weaveworks/weave-gitops

CVE-2022-23508, GHSA-wr3c-g326-486c
Affects: github.com/weaveworks/weave-gitops
Published: Aug 20, 2024
Unreviewed

GitOps Run allows for Kubernetes workload injection in github.com/weaveworks/weave-gitops

CVE-2020-36645, GHSA-3hc7-2xcc-7p8f
Affects: github.com/square/squalor
Published: Feb 01, 2023
Modified: May 20, 2024

There is a potential for SQL injection in the table name parameter.

CVE-2014-125055, GHSA-r894-5r7v-7rx3
Affects: github.com/agnivade/easy-scrypt
Published: Aug 20, 2024
Unreviewed

easy-scrypt Observable Timing Discrepancy vulnerability in github.com/agnivade/easy-scrypt

CVE-2022-4805, GHSA-mq5q-gpgv-pwxw
Affects: github.com/usememos/memos
Published: Aug 20, 2024
Unreviewed

usememos/memos Incorrect Use of Privileged APIs vulnerability in github.com/usememos/memos

CVE-2022-4803, GHSA-mfmp-8mqg-q4wm
Affects: github.com/usememos/memos
Published: Aug 20, 2024
Unreviewed

usememos/memos Improper Access Control vulnerability in github.com/usememos/memos

CVE-2022-4851, GHSA-42q2-m54f-jh95
Affects: github.com/usememos/memos
Published: Aug 20, 2024
Unreviewed

sememos/memos vulnerable to Improper Handling of Values in github.com/usememos/memos

CVE-2023-22463, GHSA-vjhf-8vqx-vqpq
Affects: github.com/KubeOperator/kubepi
Published: Aug 20, 2024
Unreviewed

KubePi allows malicious actor to login with a forged JWT token via Hardcoded Jwtsigkeys in github.com/KubeOperator/kubepi

CVE-2022-4863, GHSA-6whj-8g9g-5jvx
Affects: github.com/usememos/memos
Published: Aug 20, 2024
Unreviewed

usememos/memos vulnerable to Improper Handling of Insufficient Permissions or Privileges in github.com/usememos/memos

CVE-2023-22460, GHSA-c653-6hhg-9x92
Affects: github.com/ipld/go-ipld-prime
Published: Jan 18, 2023
Modified: May 20, 2024

Encoding data using the 'json' codec which contains a 'Bytes' type Node will cause the encoder to panic. The decoder is not impacted. If the codec is used to encode user supplied data, this may be used as a vector for a denial of service attack.

CVE-2022-48195, GHSA-gvfj-fxx3-j323
Affects: mellium.im/sasl
Published: Jan 18, 2023
Modified: May 20, 2024

An issue was discovered in Mellium mellium.im/sasl before 0.3.1. When performing SCRAM-based SASL authentication, if the remote end advertises support for channel binding, no random nonce is generated (instead, the nonce is empty). This causes authentication to fail in the best case, but (if paired with a remote end that does not validate the length of the nonce) could lead to insufficient randomness being used during authentication.

CVE-2022-4848, GHSA-vh43-cc6x-prpr
Affects: github.com/usememos/memos
Published: Aug 21, 2024
Unreviewed

usememos/memos vulnerable to Improper Verification of Source of a Communication Channel in github.com/usememos/memos

CVE-2022-4847, GHSA-r7hg-2cpp-8wqq
Affects: github.com/usememos/memos
Published: Aug 21, 2024
Unreviewed

usememos/memos has Incorrectly Specified Destination in a Communication Channel in github.com/usememos/memos

CVE-2022-4810, GHSA-qf9q-3wwx-8qjv
Affects: github.com/usememos/memos
Published: Aug 21, 2024
Unreviewed

usememos/memos Improper Access Control vulnerability in github.com/usememos/memos

CVE-2022-4806, GHSA-pp3p-6jjh-rmg7
Affects: github.com/usememos/memos
Published: Aug 21, 2024
Unreviewed

usememos/memos Improper Access Control vulnerability in github.com/usememos/memos

CVE-2022-4812, GHSA-m5pr-wm6q-x4g2
Affects: github.com/usememos/memos
Published: Aug 21, 2024
Unreviewed

usememos/memos vulnerable to Comparison of Object References Instead of Object Contents in github.com/usememos/memos

CVE-2022-4811, GHSA-hc5q-26h8-r9wf
Affects: github.com/usememos/memos
Published: Aug 21, 2024
Unreviewed

usememos/memos Improper Authorization vulnerability in github.com/usememos/memos

CVE-2022-4845, GHSA-gw9m-2m5v-c6x5
Affects: github.com/usememos/memos
Published: Aug 21, 2024
Unreviewed

usememos/memos Cross-Site Request Forgery vulnerability in github.com/usememos/memos

CVE-2022-4807, GHSA-gfj4-wg89-m22r
Affects: github.com/usememos/memos
Published: Aug 21, 2024
Unreviewed

usememos/memos Improper Access Control vulnerability in github.com/usememos/memos

CVE-2022-4813, GHSA-7qpw-2j9m-rw8c
Affects: github.com/usememos/memos
Published: Aug 21, 2024
Unreviewed

usememos/memos has Insufficient Granularity of Access Control in github.com/usememos/memos

CVE-2022-4809, GHSA-6w5w-wx8w-2cq9
Affects: github.com/usememos/memos
Published: Aug 21, 2024
Unreviewed

usememos/memos Improper Access Control vulnerability in github.com/usememos/memos

CVE-2022-4814, GHSA-6fx9-29x2-fmfj
Affects: github.com/usememos/memos
Published: Aug 21, 2024
Unreviewed

usememos/memos Improper Access Control vulnerability in github.com/usememos/memos

CVE-2022-4849, GHSA-642q-2q68-9j3p
Affects: github.com/usememos/memos
Published: Aug 21, 2024
Unreviewed

usememos/memos Cross-Site Request Forgery vulnerability in github.com/usememos/memos

CVE-2022-4802, GHSA-rx2m-xr4x-54hh
Affects: github.com/usememos/memos
Published: Aug 21, 2024
Unreviewed

usememos/memos vulnerable to Improper Authorization in github.com/usememos/memos

CVE-2022-4804, GHSA-qw36-rw5q-gxcq
Affects: github.com/usememos/memos
Published: Aug 21, 2024
Unreviewed

usememos/memos Improper Authorization vulnerability in github.com/usememos/memos

CVE-2022-4797, GHSA-qrrf-xvcf-p64q
Affects: github.com/usememos/memos
Published: Aug 21, 2024
Unreviewed

usememos/memos vulnerable Improper Restriction of Excessive Authentication Attempts in github.com/usememos/memos

CVE-2022-4798, GHSA-qcf5-m2c6-89f2
Affects: github.com/usememos/memos
Published: Aug 21, 2024
Unreviewed

usememos/memos Improper Authorization vulnerability in github.com/usememos/memos

CVE-2022-4800, GHSA-mfvq-m3jj-8864
Affects: github.com/usememos/memos
Published: Aug 21, 2024
Unreviewed

usememos/memos vulnerable to Improper Verification of Source of a Communication Channel in github.com/usememos/memos

CVE-2022-4799, GHSA-jvq8-w7qv-hqp6
Affects: github.com/usememos/memos
Published: Aug 21, 2024
Unreviewed

usememos/memos Improper Authentication vulnerability in github.com/usememos/memos

CVE-2022-4796, GHSA-ghx2-6v4g-9wmm
Affects: github.com/usememos/memos
Published: Aug 21, 2024
Unreviewed

usememos/memos makes Incorrect Use of Privileged APIs in github.com/usememos/memos

CVE-2022-4801, GHSA-f83p-pg86-p922
Affects: github.com/usememos/memos
Published: Aug 21, 2024
Unreviewed

usememos/memos has Insufficient Granularity of Access Control in github.com/usememos/memos

CVE-2022-4691, GHSA-97rc-mm5j-f6rj
Affects: github.com/usememos/memos
Published: Aug 21, 2024
Unreviewed

usememos/memos vulnerable to stored Cross-site Scripting in github.com/usememos/memos

CVE-2022-4734, GHSA-j593-h5v3-45x6
Affects: github.com/usememos/memos
Published: Aug 21, 2024
Unreviewed

usememos/memos may leak user information to an authenticated user in github.com/usememos/memos

CVE-2022-4767, GHSA-33m8-f4hw-wm3q
Affects: github.com/usememos/memos
Published: Aug 21, 2024
Unreviewed

usememos/memos Denial of Service vulnerability in github.com/usememos/memos

CVE-2022-4684, GHSA-qr52-59r6-49f4
Affects: github.com/usememos/memos
Published: Aug 21, 2024
Unreviewed

usememos/memos Improper Access Control vulnerability in github.com/usememos/memos

CVE-2022-4687, GHSA-fv6c-rfg3-gvjw
Affects: github.com/usememos/memos
Published: Aug 21, 2024
Unreviewed

usememos/memos makes Incorrect Use of Privileged APIs in github.com/usememos/memos

CVE-2022-4692, GHSA-f552-97qx-c694
Affects: github.com/usememos/memos
Published: Aug 21, 2024
Unreviewed

usememos/memos vulnerable to stored Cross-site Scripting in github.com/usememos/memos

CVE-2022-4686, GHSA-68gw-r2x5-7r5r
Affects: github.com/usememos/memos
Published: Aug 21, 2024
Unreviewed

usememos/memos Authorization Bypass Through User-Controlled Key vulnerability in github.com/usememos/memos

CVE-2018-25060, GHSA-hhxg-px5h-jc32
Affects: github.com/go-macaron/csrf
Published: Jan 03, 2023
Modified: May 20, 2024

The Options.Secure value is ignored, and cookies created by Generate never have the secure attribute.

CVE-2018-25059, GHSA-cwh7-28vg-jmpr
Affects: github.com/jessfraz/pastebinit
Published: Aug 21, 2024
Unreviewed

pastebinit Path Traversal vulnerability in github.com/jessfraz/pastebinit

CVE-2022-46181, GHSA-xv6x-456v-24xh
Affects: github.com/gotify/server, github.com/gotify/server/v2
Published: Aug 21, 2024
Unreviewed

gotify/server vulnerable to Cross-site Scripting in the application image file upload in github.com/gotify/server

CVE-2022-4318, GHSA-cm9x-c3rh-7rc4
Affects: github.com/cri-o/cri-o
Published: Aug 21, 2024
Unreviewed

CRI-O vulnerable to /etc/passwd tampering resulting in Privilege Escalation in github.com/cri-o/cri-o

CVE-2022-4685, GHSA-9v48-2h5x-fvpm
Affects: github.com/usememos/memos
Published: Aug 21, 2024
Unreviewed

usememos/memos vulnerable to improper access control in github.com/usememos/memos

GHSA-9h6h-9g78-86f7
Affects: github.com/fkie-cad/yapscan
Published: Aug 21, 2024
Unreviewed

Yapscan's report receiver server vulnerable to path traversal and log injection in github.com/fkie-cad/yapscan

CVE-2021-4294, GHSA-m7qp-cj9p-gj85
Affects: github.com/openshift/osin
Published: Jan 03, 2023
Modified: May 20, 2024

Client secret checks are vulnerable to timing attacks, which could permit an attacker to determine client secrets.

CVE-2022-46173, GHSA-p228-4mrh-ww7r
Affects: github.com/ElrondNetwork/elrond-go
Published: Aug 21, 2024
Unreviewed

Elrond-GO processing: fallback search of SCRs when not found in the main cache in github.com/ElrondNetwork/elrond-go

CVE-2022-4683, GHSA-qcw2-492v-57xj
Affects: github.com/usememos/memos
Published: Aug 21, 2024
Unreviewed

usememos/memos missing Secure cookie attribute in github.com/usememos/memos

CVE-2022-4689, GHSA-w57v-6xp4-rm2v
Affects: github.com/usememos/memos
Published: Aug 21, 2024
Unreviewed

usememos/memos vulnerable to account takeover due to improper access control in github.com/usememos/memos

CVE-2022-4688, GHSA-vwg4-846x-f94v
Affects: github.com/usememos/memos
Published: Aug 21, 2024
Unreviewed

usememos/memos vulnerable to improper authorization in github.com/usememos/memos

CVE-2022-4690, GHSA-c8jh-vcjh-fx2w
Affects: github.com/usememos/memos
Published: Aug 21, 2024
Unreviewed

usememos/memos vulnerable to stored cross-site scripting (XSS) in github.com/usememos/memos

CVE-2022-4741, GHSA-qvx2-59g8-8hph
Affects: code.sajari.com/docconv
Published: Jan 12, 2023
Modified: May 20, 2024

An attacker can remotely supply a specially crafted input that causes uncontrolled memory allocation.

CVE-2020-36627, GHSA-jwrv-x6rx-8vfm
Affects: github.com/go-macaron/i18n
Published: Dec 28, 2022
Modified: May 20, 2024

A user controlled string could lead to open redirect.

CVE-2022-4643, GHSA-6m4h-hfpp-x8cx
Affects: code.sajari.com/docconv
Published: Dec 27, 2022
Modified: May 20, 2024

The manipulation of the argument path to docconv.{ConvertPDF,PDFHasImage} leads to os command injection.

CVE-2022-23551, GHSA-p82q-rxpm-hjpc
Affects: github.com/Azure/aad-pod-identity
Published: Aug 21, 2024
Unreviewed

AAD Pod Identity obtaining token with backslash in github.com/Azure/aad-pod-identity

CVE-2022-47633, GHSA-m3cq-xcx9-3gvm
Affects: github.com/kyverno/kyverno
Published: Dec 27, 2022
Modified: Jun 03, 2024

A malicious proxy/registry can bypass verifyImages rules.

CVE-2022-23542, GHSA-m3q4-7qmj-657m
Affects: github.com/openfga/openfga
Published: Aug 21, 2024
Unreviewed

OpenFGA Authorization Bypass in github.com/openfga/openfga

CVE-2022-39304, GHSA-h4q8-96p6-jcgr
Affects: github.com/bradleyfalzon/ghinstallation
Published: Dec 22, 2022
Modified: May 20, 2024

Errors returned by ghinstallation.Transport can include the JWT used for the failed operation. If the error is exposed to an untrusted party, this JWT could be extracted and used to authenticate further requests.

CVE-2022-23536, GHSA-cq2g-pw6q-hf7j
Affects: github.com/cortexproject/cortex
Published: Dec 22, 2022
Modified: May 20, 2024

A malicious actor could remotely read local files by submitting to the Alertmanager Set Configuration API maliciously crafted inputs. Only users of the Alertmanager service where "-experimental.alertmanager.enable-api" or "enable_api: true" is configured are affected.

CVE-2022-45969, GHSA-pmg2-rph8-p8r6
Affects: github.com/alist-org/alist, github.com/alist-org/alist/v3
Published: Aug 21, 2024
Unreviewed

Alist vulnerable to Path Traversal in github.com/alist-org/alist

CVE-2022-23524, GHSA-6rx9-889q-vv2r
Affects: helm.sh/helm/v3
Published: Dec 14, 2022
Modified: May 20, 2024

Applications that use the strvals package in the Helm SDK to parse user supplied input can suffer a Denial of Service when that input causes an error that cannot be recovered from. The strvals package contains a parser that turns strings into Go structures. For example, the Helm client has command line flags like --set, --set-string, and others that enable the user to pass in strings that are merged into the values. The strvals package converts these strings into structures Go can work with. Some string inputs can cause can cause a stack overflow to be created causing a stack overflow error. Stack overflow errors cannot be recovered from. The Helm Client will panic with input to --set, --set-string, and other value setting flags that causes a stack overflow. Helm is not a long running service so the error will not affect future uses of the Helm client.

CVE-2022-23526, GHSA-67fx-wx78-jx33
Affects: helm.sh/helm/v3
Published: Dec 22, 2022
Modified: May 20, 2024

Certain JSON schema validation files can cause a Helm Client to panic, leading to a possible denial of service. The chartutil package contains a parser that loads a JSON Schema validation file. For example, the Helm client when rendering a chart will validate its values with the schema file. The chartutil package parses the schema file and loads it into memory, but some schema files can cause array data structures to be created causing a memory violation. The Helm Client will panic with a schema file that causes a memory violation panic. Helm is not a long running service so the panic will not affect future uses of the Helm client.

CVE-2022-23525, GHSA-53c4-hhmh-vw5q
Affects: helm.sh/helm/v3
Published: Dec 22, 2022
Modified: May 20, 2024

Applications that use the repo package in the Helm SDK to parse an index file can suffer a Denial of Service when that input causes a panic that cannot be recovered from. The repo package contains a handler that processes the index file of a repository. For example, the Helm client adds references to chart repositories where charts are managed. The repo package parses the index file of the repository and loads it into memory. Some index files can cause array data structures to be created causing a memory violation. The Helm Client will panic with an index file that causes a memory violation panic. Helm is not a long running service so the panic will not affect future uses of the Helm client.

CVE-2022-43996, GHSA-xxfx-w2rw-gh63
Affects: github.com/csaf-poc/csaf_distribution
Published: Aug 21, 2024
Unreviewed

csaf-poc/csaf_distribution Cross-site Scripting vulnerability in github.com/csaf-poc/csaf_distribution

CVE-2022-45968, GHSA-4gjr-vgfx-9qvw
Affects: github.com/alist-org/alist, github.com/alist-org/alist/v3
Published: Aug 21, 2024
Unreviewed

AList vulnerable to Improper Preservation of Permissions in github.com/alist-org/alist

CVE-2022-23511, GHSA-j8x2-2m5w-j939
Affects: github.com/aws/amazon-cloudwatch-agent
Published: Aug 21, 2024
Unreviewed

Amazon CloudWatch Agent for Windows has Privilege Escalation Vector in github.com/aws/amazon-cloudwatch-agent

CVE-2022-4123, GHSA-rprg-4v7q-87v7
Affects: github.com/containers/podman/v4
Published: Dec 22, 2022
Modified: May 20, 2024

The local path and the lowest subdirectory may be disclosed due to incorrect absolute path traversal, resulting in an impact to confidentiality.

CVE-2022-23495, GHSA-x39j-h85h-3f46
Affects: github.com/ipfs/go-merkledag
Published: Dec 22, 2022
Modified: May 20, 2024

A ProtoNode may be modified in such a way as to cause various encode errors which will trigger a panic on common method calls that don't allow for error returns. Additionally, use of the ProtoNode.SetCidBuilder() method to set non-functioning CidBuilder (such as one that refers to a multihash where an implementation of that hash function is not available) may cause the same methods to panic as a new CID is required but cannot be created.

CVE-2022-23469, GHSA-h2ph-vhm7-g4hp
Affects: github.com/traefik/traefik, github.com/traefik/traefik/v2
Published: Aug 21, 2024
Unreviewed

Traefik may display authorization header in the debug logs in github.com/traefik/traefik

CVE-2022-44942, GHSA-f93f-55c2-8c89
Affects: github.com/casdoor/casdoor
Published: Aug 21, 2024
Unreviewed

Casdoor arbitrary file deletion vulnerability via uploadFile function in github.com/casdoor/casdoor

CVE-2022-46153, GHSA-468w-8x39-gj5v
Affects: github.com/traefik/traefik, github.com/traefik/traefik/v2
Published: Aug 21, 2024
Unreviewed

Traefik routes exposed with an empty TLSOption in github.com/traefik/traefik

CVE-2022-4122, GHSA-4crw-w8pw-2hmf
Affects: github.com/containers/podman, github.com/containers/podman/v2, and 2 more
Published: Aug 21, 2024
Unreviewed

Buildah (as part of Podman) vulnerable to Link Following in github.com/containers/podman

CVE-2022-23492, GHSA-j7qp-mfxf-8xjw
Affects: github.com/libp2p/go-libp2p
Published: Dec 14, 2022
Modified: May 20, 2024

go-libp2p is vulnerable to targeted resource exhaustion attacks. These attacks target libp2p's connection, stream, peer, and memory management. An attacker can cause the allocation of large amounts of memory ultimately leading to the process getting killed by the host's operating system. While a connection manager tasked with keeping the number of connections within manageable limits has been part of go-libp2p, this component was designed to handle the regular churn of peers, not a targeted resource exhaustion attack. It's recommend to update to v0.21.0 onwards to get some useful functionality that will help in production environments like better metrics around resource usage, Grafana dashboards around resource usage, allow list support, and default autoscaling limits.

CVE-2022-23471, GHSA-2qjp-425j-52j9
Affects: github.com/containerd/containerd
Published: Aug 21, 2024
Unreviewed

containerd CRI stream server vulnerable to host memory exhaustion via terminal in github.com/containerd/containerd

CVE-2022-41717, GHSA-xrjj-mj9h-534m
Affects: net/http, golang.org/x/net
Published: Dec 08, 2022
Modified: May 20, 2024

An attacker can cause excessive memory growth in a Go server accepting HTTP/2 requests. HTTP/2 server connections contain a cache of HTTP header keys sent by the client. While the total number of entries in this cache is capped, an attacker sending very large keys can cause the server to allocate approximately 64 MiB per open connection.

CVE-2022-41720
Affects: os, net/http
Published: Dec 07, 2022
Modified: May 20, 2024

On Windows, restricted files can be accessed via os.DirFS and http.Dir. The os.DirFS function and http.Dir type provide access to a tree of files rooted at a given directory. These functions permit access to Windows device files under that root. For example, os.DirFS("C:/tmp").Open("COM1") opens the COM1 device. Both os.DirFS and http.Dir only provide read-only filesystem access. In addition, on Windows, an os.DirFS for the directory (the root of the current drive) can permit a maliciously crafted path to escape from the drive and access any path on the system. With fix applied, the behavior of os.DirFS("") has changed. Previously, an empty root was treated equivalently to "/", so os.DirFS("").Open("tmp") would open the path "/tmp". This now returns an error.

CVE-2022-3751, GHSA-cvh4-cjc9-84qm
Affects: github.com/owncast/owncast
Published: Aug 21, 2024
Unreviewed

owncast is vulnerable to SQL Injection in github.com/owncast/owncast

CVE-2022-46167, GHSA-x45c-cvp8-q4fm
Affects: github.com/clastix/capsule
Published: Aug 21, 2024
Unreviewed

Capsule vulnerable to privilege escalation by ServiceAccount deployed in a Tenant Namespace in github.com/clastix/capsule

CVE-2022-46156, GHSA-9j4f-f249-q5w8
Affects: github.com/grafana/synthetic-monitoring-agent
Published: Aug 21, 2024
Unreviewed

Grafana's default installation of `synthetic-monitoring-agent` exposes sensitive information in github.com/grafana/synthetic-monitoring-agent

CVE-2022-46146, GHSA-7rg2-cxvp-9p7p
Affects: github.com/prometheus/exporter-toolkit
Published: Nov 29, 2022
Modified: May 20, 2024

If an attacker has access to a Prometheus web.yml file and users' bcrypted passwords, it would be possible to bypass security via the built-in authentication cache.

CVE-2022-41912, GHSA-j2jp-wvqg-wc2g
Affects: github.com/crewjam/saml
Published: Nov 29, 2022
Modified: May 20, 2024

Authentication bypass is possible when processing SAML responses containing multiple Assertion elements.

CVE-2022-3920, GHSA-gw2g-hhc9-wgjh
Affects: github.com/hashicorp/consul
Published: Aug 21, 2024
Unreviewed

Missing Authorization in HashiCorp Consul in github.com/hashicorp/consul

CVE-2022-41924, GHSA-vqp6-rc3h-83cp
Affects: tailscale.com
Published: Aug 21, 2024
Unreviewed

Tailscale Windows daemon is vulnerable to RCE via CSRF in tailscale.com

CVE-2022-41925, GHSA-qccm-wmcq-pwr6
Affects: tailscale.com
Published: Aug 21, 2024
Unreviewed

Tailscale daemon is vulnerable to information disclosure via CSRF in tailscale.com

CVE-2022-39199, GHSA-6cqj-6969-p57x
Affects: github.com/codenotary/immudb
Published: Dec 22, 2022
Modified: May 20, 2024

A malicious server can trick a client into treating it as a different server by changing the reported UUID. immudb client SDKs use the server's UUID to distinguish between different server instance so that the client can connect to different immudb instances and keep the state for multiple servers. The SDK does not validate this UUID and accepts any value reported by the server. A malicious server can therefore change the reported UUID and trick the client into treating it as a different server.

CVE-2022-36111, GHSA-672p-m5jq-mrh8
Affects: github.com/codenotary/immudb
Published: Dec 22, 2022
Modified: May 20, 2024

In certain scenarios, a malicious immudb server can provide a falsified proof that will be accepted by the client SDK signing a falsified transaction replacing the genuine one. This situation can not be triggered by a genuine immudb server and requires the client to perform a specific list of verified operations resulting in acceptance of an invalid state value. This vulnerability only affects immudb client SDKs, the immudb server itself is not affected by this vulnerability.

CVE-2022-41920, GHSA-pp3f-xrw5-q5j4
Affects: github.com/duke-git/lancet, github.com/duke-git/lancet/v2
Published: Dec 07, 2022
Modified: May 20, 2024

A ZipSlip vulnerability exists when using the fileutil package to unzip files.

CVE-2022-39383, GHSA-m5xf-x7q6-3rm7
Affects: github.com/oam-dev/kubevela
Published: Dec 07, 2022
Modified: May 20, 2024

When using Helm Chart as the component delivery method, the request address of the warehouse is not restricted, and there is a blind SSRF vulnerability.

GHSA-vp35-85q5-9f25
Affects: github.com/docker/docker
Published: Aug 21, 2024
Unreviewed

Container build can leak any path on the host into the container in github.com/docker/docker

CVE-2022-3867, GHSA-9fmc-5fq4-5jwh
Affects: github.com/hashicorp/nomad
Published: Aug 21, 2024
Unreviewed

HashiCorp Nomad vulnerable to Insufficient Session Expiration in github.com/hashicorp/nomad

CVE-2022-3866, GHSA-7wg4-8m5p-hrfg
Affects: github.com/hashicorp/nomad
Published: Aug 21, 2024
Unreviewed

HashiCorp Nomad vulnerable to non-sensitive metadata exposure in github.com/hashicorp/nomad

CVE-2022-39395, GHSA-2w78-ffv6-p46w, and 2 more
Affects: github.com/go-vela/server, github.com/go-vela/worker
Published: Aug 21, 2024
Unreviewed

Vela Insecure Defaults in github.com/go-vela/server

CVE-2022-39352, GHSA-3gfj-fxx4-f22w
Affects: github.com/openfga/openfga
Published: Aug 21, 2024
Unreviewed

OpenFGA Authorization Bypass in github.com/openfga/openfga

CVE-2022-44797, GHSA-2chg-86hq-7w38
Affects: github.com/btcsuite/btcd
Published: Nov 08, 2022
Modified: May 20, 2024

Erroneous message decoding can cause denial of service. Improper checking of maximum witness size during node message decoding prevented nodes in Lightning Labs lnd (before 0.15.2-beta) to sync.

CVE-2022-41716
Affects: syscall, os/exec
Published: Nov 01, 2022
Modified: May 20, 2024

Due to unsanitized NUL values, attackers may be able to maliciously set environment variables on Windows. In syscall.StartProcess and os/exec.Cmd, invalid environment variable values containing NUL values are not properly checked for. A malicious environment variable value can exploit this behavior to set a value for a different environment variable. For example, the environment variable string "A=B\x00C=D" sets the variables "A=B" and "C=D".

CVE-2022-3616, GHSA-pmw9-567p-68pc
Affects: github.com/cloudflare/cfrpki
Published: Aug 21, 2024
Unreviewed

OctoRPKI crashes when max iterations is reached in github.com/cloudflare/cfrpki

CVE-2022-38580, GHSA-f2rj-m42r-6jm2
Affects: github.com/zalando/skipper
Published: Nov 02, 2022
Modified: May 20, 2024

An attacker can access the internal metadata server or other unauthenticated URLs by adding a specific header (X-Skipper-Proxy) to the http request.

CVE-2022-43677, GHSA-59hj-62f5-fgmc
Affects: github.com/free5gc/aper
Published: Nov 02, 2022
Modified: May 20, 2024

A malformed message can crash the free5gc/amf and free5gc/ngap decoders via an index-out-of-range panic in aper.GetBitString.

CVE-2022-39342, GHSA-f4mm-2r69-mg5f
Affects: github.com/openfga/openfga
Published: Aug 21, 2024
Unreviewed

OpenFGA Authorization Bypass in github.com/openfga/openfga

CVE-2022-39341, GHSA-vj4m-83m8-xpw5
Affects: github.com/openfga/openfga
Published: Aug 21, 2024
Unreviewed

OpenFGA Authorization Bypass via tupleset wildcard in github.com/openfga/openfga

CVE-2022-39340, GHSA-95x7-mh78-7w2r
Affects: github.com/openfga/openfga
Published: Aug 21, 2024
Unreviewed

OpenFGA subject to Information Disclosure via streamed-list-objects endpoint in github.com/openfga/openfga

CVE-2022-39272, GHSA-f4p5-x4vc-mh4v
Affects: github.com/fluxcd/helm-controller/api, github.com/fluxcd/image-automation-controller/api, and 4 more
Published: Oct 28, 2022
Modified: May 20, 2024

Flux controllers are vulnerable to a denial of service attack. Users that have permissions to change Flux's objects, either through a Flux source or directly within a cluster, can provide invalid data to fields .spec.interval or .spec.timeout (and structured variations of these fields), causing the entire object type to stop being processed. The issue has two root causes: a) the Kubernetes type metav1.Duration is not fully compatible with the Go type time.Duration as explained in https://github.com/kubernetes/apimachinery/issues/131, and b) a lack of validation within Flux to restrict allowed values.

CVE-2022-39267, GHSA-mxrx-fg8p-5p5j
Affects: github.com/brokercap/Bifrost
Published: Aug 21, 2024
Unreviewed

Bifrost vulnerable to authentication check flaw that leads to authentication bypass in github.com/brokercap/Bifrost

GHSA-j92c-mmf7-j5x5
Affects: github.com/cheqd/cheqd-node
Published: Aug 21, 2024
Unreviewed

Potential inter-blockchain communication (IBC) protocol compromise via "Dragonberry" vulnerability in cheqd in github.com/cheqd/cheqd-node

CVE-2022-42968, GHSA-w8xw-7crf-h23x
Affects: code.gitea.io/gitea
Published: Aug 21, 2024
Unreviewed

Gitea vulnerable to Argument Injection in code.gitea.io/gitea

CVE-2022-41606, GHSA-7v3g-4878-5qrf
Affects: github.com/hashicorp/nomad
Published: Aug 21, 2024
Unreviewed

Nomad Panics On Job Submission With Bad Artifact Stanza Source URL in github.com/hashicorp/nomad

CVE-2022-32174, GHSA-mcjj-2fvq-mc3r
Affects: gogs.io/gogs
Published: Aug 21, 2024
Unreviewed

Gogs vulnerable to Cross-site Scripting in gogs.io/gogs

CVE-2022-32149, GHSA-69ch-w2m2-3vjp
Affects: golang.org/x/text
Published: Oct 11, 2022
Modified: May 20, 2024

An attacker may cause a denial of service by crafting an Accept-Language header which ParseAcceptLanguage will take significant time to parse.

GHSA-x279-68rr-jp4p
Affects: github.com/supranational/blst
Published: Oct 18, 2022
Modified: May 20, 2024

Potential creation of an invalid signature from correct inputs. Some inputs to the blst_fp_eucl_inverse function can produce incorrect outputs. This could theoretically permit the creation of an invalid signature from correct inputs.

CVE-2021-21271, GHSA-p658-8693-mhvg
Affects: github.com/tendermint/tendermint
Published: Oct 14, 2022
Modified: May 20, 2024

Mishandling of timestamps during consensus process can cause a denial of service. While reaching consensus, different tendermint nodes can observe a different timestamp for a consensus evidence. This mismatch can cause the evidence to be invalid, upon which the node producing the evidence will be asked to generate a new evidence. This new evidence will be the same, which means it will again be rejected by other nodes involved in the consensus. This loop will continue until the peer nodes decide to disconnect from the node producing the evidence.

CVE-2022-39237, GHSA-m5m3-46gj-wch8
Affects: github.com/sylabs/sif/v2
Published: Oct 21, 2022
Modified: May 20, 2024

The Singularity Image Format (SIF) reference implementation does not verify that the hash algorithm(s) used are cryptographically secure when verifying digital signatures.

CVE-2022-39273, GHSA-67x4-qr35-qvrm
Affects: github.com/flyteorg/flyteadmin
Published: Oct 31, 2022
Modified: May 20, 2024

Default authorization server's configuration settings contain a known hardcoded hashed password. Users who enable auth but do not override this setting may unknowingly allow public traffic in by way of this default password with attackers effectively impersonating propeller.

CVE-2021-21303, GHSA-c38g-469g-cmgx
Affects: helm.sh/helm/v3
Published: Oct 18, 2022
Modified: May 20, 2024

Helm does not sanitize all fields read from repository data files. A maliciously crafted data file may contain strings containing arbitrary data. If printed to a terminal, a malicious string could obscure or alter data on the screen.

CVE-2022-41715
Affects: regexp/syntax
Published: Oct 06, 2022
Modified: May 20, 2024

Programs which compile regular expressions from untrusted sources may be vulnerable to memory exhaustion or denial of service. The parsed regexp representation is linear in the size of the input, but in some cases the constant factor can be as high as 40,000, making relatively small regexps consume much larger amounts of memory. After fix, each regexp being parsed is limited to a 256 MB memory footprint. Regular expressions whose representation would use more space than that are rejected. Normal use of regular expressions is unaffected.

CVE-2022-2880
Affects: net/http/httputil
Published: Oct 06, 2022
Modified: May 20, 2024

Requests forwarded by ReverseProxy include the raw query parameters from the inbound request, including unparsable parameters rejected by net/http. This could permit query parameter smuggling when a Go proxy forwards a parameter with an unparsable value. After fix, ReverseProxy sanitizes the query parameters in the forwarded query when the outbound request's Form field is set after the ReverseProxy. Director function returns, indicating that the proxy has parsed the query parameters. Proxies which do not parse query parameters continue to forward the original query parameters unchanged.

CVE-2022-2879
Affects: archive/tar
Published: Oct 06, 2022
Modified: May 20, 2024

Reader.Read does not set a limit on the maximum size of file headers. A maliciously crafted archive could cause Read to allocate unbounded amounts of memory, potentially causing resource exhaustion or panics. After fix, Reader.Read limits the maximum size of header blocks to 1 MiB.

CVE-2022-38817, GHSA-2w6m-q946-399r
Affects: github.com/dapr/dashboard
Published: Aug 21, 2024
Unreviewed

Dapr Dashboard vulnerable to Incorrect Access Control in github.com/dapr/dashboard

CVE-2022-2529, GHSA-9rpw-2h95-666c
Affects: github.com/cloudflare/goflow, github.com/cloudflare/goflow/v3
Published: Aug 21, 2024
Unreviewed

Cloudflare GoFlow vulnerable to a Denial of Service in the sflow packet handling package in github.com/cloudflare/goflow

CVE-2022-40083, GHSA-crxj-hrmp-4rwf
Affects: github.com/labstack/echo/v4
Published: Oct 11, 2022
Modified: May 20, 2024

Labstack Echo contains an open redirect vulnerability via the Static Handler component. This vulnerability can be leveraged by attackers to cause a Server-Side Request Forgery (SSRF).

CVE-2022-40716, GHSA-m69r-9g56-7mv8
Affects: github.com/hashicorp/consul
Published: Aug 21, 2024
Unreviewed

HashiCorp Consul vulnerable to authorization bypass in github.com/hashicorp/consul

CVE-2022-40082, GHSA-c9qr-f6c8-rgxf
Affects: github.com/cloudwego/hertz
Published: Oct 05, 2022
Modified: May 20, 2024

Improper path sanitization on Windows permits path traversal attacks. Static file serving with the Static or StaticFS functions allows an attacker to access files from outside the filesystem root. This vulnerability does not affect non-Windows systems.

CVE-2022-3347, GHSA-jr65-gpj5-cw74
Affects: github.com/peterzen/goresolver
Published: Sep 29, 2022
Modified: May 20, 2024

DNSSEC validation is not performed correctly. An attacker can cause this package to report successful validation for invalid, attacker-controlled records. Root DNSSEC public keys are not validated, permitting an attacker to present a self-signed root key and delegation chain.

CVE-2022-39219, GHSA-p6fh-xc6r-g5hw
Affects: github.com/brokercap/Bifrost
Published: Aug 21, 2024
Unreviewed

Brokercap Bifrost subject to authentication bypass when using HTTP basic authentication in github.com/brokercap/Bifrost

CVE-2022-40186, GHSA-7cgv-v83v-rr87
Affects: github.com/hashicorp/vault
Published: Aug 21, 2024
Unreviewed

HashiCorp Vault vulnerable to incorrect metadata access in github.com/hashicorp/vault

GHSA-28q9-9c3g-v3f9
Affects: github.com/treeverse/lakefs
Published: Aug 21, 2024
Unreviewed

lakeFS vulnerable to authenticated users deleting files they are not authorized to delete in github.com/treeverse/lakefs

CVE-2022-39220, GHSA-cf7g-cm7q-rq7f
Affects: github.com/drakkan/sftpgo, github.com/drakkan/sftpgo/v2
Published: Aug 21, 2024
Unreviewed

SFTPGo WebClient vulnerable to Cross-site Scripting in github.com/drakkan/sftpgo

CVE-2022-2995, GHSA-phjr-8j92-w5v7
Affects: github.com/cri-o/cri-o
Published: Aug 21, 2024
Unreviewed

CRI-O incorrect handling of supplementary groups may lead to sensitive information disclosure in github.com/cri-o/cri-o

CVE-2022-2990, GHSA-fjm8-m7m6-2fjp
Affects: github.com/containers/buildah
Published: Sep 21, 2022
Modified: May 20, 2024

SGID programs executed in a container can access files that have negative group permissions for the user's primary group. Consider a file which is owned by user u1 and group g1, permits user and other read access, and does NOT permit group read access. This file is readable by u1 and all other users except for ones in group g1. A program with the set-group-ID (SGID) bit set assumes the primary group of the program's group when it executes. A user with the primary group g1 who executes an SGID program owned by group g2 should not be able to access the file described above. While the program executes with the primary group g2, the group g1 should remain in its supplementary groups, blocking access to the file. Buildah does not correctly add g1 to the supplementary groups in this scenario, permitting unauthorized access.

CVE-2022-38638, GHSA-9vm3-r8gq-cr6x
Affects: github.com/casdoor/casdoor
Published: Aug 21, 2024
Unreviewed

Casdoor arbitrary file write vulnerability in github.com/casdoor/casdoor

GHSA-3633-5h82-39pq
Affects: github.com/theupdateframework/go-tuf
Published: Sep 21, 2022
Modified: May 20, 2024

An attacker with the ability to insert public keys into a TUF repository can cause clients to accept a staged change that has not been signed by the correct threshold of signatures.

CVE-2022-39213, GHSA-xhmf-mmv2-4hhx
Affects: github.com/pandatix/go-cvss
Published: Sep 21, 2022
Modified: May 20, 2024

ParseVector can panic when provided with invalid input.

GHSA-qv98-3369-g364
Affects: kubevirt.io/kubevirt
Published: Aug 21, 2024
Unreviewed

KubeVirt vulnerable to arbitrary file read on host in kubevirt.io/kubevirt

CVE-2022-36056, GHSA-8gw7-4j42-w388
Affects: github.com/sigstore/cosign
Published: Nov 09, 2023
Modified: May 20, 2024

Improper blob verification in github.com/sigstore/cosign

CVE-2022-36103, GHSA-7hgc-php5-77qq
Affects: github.com/talos-systems/talos
Published: Aug 21, 2024
Unreviewed

Talos worker join token can be used to get elevated access level to the Talos API in github.com/talos-systems/talos

CVE-2022-39200, GHSA-pfw4-xjgm-267c
Affects: github.com/matrix-org/dendrite
Published: Aug 21, 2024
Unreviewed

Dendrite signature checks not applied to some retrieved missing events in github.com/matrix-org/dendrite

CVE-2022-32190
Affects: net/url
Published: Sep 12, 2022
Modified: May 20, 2024

JoinPath and URL.JoinPath do not remove ../ path elements appended to a relative path. For example, JoinPath("https://go.dev", "../go") returns the URL "https://go.dev/../go", despite the JoinPath documentation stating that ../ path elements are removed from the result.

CVE-2022-25295, GHSA-hvw3-p9px-gpc9
Affects: github.com/gophish/gophish
Published: Aug 21, 2024
Unreviewed

Gophish before 0.12.0 vulnerable to Open Redirect in github.com/gophish/gophish

CVE-2022-36110, GHSA-ggf6-638m-vqmg
Affects: github.com/gravitl/netmaker
Published: Aug 21, 2024
Unreviewed

Netmaker vulnerable to Insufficient Granularity of Access Control in github.com/gravitl/netmaker

CVE-2022-36109, GHSA-rc4r-wh2q-q6c4
Affects: github.com/docker/docker
Published: Aug 21, 2024
Unreviewed

Docker supplementary group permissions not set up properly, allowing attackers to bypass primary group restrictions in github.com/docker/docker

CVE-2021-25743, GHSA-f9jg-8p32-2f55
Affects: k8s.io/kubernetes
Published: Aug 21, 2024
Unreviewed

kubectl ANSI escape characters not filtered in k8s.io/kubernetes

CVE-2021-45330, GHSA-pg38-r834-g45j
Affects: code.gitea.io/gitea
Published: Aug 21, 2024
Unreviewed

Improper Privilege Management in Gitea in code.gitea.io/gitea

CVE-2022-31677, GHSA-rp4v-hhm6-rcv9
Affects: go.pinniped.dev
Published: Aug 21, 2024
Unreviewed

Pinniped Supervisor Insufficient Session Expiration vulnerability in go.pinniped.dev

CVE-2022-38149, GHSA-8449-7gc2-pwrp
Affects: github.com/hashicorp/consul-template
Published: Sep 21, 2022
Modified: May 20, 2024

The text of errors returned by Template.Execute can contain Vault secrets, potentially revealing these secrets in logs or error reports.

CVE-2022-3346, GHSA-87mm-qxm5-cp3f
Affects: github.com/peterzen/goresolver
Published: Sep 29, 2022
Modified: May 20, 2024

DNSSEC validation is not performed correctly. An attacker can cause this package to report successful validation for invalid, attacker-controlled records. The owner name of RRSIG RRs is not validated, permitting an attacker to present the RRSIG for an attacker-controlled domain in a response for any other domain.

CVE-2022-36085, GHSA-f524-rf33-2jjr
Affects: github.com/open-policy-agent/opa
Published: Sep 13, 2022
Modified: May 20, 2024

Open Policy Agent (OPA) is an open source, general-purpose policy engine. The Rego compiler provides a (deprecated) WithUnsafeBuiltins function, which allows users to provide a set of built-in functions that should be deemed unsafe and rejected by the compiler if encountered in the policy compilation stage. A bypass of this protection is possible when using the "with" keyword to mock a built-in function that isn't taken into account by WithUnsafeBuiltins.

CVE-2022-41719, GHSA-jr77-8gx4-h5qh
Affects: github.com/shamaton/msgpack/v2
Published: Nov 10, 2022
Modified: May 20, 2024

Unmarshal can panic on some inputs, possibly allowing for denial of service attacks.

CVE-2022-36061, GHSA-mv8x-668m-53fg
Affects: github.com/ElrondNetwork/elrond-go
Published: Aug 21, 2024
Unreviewed

Elrond-go has improper initialization in github.com/ElrondNetwork/elrond-go

CVE-2022-36058, GHSA-qf7j-25g9-r63f
Affects: github.com/ElrondNetwork/elrond-go
Published: Aug 21, 2024
Unreviewed

elrond-go MultiESDTNFTTransfer call on a SC address with missing function name in github.com/ElrondNetwork/elrond-go

CVE-2022-27664, GHSA-69cg-p879-7622
Affects: net/http, golang.org/x/net
Published: Sep 12, 2022
Modified: May 20, 2024

HTTP/2 server connections can hang forever waiting for a clean shutdown that was preempted by a fatal error. This condition can be exploited by a malicious client to cause a denial of service.

CVE-2021-43565, GHSA-gwc9-m7rh-j2ww
Affects: golang.org/x/crypto
Published: Sep 13, 2022
Modified: May 20, 2024

Unauthenticated clients can cause a panic in SSH servers. When using AES-GCM or ChaCha20Poly1305, consuming a malformed packet which contains an empty plaintext causes a panic.

GHSA-74fp-r6jw-h4mp
Affects: k8s.io/apimachinery
Published: Sep 02, 2022
Modified: May 20, 2024

Unbounded recursion in JSON parsing allows malicious JSON input to cause excessive memory consumption or panics.

CVE-2022-36071, GHSA-54qx-8p8w-xhg8
Affects: github.com/drakkan/sftpgo, github.com/drakkan/sftpgo/v2
Published: Aug 21, 2024
Unreviewed

SFTPGo vulnerable to recovery codes abuse in github.com/drakkan/sftpgo

CVE-2022-36078, GHSA-4p6f-m4f9-ch88
Affects: github.com/gagliardetto/binary
Published: Sep 02, 2022
Modified: May 20, 2024

A memory allocation vulnerability can be exploited to allocate arbitrarily large slices, which can exhaust available memory or crash the program. When parsing data from untrusted sources of input (e.g. the blockchain), the length of the slice to allocate is read directly from the data itself without any checks, which could lead to an allocation of excessive memory.

CVE-2022-36055, GHSA-7hfp-qfw3-5jxh
Affects: helm.sh/helm/v3
Published: Sep 02, 2022
Modified: May 20, 2024

Applications that use the strvals package in the Helm SDK to parse user supplied input can suffer a Denial of Service when that input causes a panic that cannot be recovered from. The strvals package contains a parser that turns strings into Go structures. For example, the Helm client has command line flags like --set, --set-string, and others that enable the user to pass in strings that are merged into the values. The strvals package converts these strings into structures Go can work with. Some string inputs can cause array data structures to be created causing an out of memory panic. The Helm Client will panic with input to --set, --set-string, and other value setting flags that causes an out of memory panic. Helm is not a long running service so the panic will not affect future uses of the Helm client.

CVE-2022-36035, GHSA-xwf3-6rgv-939r
Affects: github.com/fluxcd/flux2
Published: Aug 21, 2024
Unreviewed

Flux CLI Workload Injection in github.com/fluxcd/flux2

GHSA-pfhr-pccp-hwmh
Affects: github.com/cilium/cilium
Published: Aug 21, 2024
Unreviewed

Network Policies & (Clusterwide) Cilium Network Policies with namespace label selectors may unexpectedly select pods with maliciously crafted labels in github.com/cilium/cilium

CVE-2020-36066, GHSA-wjm3-fq3r-5x46
Affects: github.com/tidwall/gjson
Published: Aug 25, 2022
Modified: May 20, 2024

A maliciously crafted JSON input can cause a denial of service attack.

CVE-2022-3064, GHSA-6q6q-88xp-6f2r
Affects: gopkg.in/yaml.v2
Published: Aug 29, 2022
Modified: May 20, 2024

Parsing malicious or large YAML documents can consume excessive amounts of CPU or memory.

CVE-2022-24687, GHSA-hj93-5fg3-3chr
Affects: github.com/hashicorp/consul
Published: Aug 21, 2024
Unreviewed

HashiCorp Consul Ingress Gateway Panic Can Shutdown Servers in github.com/hashicorp/consul

CVE-2022-36009, GHSA-grvv-h2f9-7v9c
Affects: github.com/matrix-org/gomatrixserverlib
Published: Aug 22, 2022
Modified: May 20, 2024

Power level parsing does not parse the "events_default" key of the m.room.power_levels event, setting the event default power level to zero in all cases. This can cause events to be improperly accepted or rejected in rooms where the event_default power level has been changed.

CVE-2016-9122, GHSA-77gc-fj98-665h
Affects: gopkg.in/square/go-jose.v1
Published: Aug 22, 2022
Modified: May 20, 2024

The go-jose library suffers from multiple signatures exploitation. When validating a signed message, the API did not indicate which signature was valid, which creates the potential for confusion.

CVE-2022-37315, GHSA-h3qm-jrrf-cgj3
Affects: github.com/graphql-go/graphql
Published: Aug 23, 2022
Modified: May 20, 2024

graphql-go (aka GraphQL for Go) has infinite recursion in the type definition parser.

CVE-2021-41232, GHSA-26cm-qrc6-mfgj
Affects: github.com/StevenWeathers/thunderdome-planning-poker
Published: Aug 21, 2024
Unreviewed

Improper Neutralization of Special Elements used in an LDAP Query in stevenweathers/thunderdome-planning-poker in github.com/StevenWeathers/thunderdome-planning-poker

CVE-2021-41103, GHSA-c2h3-6mxw-7mvq
Affects: github.com/containerd/containerd
Published: Aug 21, 2024
Unreviewed

Insufficiently restricted permissions on plugin directories in github.com/containerd/containerd

CVE-2021-41088, GHSA-fpv6-f8jw-rc3r
Affects: github.com/elves/elvish
Published: Aug 21, 2024
Unreviewed

Elvish vulnerable to remote code execution via the web UI backend in github.com/elves/elvish

CVE-2021-41087, GHSA-vrxp-mg9f-hwf3
Affects: github.com/in-toto/in-toto-golang
Published: Aug 21, 2024
Unreviewed

Improperly Implemented path matching for in-toto-golang in github.com/in-toto/in-toto-golang

CVE-2021-39162, GHSA-gjcg-vrxg-xmgv
Affects: github.com/pomerium/pomerium
Published: Aug 21, 2024
Unreviewed

Incorrect handling of H2 GOAWAY + SETTINGS frames in github.com/pomerium/pomerium

CVE-2021-38197, GHSA-v9j4-cp63-qv62
Affects: github.com/gen2brain/go-unarr
Published: Aug 21, 2024
Unreviewed

Tarslip in go-unarr in github.com/gen2brain/go-unarr

CVE-2021-37914, GHSA-h563-xh25-x54q
Affects: github.com/argoproj/argo-workflows, github.com/argoproj/argo-workflows/v2, and 1 more
Published: Aug 21, 2024
Unreviewed

Workflow re-write vulnerability using input parameter in github.com/argoproj/argo-workflows

CVE-2021-33497, GHSA-cf55-rq8x-hm6f
Affects: github.com/dutchcoders/transfer.sh
Published: Aug 21, 2024
Unreviewed

Path Traversal in Dutchcoders transfer.sh in github.com/dutchcoders/transfer.sh

CVE-2021-33496, GHSA-w3jx-wv97-67ph
Affects: github.com/dutchcoders/transfer.sh
Published: Aug 21, 2024
Unreviewed

Cross-site scripting in Dutchcoders transfer.sh in github.com/dutchcoders/transfer.sh

CVE-2021-32813, GHSA-m697-4v8f-55qg
Affects: github.com/traefik/traefik, github.com/traefik/traefik/v2
Published: Aug 21, 2024
Unreviewed

Header dropping in traefik in github.com/traefik/traefik

CVE-2021-32783, GHSA-5ph6-qq5x-7jwc
Affects: github.com/projectcontour/contour
Published: Aug 21, 2024
Unreviewed

ExternalName Services can be used to gain access to Envoy's admin interface in github.com/projectcontour/contour

CVE-2021-32760, GHSA-c72p-9xmj-rx3w
Affects: github.com/containerd/containerd
Published: Aug 21, 2024
Unreviewed

Archive package allows chmod of file outside of unpack target directory in github.com/containerd/containerd

CVE-2021-32701, GHSA-vfvf-6gx5-mqv6
Affects: github.com/ory/oathkeeper
Published: Aug 21, 2024
Unreviewed

Incorrect Authorization in ORY Oathkeeper in github.com/ory/oathkeeper

CVE-2021-32699, GHSA-jj6m-r8jc-2gp7
Affects: github.com/pterodactyl/wings
Published: Aug 21, 2024
Unreviewed

Asymmetric Resource Consumption (Amplification) in Docker containers created by Wings in github.com/pterodactyl/wings

CVE-2021-31232, GHSA-m45g-f45x-vv22
Affects: github.com/cortexproject/cortex
Published: Aug 21, 2024
Unreviewed

Improper input validation in CNCF Cortex in github.com/cortexproject/cortex

CVE-2021-30465, GHSA-c3xm-pvg7-gh7r
Affects: github.com/opencontainers/runc
Published: Aug 21, 2024
Unreviewed

mount destinations can be swapped via symlink-exchange to cause mounts outside the rootfs in github.com/opencontainers/runc

CVE-2021-29499, GHSA-4gh8-x3vv-phhg
Affects: github.com/sylabs/sif
Published: Aug 21, 2024
Unreviewed

Predictable SIF UUID Identifiers in github.com/sylabs/sif

CVE-2021-25741, GHSA-f5f7-6478-qm6p
Affects: k8s.io/kubernetes
Published: Aug 21, 2024
Unreviewed

Files or Directories Accessible to External Parties in kubernetes in k8s.io/kubernetes

CVE-2021-25737, GHSA-mfv7-gq43-w965
Affects: k8s.io/kubernetes
Published: Aug 21, 2024
Unreviewed

Incomplete List of Disallowed Inputs in Kubernetes in k8s.io/kubernetes

CVE-2021-25735, GHSA-g42g-737j-qx6j
Affects: k8s.io/kubernetes
Published: Aug 21, 2024
Unreviewed

Access Restriction Bypass in kube-apiserver in k8s.io/kubernetes

CVE-2021-23365, GHSA-599h-8wpj-75xj
Affects: github.com/TykTechnologies/tyk-identity-broker
Published: Aug 21, 2024
Unreviewed

Authentication Bypass in tyk-identity-broker in github.com/TykTechnologies/tyk-identity-broker

CVE-2021-21405, GHSA-4g52-pqcj-phvh
Affects: github.com/filecoin-project/lotus
Published: Aug 21, 2024
Unreviewed

BLS Signature "Malleability" in github.com/filecoin-project/lotus

CVE-2020-26213, GHSA-jhj6-5mh6-4pvf
Affects: ktbs.dev/teler
Published: Aug 21, 2024
Unreviewed

Denial-of-Service within Docker container in ktbs.dev/teler

CVE-2021-36213, GHSA-8h2g-r292-j8xh
Affects: github.com/hashicorp/consul
Published: Aug 21, 2024
Unreviewed

HashiCorp Consul L7 deny intention results in an allow action in github.com/hashicorp/consul

CVE-2021-32574, GHSA-25gf-8qrr-g78r
Affects: github.com/hashicorp/consul
Published: Aug 21, 2024
Unreviewed

Hashicorp Consul Missing SSL Certificate Validation in github.com/hashicorp/consul

CVE-2016-1905, GHSA-xx8c-m748-xr4j
Affects: github.com/kubernetes/kubernetes
Published: Aug 21, 2024
Unreviewed

Access Restriction Bypass in kubernetes in github.com/kubernetes/kubernetes

CVE-2020-8827, GHSA-xcqr-9h24-vrgw
Affects: github.com/argoproj/argo-cd
Published: Aug 21, 2024
Unreviewed

Improper Restriction of Excessive Authentication Attempts in Argo API in github.com/argoproj/argo-cd

CVE-2020-8555, GHSA-x6mj-w4jf-jmgw
Affects: k8s.io/kubernetes
Published: Aug 21, 2024
Unreviewed

Server Side Request Forgery (SSRF) in Kubernetes in k8s.io/kubernetes

CVE-2021-25835, GHSA-x5f3-qmwj-4f84
Affects: github.com/cosmos/ethermint
Published: Aug 21, 2024
Unreviewed

Authentication bypass by capture-replay in github.com/cosmos/ethermint

CVE-2021-21404, GHSA-x462-89pf-6r5h
Affects: github.com/syncthing/syncthing
Published: Aug 21, 2024
Unreviewed

Crash due to malformed relay protocol message in github.com/syncthing/syncthing

CVE-2017-14623, GHSA-x27w-qxhg-343v
Affects: github.com/go-ldap/ldap
Published: Aug 21, 2024
Unreviewed

Access Restriction Bypass in go-ldap in github.com/go-ldap/ldap

CVE-2018-1002101, GHSA-wqwf-x5cj-rg56
Affects: k8s.io/kubernetes
Published: Aug 21, 2024
Unreviewed

Kubernetes Arbitrary Command Injection in k8s.io/kubernetes

CVE-2020-8558, GHSA-wqv3-8cm6-h6wg
Affects: k8s.io/kubernetes
Published: Aug 21, 2024
Unreviewed

Improper Authentication in Kubernetes in k8s.io/kubernetes

CVE-2019-19026, GHSA-rh89-vvrg-fg64, and 1 more
Affects: github.com/goharbor/harbor
Published: Aug 21, 2024
Unreviewed

SQL Injection in Cloud Native Computing Foundation Harbor in github.com/goharbor/harbor

CVE-2020-11576, GHSA-vj54-cjrx-x696
Affects: github.com/argoproj/argo-cd
Published: Aug 21, 2024
Unreviewed

Observable Discrepancy in Argo in github.com/argoproj/argo-cd

CVE-2020-13250, GHSA-rqjq-mrgx-85hp
Affects: github.com/hashicorp/consul
Published: Aug 21, 2024
Unreviewed

Allocation of Resources Without Limits or Throttling in Hashicorp Consul in github.com/hashicorp/consul

CVE-2020-28924, GHSA-rmw5-xpg9-jr29
Affects: github.com/rclone/rclone
Published: Aug 21, 2024
Unreviewed

Use of Cryptographically Weak Pseudo-Random Number Generator in Rclone in github.com/rclone/rclone

CVE-2019-19025, GHSA-gcqm-v682-ccw6, and 1 more
Affects: github.com/goharbor/harbor
Published: Aug 21, 2024
Unreviewed

Cross-site Request Forgery (CSRF) in Cloud Native Computing Foundation Harbor in github.com/goharbor/harbor

CVE-2015-5250, GHSA-rf3m-mhv7-x39f
Affects: github.com/openshift/origin
Published: Aug 21, 2024
Unreviewed

Denial of Service in OpenShift Origin in github.com/openshift/origin

CVE-2020-7955, GHSA-r9w6-rhh9-7v53
Affects: github.com/hashicorp/consul
Published: Aug 21, 2024
Unreviewed

Incorrect Authorization in HashiCorp Consul in github.com/hashicorp/consul

CVE-2020-26283, GHSA-r4gv-vj59-cccm
Affects: github.com/ipfs/go-ipfs
Published: Aug 21, 2024
Unreviewed

Control character injection in console output in github.com/ipfs/go-ipfs

CVE-2018-16733, GHSA-qr2j-wrhx-4829
Affects: github.com/ethereum/go-ethereum
Published: Aug 21, 2024
Unreviewed

Go Ethereum Improper Input Validation in github.com/ethereum/go-ethereum

CVE-2021-23347, GHSA-qq5v-f4c3-395c
Affects: github.com/argoproj/argo-cd
Published: Aug 21, 2024
Modified: Aug 22, 2024
Unreviewed

Possible XSS when using SSO with the CLI in github.com/argoproj/argo-cd

CVE-2020-8551, GHSA-qhm4-jxv7-j9pq
Affects: k8s.io/kubernetes
Published: Aug 21, 2024
Unreviewed

Allocation of Resources Without Limits or Throttling and Uncontrolled Memory Allocation in Kubernetes in k8s.io/kubernetes

CVE-2017-15104, GHSA-q9vw-wr57-xjv3
Affects: github.com/heketi/heketi
Published: Aug 21, 2024
Unreviewed

Information Exposure in Heketi in github.com/heketi/heketi

CVE-2020-13794, GHSA-q9p8-33wc-h432
Affects: github.com/goharbor/harbor
Published: Aug 21, 2024
Unreviewed

Authenticated users can exploit an enumeration vulnerability in Harbor in github.com/goharbor/harbor

CVE-2019-19023, GHSA-q6cj-6jvq-jwmh
Affects: github.com/goharbor/harbor
Published: Aug 21, 2024
Unreviewed

Privilege Escalation in Cloud Native Computing Foundation Harbor in github.com/goharbor/harbor

CVE-2019-11228, GHSA-q47x-6mqq-4w92
Affects: github.com/go-gitea/gitea
Published: Aug 21, 2024
Unreviewed

Gitea Improper Input Validation in github.com/go-gitea/gitea

CVE-2020-12758, GHSA-q2qr-3c2p-9235
Affects: github.com/hashicorp/consul
Published: Aug 21, 2024
Unreviewed

Denial of Service (DoS) in HashiCorp Consul in github.com/hashicorp/consul

CVE-2020-13170, GHSA-p2j5-3f4c-224r
Affects: github.com/hashicorp/consul
Published: Aug 21, 2024
Unreviewed

Improper Input Validation in HashiCorp Consul in github.com/hashicorp/consul

CVE-2015-7528, GHSA-mqf3-28j7-3mj6
Affects: github.com/kubernetes/kubernetes
Published: Aug 21, 2024
Unreviewed

Information Exposure in Kubernetes in github.com/kubernetes/kubernetes

CVE-2020-28466, GHSA-m4jx-6526-vvhm
Affects: github.com/nats-io/nats-server, github.com/nats-io/nats-server/v2
Published: Aug 21, 2024
Unreviewed

Denial of service in github.com/nats-io/nats-server/server in github.com/nats-io/nats-server

CVE-2016-1906, GHSA-m3fm-h5jp-q79p
Affects: github.com/openshift/origin
Published: Aug 21, 2024
Unreviewed

Authorization bypass in Openshift in github.com/openshift/origin

CVE-2019-19029, GHSA-jr34-mff8-pc6f, and 1 more
Affects: github.com/goharbor/harbor
Published: Aug 21, 2024
Unreviewed

SQL Injection in Cloud Native Computing Foundation Harbor in github.com/goharbor/harbor

CVE-2019-13126, GHSA-jp4j-47f9-2vc3
Affects: github.com/nats-io/nats-server, github.com/nats-io/nats-server/v2
Published: Aug 21, 2024
Unreviewed

Integer Overflow or Wraparound in NATS Server in github.com/nats-io/nats-server

CVE-2020-12797, GHSA-hwqm-x785-qh8p
Affects: github.com/hashicorp/consul
Published: Aug 21, 2024
Unreviewed

Incorrect Permission Assignment for Critical Resource in Hashicorp Consul in github.com/hashicorp/consul

CVE-2019-11229, GHSA-hpmr-prr2-cqc4
Affects: github.com/go-gitea/gitea
Published: Aug 21, 2024
Unreviewed

Gitea Remote Code Execution in github.com/go-gitea/gitea

CVE-2020-24356, GHSA-hgwp-4vp4-qmm2
Affects: github.com/cloudflare/cloudflared
Published: Aug 21, 2024
Unreviewed

Local Privilege Escalation in cloudflared in github.com/cloudflare/cloudflared

CVE-2018-18926, GHSA-hf6f-jq25-8gq9
Affects: code.gitea.io/gitea
Published: Aug 21, 2024
Unreviewed

Gitea Remote Code Execution (RCE) in code.gitea.io/gitea

CVE-2020-7218, GHSA-h43v-26r7-7j4c
Affects: github.com/hashicorp/nomad
Published: Aug 21, 2024
Unreviewed

Allocation of Resources Without Limits or Throttling in HashiCorp Nomad in github.com/hashicorp/nomad

CVE-2019-19316, GHSA-4rvg-555h-r626, and 1 more
Affects: github.com/hashicorp/terraform
Published: Aug 21, 2024
Unreviewed

Use of a Broken or Risky Cryptographic Algorithm in Terraform in github.com/hashicorp/terraform

CVE-2020-26294, GHSA-gv2h-gf8m-r68j
Affects: github.com/go-vela/compiler
Published: Aug 21, 2024
Unreviewed

Exposure of server configuration in github.com/go-vela/server in github.com/go-vela/compiler

CVE-2016-9962, GHSA-gp4j-w3vj-7299
Affects: github.com/opencontainers/runc
Published: Aug 21, 2024
Unreviewed

Information Exposure in RunC in github.com/opencontainers/runc

CVE-2020-10750, GHSA-gh32-pc56-4c96
Affects: github.com/jaegertracing/jaeger
Published: Aug 21, 2024
Unreviewed

Information Exposure in jaeger in github.com/jaegertracing/jaeger

CVE-2016-8579, GHSA-gfh2-7jg5-653p
Affects: github.com/appc/docker2aci
Published: Aug 21, 2024
Unreviewed

Denial of Service in docker2aci in github.com/appc/docker2aci

CVE-2021-28378, GHSA-g95p-88p4-76cm
Affects: code.gitea.io/gitea
Published: Aug 21, 2024
Unreviewed

Cross-site Scripting in Gitea in code.gitea.io/gitea

CVE-2014-8682, GHSA-g6xv-8q23-w2q3
Affects: gogs.io/gogs
Published: Aug 21, 2024
Unreviewed

SQL Injection in Gogs in gogs.io/gogs

CVE-2020-13246, GHSA-g2qx-6ghw-67hm
Affects: code.gitea.io/gitea
Published: Aug 21, 2024
Unreviewed

Denial of Service in Gitea in code.gitea.io/gitea

GHSA-gwj5-wp6r-5q9f
Affects: github.com/crypto-org-chain/cronos
Published: Aug 21, 2024
Unreviewed

Cronos vulnerable to DoS through unintended Contract Selfdestruct in github.com/crypto-org-chain/cronos

CVE-2020-10696, GHSA-fx8w-mjvm-hvpc
Affects: github.com/containers/buildah
Published: Aug 21, 2024
Unreviewed

Path Traversal in Buildah in github.com/containers/buildah

CVE-2021-29652, GHSA-fv82-r8qv-ch4v
Affects: github.com/pomerium/pomerium
Published: Aug 21, 2024
Unreviewed

pomerium_signature is not verified in middleware in github.com/pomerium/pomerium

CVE-2020-16250, GHSA-fp52-qw33-mfmw
Affects: github.com/hashicorp/vault
Published: Aug 21, 2024
Unreviewed

Authentication Bypass by Spoofing and Insufficient Verification of Data Authenticity in Hashicorp Vault in github.com/hashicorp/vault

CVE-2020-24359, GHSA-f9fq-vjvh-779p
Affects: github.com/hashicorp/vault-ssh-helper
Published: Aug 21, 2024
Unreviewed

Improper Input Validation in vault-ssh-helper in github.com/hashicorp/vault-ssh-helper

CVE-2018-1000803, GHSA-f5fj-7265-jxhj
Affects: github.com/go-gitea/gitea
Published: Aug 21, 2024
Unreviewed

Gitea Exposes Private Email Addresses in github.com/go-gitea/gitea

CVE-2018-15178, GHSA-cpgw-2wxr-pww3
Affects: gogs.io/gogs
Published: Aug 21, 2024
Unreviewed

Open Redirect in gogs.io/gogs

CVE-2020-7956, GHSA-cj2h-ww36-v932
Affects: github.com/hashicorp/nomad
Published: Aug 21, 2024
Unreviewed

Improper Certificate Validation in HashiCorp Nomad in github.com/hashicorp/nomad

CVE-2019-16097, GHSA-9wvh-ff5f-xjpj
Affects: github.com/goharbor/harbor
Published: Aug 21, 2024
Unreviewed

Missing Authorization in Harbor in github.com/goharbor/harbor

CVE-2020-7220, GHSA-9vh5-r4qw-v3vv
Affects: github.com/hashicorp/vault
Published: Aug 21, 2024
Unreviewed

Improper Resource Shutdown or Release in HashiCorp Vault in github.com/hashicorp/vault

CVE-2021-29136, GHSA-9m95-8hx6-7p9v
Affects: github.com/opencontainers/umoci
Published: Aug 21, 2024
Unreviewed

Improper input validation in umoci in github.com/opencontainers/umoci

CVE-2018-19184, GHSA-9h4h-8w5p-f28w
Affects: github.com/ethereum/go-ethereum
Published: Aug 21, 2024
Unreviewed

Go Ethereum Denial of Service in github.com/ethereum/go-ethereum

CVE-2021-25834, GHSA-93p5-8fqw-wjx3
Affects: github.com/cosmos/ethermint
Published: Aug 21, 2024
Unreviewed

Authentication bypass by capture-replay in github.com/cosmos/ethermint

CVE-2021-21432, GHSA-8j3f-mhq8-gmh4
Affects: github.com/go-vela/server
Published: Aug 21, 2024
Unreviewed

Reject unauthorized access with GitHub PATs in github.com/go-vela/server

CVE-2020-9321, GHSA-7h6j-2268-fhcm
Affects: github.com/containous/traefik, github.com/containous/traefik/v2, and 1 more
Published: Aug 21, 2024
Unreviewed

Improper Certificate Handling in github.com/containous/traefik

CVE-2019-12999, GHSA-78hj-86cr-6j2v
Affects: github.com/lightningnetwork/lnd
Published: Aug 21, 2024
Unreviewed

Improper Access Control in Lightning Network Daemon in github.com/lightningnetwork/lnd

CVE-2020-27195, GHSA-77cr-6gr8-7rr9
Affects: github.com/hashicorp/nomad
Published: Aug 21, 2024
Unreviewed

Use After Free in HashiCorp Nomad in github.com/hashicorp/nomad

CVE-2020-7669, GHSA-75qf-wgfj-v652
Affects: github.com/u-root/u-root
Published: Aug 21, 2024
Unreviewed

github.com/u-root/u-root/pkg/tarutil Arbitrary File Write via Archive Extraction (Zip Slip) in github.com/u-root/u-root

CVE-2020-12757, GHSA-75pc-qvwc-jf3g
Affects: github.com/hashicorp/vault-plugin-secrets-gcp
Published: Aug 21, 2024
Unreviewed

Improper Input Validation in HashiCorp Vault in github.com/hashicorp/vault-plugin-secrets-gcp

CVE-2020-15157, GHSA-742w-89gc-8m9c
Affects: github.com/containerd/containerd
Published: Aug 21, 2024
Unreviewed

containerd v1.2.x can be coerced into leaking credentials during image pull in github.com/containerd/containerd

CVE-2019-11251, GHSA-6qfg-8799-r575
Affects: k8s.io/kubernetes
Published: Aug 21, 2024
Unreviewed

Kubernetes kubectl cp Vulnerable to Symlink Attack in k8s.io/kubernetes

CVE-2018-1002207, GHSA-5wmg-j84w-4jj4
Affects: github.com/mholt/archiver
Published: Aug 21, 2024
Unreviewed

Arbitrary File Write via Archive Extraction in mholt/archiver in github.com/mholt/archiver

CVE-2021-22538, GHSA-5v95-v8c8-3rh6
Affects: github.com/google/exposure-notifications-verification-server
Published: Aug 21, 2024
Unreviewed

Privilege escalation in rbac in github.com/google/exposure-notifications-verification-server

CVE-2019-14544, GHSA-5r2v-6gm6-vpvh
Affects: gogs.io/gogs
Published: Aug 21, 2024
Unreviewed

Insecure Permissions in Gogs in gogs.io/gogs

CVE-2020-11091, GHSA-59qg-grp7-5r73
Affects: github.com/weaveworks/weave
Published: Aug 21, 2024
Unreviewed

Weave Net clusters susceptible to MitM attacks via IPv6 rogue router advertisements in github.com/weaveworks/weave

CVE-2020-7665, GHSA-58pf-pcwv-qg85
Affects: github.com/u-root/u-root
Published: Aug 21, 2024
Unreviewed

Path traversal in u-root in github.com/u-root/u-root

CVE-2018-1002105, GHSA-579h-mv94-g4gp
Affects: github.com/kubernetes/kubernetes
Published: Aug 21, 2024
Unreviewed

Privilege Escalation in Kubernetes in github.com/kubernetes/kubernetes

CVE-2021-21291, GHSA-4mf2-f3wh-gvf2
Affects: github.com/oauth2-proxy/oauth2-proxy, github.com/oauth2-proxy/oauth2-proxy/v7
Published: Aug 21, 2024
Unreviewed

Subdomain checking of whitelisted domains could allow unintended redirects in oauth2-proxy in github.com/oauth2-proxy/oauth2-proxy

CVE-2020-14958, GHSA-4c7m-vv47-7c69
Affects: gogs.io/gogs
Published: Aug 21, 2024
Unreviewed

Insecure Permissions in Gogs in gogs.io/gogs

CVE-2020-26277, GHSA-47wr-426j-fr82
Affects: github.com/datacharmer/dbdeployer
Published: Aug 21, 2024
Unreviewed

Symbolic links in an unpacking routine may enable attackers to read and/or write to arbitrary locations in dbdeployer in github.com/datacharmer/dbdeployer

CVE-2020-5300, GHSA-3p3g-vpw6-4w66
Affects: github.com/ory/hydra
Published: Aug 21, 2024
Unreviewed

Authentication Bypass in hydra in github.com/ory/hydra

CVE-2020-29662, GHSA-38r5-34mr-mvm7
Affects: github.com/goharbor/harbor
Published: Aug 21, 2024
Unreviewed

"catalog's registry v2 api exposed on unauthenticated path in Harbor" in github.com/goharbor/harbor

CVE-2020-15257, GHSA-36xw-fx78-c5r4
Affects: github.com/containerd/containerd
Published: Aug 21, 2024
Unreviewed

containerd-shim API Exposed to Host Network Containers in github.com/containerd/containerd

CVE-2021-29651, GHSA-35vc-w93w-75c2
Affects: github.com/pomerium/pomerium
Published: Aug 21, 2024
Unreviewed

JWT leak via Open Redirect in Programmatic access in github.com/pomerium/pomerium

CVE-2019-1002101, GHSA-34jx-wx69-9x8v
Affects: k8s.io/kubernetes
Published: Aug 21, 2024
Unreviewed

Symlink Attack in kubectl cp in k8s.io/kubernetes

CVE-2020-13788, GHSA-33p6-fx42-7rf5
Affects: github.com/goharbor/harbor
Published: Aug 21, 2024
Unreviewed

Harbor is vulnerable to a limited Server-Side Request Forgery (SSRF) (CVE-2020-13788) in github.com/goharbor/harbor

CVE-2019-20933, GHSA-2rmp-fw5r-j5qv
Affects: github.com/influxdata/influxdb
Published: Aug 21, 2024
Unreviewed

Improper Authentication in InfluxDB in github.com/influxdata/influxdb

CVE-2020-26279, GHSA-27pv-q55r-222g
Affects: github.com/ipfs/go-ipfs
Published: Aug 21, 2024
Unreviewed

Path traversal in github.com/ipfs/go-ipfs

CVE-2020-13223, GHSA-25xj-89g5-fm6h
Affects: github.com/hashicorp/vault
Published: Aug 21, 2024
Unreviewed

Information Disclosure in HashiCorp Vault in github.com/hashicorp/vault

CVE-2020-7219, GHSA-23jv-v6qj-3fhh
Affects: github.com/hashicorp/consul
Published: Aug 21, 2024
Unreviewed

Denial of Service (DoS) in HashiCorp Consul in github.com/hashicorp/consul

CVE-2020-26240, GHSA-v592-xf75-856p
Affects: github.com/ethereum/go-ethereum
Published: Aug 21, 2024
Unreviewed

Erroneous Proof of Work calculation in geth in github.com/ethereum/go-ethereum

CVE-2019-20894, GHSA-q9mp-79cp-9g8j
Affects: github.com/containous/traefik, github.com/containous/traefik/v2
Published: Aug 21, 2024
Unreviewed

Improper Authentication in github.com/containous/traefik

CVE-2020-26241, GHSA-69v6-xc2j-r2jf
Affects: github.com/ethereum/go-ethereum
Published: Aug 21, 2024
Unreviewed

Shallow copy bug in geth in github.com/ethereum/go-ethereum

CVE-2020-28348, GHSA-5x92-p4p5-33c4
Affects: github.com/hashicorp/nomad
Published: Aug 21, 2024
Unreviewed

Path Traversal in HashiCorp Nomad in github.com/hashicorp/nomad

CVE-2020-12118, GHSA-399h-cmvp-qgx5
Affects: github.com/binance-chain/tss-lib
Published: Aug 21, 2024
Unreviewed

Incorrect Default Permissions in Binance tss-lib in github.com/binance-chain/tss-lib

CVE-2021-29272, GHSA-3x58-xr87-2fcj
Affects: github.com/microcosm-cc/bluemonday
Published: May 18, 2021
Modified: May 20, 2024

An XSS injection was possible because the sanitization of the Cyrillic character i bypass a protection mechanism against user-inputted HTML elements such as the <script> tag.

CVE-2016-5386
Affects: net/http, net/http/cgi
Published: Aug 09, 2022
Modified: May 20, 2024

An input validation flaw in the CGI components allows the HTTP_PROXY environment variable to be set by the incoming Proxy header, which changes where Go by default proxies all outbound HTTP requests. This environment variable is also used to set the outgoing proxy, enabling an attacker to insert a proxy into outgoing requests of a CGI program. Read more about "httpoxy" here: https://httpoxy.org.

CVE-2022-35936, GHSA-f92v-grc2-w2fg
Affects: github.com/crypto-org-chain/cronos, github.com/evmos/ethermint, and 8 more
Published: Aug 21, 2024
Unreviewed

Ethermint vulnerable to DoS through unintended Contract Selfdestruct in github.com/crypto-org-chain/cronos

CVE-2022-35930, GHSA-739f-hw6h-7wq8
Affects: github.com/sigstore/policy-controller
Published: Aug 21, 2024
Unreviewed

PolicyController before 0.2.1 may bypass attestation verification in github.com/sigstore/policy-controller

CVE-2022-35929, GHSA-vjxv-45g9-9296
Affects: github.com/sigstore/cosign
Published: Nov 09, 2023
Modified: May 20, 2024

Improper verification of signature attestations in github.com/sigstore/cosign

CVE-2019-13209, GHSA-xhg2-rvm8-w2jh
Affects: github.com/rancher/rancher
Published: May 18, 2021
Modified: May 20, 2024

Rancher 2 is vulnerable to a Cross-Site Websocket Hijacking attack that allows an exploiter to gain access to clusters managed by Rancher.

CVE-2014-3499, GHSA-wxj3-qwv4-cvfm
Affects: github.com/docker/docker
Published: Aug 21, 2024
Unreviewed

Privilege Escalation in Docker in github.com/docker/docker

CVE-2014-9356, GHSA-vj3f-3286-r4pf
Affects: github.com/docker/docker
Published: Aug 21, 2024
Unreviewed

Path Traversal in Docker in github.com/docker/docker

CVE-2022-1884, GHSA-958j-443g-7mm7
Affects: gogs.io/gogs
Published: Aug 21, 2024
Unreviewed

OS Command Injection in gogs in gogs.io/gogs

CVE-2022-30324, GHSA-526x-rm7j-v389
Affects: github.com/hashicorp/nomad
Published: Aug 21, 2024
Unreviewed

Privilege escalation in Hashicorp Nomad in github.com/hashicorp/nomad

CVE-2021-32575, GHSA-vf6q-9f2f-mwhv
Affects: github.com/hashicorp/nomad
Published: Aug 21, 2024
Unreviewed

Improper network isolation in Hashicorp Nomad in github.com/hashicorp/nomad

CVE-2015-3631, GHSA-v4h8-794j-g8mm
Affects: github.com/docker/docker
Published: Aug 21, 2024
Unreviewed

Arbitrary File Override in Docker Engine in github.com/docker/docker

CVE-2018-15727, GHSA-rgjg-66cx-5x9m
Affects: github.com/grafana/grafana
Published: Aug 21, 2024
Unreviewed

Grafana Authentication Bypass in github.com/grafana/grafana

CVE-2021-22133, GHSA-qqc5-rgcc-cjqh
Affects: go.elastic.co/apm
Published: May 18, 2021
Modified: May 20, 2024

Sensitive HTTP headers may not be properly sanitized before being sent to the APM server if the program panics.

CVE-2014-9358, GHSA-qmmc-jppf-32wv
Affects: github.com/docker/docker
Published: Aug 21, 2024
Unreviewed

Directory Traversal in Docker in github.com/docker/docker

CVE-2019-19030, GHSA-q9x4-q76f-5h5j
Affects: github.com/goharbor/harbor
Published: Aug 21, 2024
Unreviewed

Unauthenticated users can exploit an enumeration vulnerability in Harbor (CVE-2019-19030) in github.com/goharbor/harbor

CVE-2019-11253, GHSA-pmqp-h87c-mr78
Affects: k8s.io/kubernetes
Published: Aug 21, 2024
Unreviewed

XML Entity Expansion and Improper Input Validation in Kubernetes API server in k8s.io/kubernetes

CVE-2015-5305, GHSA-jp32-vmm6-3vf5
Affects: k8s.io/kubernetes
Published: Feb 15, 2022
Modified: Jul 19, 2024

Crafted object type names can cause directory traversal in Kubernetes. Object names are not validated before being passed to etcd. This allows attackers to write arbitrary files via a crafted object name, hence causing directory traversal vulnerability in Kubernetes, as used in Red Hat OpenShift Enterprise 3.0.

CVE-2021-20278, GHSA-ggjr-2f7v-vhq4
Affects: github.com/kiali/kiali
Published: Aug 21, 2024
Unreviewed

Kiali Authentication Bypass vulnerability in github.com/kiali/kiali

CVE-2015-3627, GHSA-g7v2-2qxx-wjrw
Affects: github.com/docker/docker
Published: Aug 21, 2024
Unreviewed

Symlink Attack in Libcontainer and Docker Engine in github.com/docker/docker

CVE-2015-3629, GHSA-g44j-7vp3-68cv
Affects: github.com/docker/docker
Published: Aug 21, 2024
Unreviewed

Arbitrary File Write in Libcontainer in github.com/docker/docker

CVE-2020-8911, CVE-2020-8912, and 2 more
Affects: github.com/aws/aws-sdk-go
Published: Feb 11, 2022
Modified: May 20, 2024

The Go AWS S3 Crypto SDK contains vulnerabilities that can permit an attacker with write access to a bucket to decrypt files in that bucket. Files encrypted by the V1 EncryptionClient using either the AES-CBC content cipher or the KMS key wrap algorithm are vulnerable. Users should migrate to the V1 EncryptionClientV2 API, which will not create vulnerable files. Old files will remain vulnerable until re-encrypted with the new client.

CVE-2021-3495, GHSA-mv55-23xp-3wp8
Affects: github.com/kiali/kiali
Published: Aug 21, 2024
Unreviewed

Access control flaw in Kiali in github.com/kiali/kiali

CVE-2018-20321, GHSA-9qq2-xhmc-h9qr
Affects: github.com/rancher/rancher
Published: Aug 21, 2024
Unreviewed

Access Control Bypass in github.com/rancher/rancher

CVE-2017-11480, GHSA-9q3g-m353-cp4p
Affects: github.com/elastic/beats
Published: Feb 15, 2022
Modified: May 20, 2024

A local attacker can cause a panic if they are able to send arbitrary traffic to a monitored port, due to an out of bounds read.

CVE-2014-8683, GHSA-9hx4-qm7h-x84j
Affects: gogs.io/gogs
Published: Aug 21, 2024
Unreviewed

Cross-site Scripting in Gogs in gogs.io/gogs

CVE-2021-20188, GHSA-9h63-7qf6-mv6r
Affects: github.com/containers/libpod
Published: Aug 21, 2024
Unreviewed

Improper Authorization in github.com/containers/libpod

CVE-2014-9357, GHSA-997c-fj8j-rq5h
Affects: github.com/docker/docker
Published: Aug 21, 2024
Unreviewed

Arbitrary Code Execution in github.com/docker/docker

CVE-2015-3630, GHSA-8fvr-5rqf-3wwh
Affects: github.com/docker/docker
Published: Aug 21, 2024
Unreviewed

Information Exposure in Docker Engine in github.com/docker/docker

CVE-2014-5277, GHSA-8w94-cf6g-c8mg
Affects: github.com/docker/docker
Published: Aug 21, 2024
Unreviewed

Man-in-the-Middle (MitM) in github.com/docker/docker

CVE-2019-14802, GHSA-6hv3-7c34-4hx8
Affects: github.com/hashicorp/nomad
Published: Aug 21, 2024
Unreviewed

Hashicorp Nomad Information Exposure Through Environmental Variables in github.com/hashicorp/nomad

CVE-2021-38554, GHSA-6239-28c2-9mrm
Affects: github.com/hashicorp/vault
Published: Aug 21, 2024
Unreviewed

Improper Removal of Sensitive Information Before Storage or Transfer in HashiCorp Vault in github.com/hashicorp/vault

CVE-2020-1764, GHSA-64rh-r86q-75ff
Affects: github.com/kiali/kiali
Published: Aug 21, 2024
Unreviewed

Hard coded cryptographic key in Kiali in github.com/kiali/kiali

CVE-2014-6407, GHSA-5qgp-p5jc-w2rm
Affects: github.com/docker/docker
Published: Aug 21, 2024
Unreviewed

Arbitrary Code Execution in Docker in github.com/docker/docker

CVE-2020-8568, GHSA-5cgx-vhfp-6cf9
Affects: sigs.k8s.io/secrets-store-csi-driver
Published: Feb 15, 2022
Modified: May 20, 2024

Modifying pod status allows host directory traversal. Kubernetes Secrets Store CSI Driver allows an attacker who can modify a SecretProviderClassPodStatus/Status resource the ability to write content to the host filesystem and sync file contents to Kubernetes Secrets. This includes paths under var/lib/kubelet/pods that contain other Kubernetes Secrets.

CVE-2020-1762, GHSA-465w-gg5p-85c9
Affects: github.com/kiali/kiali
Published: Aug 21, 2024
Unreviewed

Insufficient Session Expiration in Kiali in github.com/kiali/kiali

CVE-2014-6408, GHSA-44gg-pmqr-4669
Affects: github.com/docker/docker
Published: Aug 21, 2024
Unreviewed

Access Restriction Bypass in Docker in github.com/docker/docker

CVE-2021-32923, GHSA-38j9-7pp9-2hjw
Affects: github.com/hashicorp/vault
Published: Aug 21, 2024
Unreviewed

Invalid session token expiration in github.com/hashicorp/vault

CVE-2021-3283, GHSA-35qp-xq9f-2rjx
Affects: github.com/hashicorp/nomad
Published: Aug 21, 2024
Unreviewed

Improper Privilege Management in HashiCorp Nomad in github.com/hashicorp/nomad

CVE-2019-10223, CVE-2019-17110, and 2 more
Affects: k8s.io/kube-state-metrics
Published: May 18, 2021
Modified: May 20, 2024

Exposing annotations as metrics can leak secrets. An experimental feature of kube-state-metrics enables annotations to be exposed as metrics. By default, metrics only expose metadata about secrets. However, a combination of the default kubectl behavior and this new feature can cause the entire secret content to end up in metric labels.

CVE-2021-38553, GHSA-23fq-q7hc-993r
Affects: github.com/hashicorp/vault
Published: Aug 21, 2024
Unreviewed

HashiCorp Vault underlying database had excessively broad filesystem permissions from v1.4.0 until v1.8.0 in github.com/hashicorp/vault

CVE-2022-1996, GHSA-r48q-9g5r-8q2h
Affects: github.com/emicklei/go-restful, github.com/emicklei/go-restful/v2, and 1 more
Published: Aug 15, 2022
Modified: May 20, 2024

CORS filters that use an AllowedDomains configuration parameter can match domains outside the specified set, permitting an attacker to avoid the CORS policy. The AllowedDomains configuration parameter is documented as a list of allowed origin domains, but values in this list are applied as regular expression matches. For example, an allowed domain of "example.com" will match the Origin header "example.com.malicious.domain".

CVE-2021-41802, GHSA-qv95-g3gm-x542
Affects: github.com/hashicorp/vault
Published: Aug 21, 2024
Unreviewed

Hashicorp Vault Privilege Escalation Vulnerability in github.com/hashicorp/vault

CVE-2020-8562, GHSA-qh36-44jv-c8xj
Affects: k8s.io/kubernetes
Published: Aug 21, 2024
Modified: Aug 21, 2024
Withdrawn: Aug 21, 2024
Unreviewed

(withdrawn)

CVE-2022-1332, GHSA-qggc-pj29-j27m
Affects: github.com/mattermost/mattermost-server, github.com/mattermost/mattermost-server/v5, and 1 more
Published: Aug 21, 2024
Unreviewed

Improper Privilege Management in Mattermost in github.com/mattermost/mattermost-server

CVE-2022-29153, GHSA-q6h7-4qgw-2j9p
Affects: github.com/hashicorp/consul
Published: Aug 21, 2024
Unreviewed

Hashicorp Consul HTTP health check endpoints returning an HTTP redirect may be abused as SSRF vector in github.com/hashicorp/consul

CVE-2022-1928, GHSA-ph3w-2843-72mx
Affects: code.gitea.io/gitea
Published: Aug 21, 2024
Unreviewed

Stored Cross-site Scripting in gitea in code.gitea.io/gitea

CVE-2021-43998, GHSA-pfmw-vj74-ph8g
Affects: github.com/hashicorp/vault
Published: Aug 21, 2024
Unreviewed

HashiCorp Vault Incorrect Permission Assignment for Critical Resource in github.com/hashicorp/vault

CVE-2022-0905, GHSA-jr9c-h74f-2v28
Affects: code.gitea.io/gitea
Published: Aug 21, 2024
Unreviewed

Gitea Missing Authorization vulnerability in code.gitea.io/gitea

CVE-2022-0532, GHSA-jqmc-79gx-7g8p
Affects: github.com/cri-o/cri-o
Published: Aug 21, 2024
Unreviewed

Incorrect Permission Assignment for Critical Resource in CRI-O in github.com/cri-o/cri-o

CVE-2022-24193, GHSA-jh63-28gx-7p26
Affects: github.com/IceWhaleTech/CasaOS
Published: Aug 21, 2024
Unreviewed

Command Injection in CasaOS in github.com/IceWhaleTech/CasaOS

CVE-2021-37860, GHSA-hv5f-73mr-7vvj
Affects: github.com/mattermost/mattermost-server, github.com/mattermost/mattermost-server/v5
Published: Aug 21, 2024
Unreviewed

Cross-site Scripting in Mattermost in github.com/mattermost/mattermost-server

CVE-2022-28948, GHSA-hp87-p4gw-j4gq
Affects: gopkg.in/yaml.v3
Published: Aug 22, 2022
Modified: May 20, 2024

An issue in the Unmarshal function can cause a program to panic when attempting to deserialize invalid input.

CVE-2021-42009, GHSA-gw97-f6h8-gm94
Affects: github.com/apache/trafficcontrol
Published: Aug 21, 2024
Unreviewed

Email relay in Apache Traffic Control in github.com/apache/trafficcontrol

CVE-2022-24686, GHSA-gwmc-6795-qghj
Affects: github.com/hashicorp/nomad
Published: Aug 21, 2024
Unreviewed

HashiCorp Nomad Artifact Download Race Condition in github.com/hashicorp/nomad

CVE-2022-1385, GHSA-fxwj-v664-wv5g
Affects: github.com/mattermost/mattermost-server, github.com/mattermost/mattermost-server/v5, and 1 more
Published: Aug 21, 2024
Unreviewed

Improper Control of a Resource Through its Lifetime in Mattermost in github.com/mattermost/mattermost-server

CVE-2022-1464, GHSA-ff28-f46g-r9g8
Affects: gogs.io/gogs
Published: Aug 21, 2024
Unreviewed

Cross-site Scripting in Gogs in gogs.io/gogs

CVE-2022-1337, GHSA-f37q-q7p2-ccfc
Affects: github.com/mattermost/mattermost-server, github.com/mattermost/mattermost-server/v5, and 1 more
Published: Aug 21, 2024
Unreviewed

Resource exhaustion in Mattermost in github.com/mattermost/mattermost-server

CVE-2021-37219, GHSA-ccw8-7688-vqx4
Affects: github.com/hashicorp/consul
Published: Aug 21, 2024
Unreviewed

HashiCorp Consul Privilege Escalation Vulnerability in github.com/hashicorp/consul

CVE-2021-37218, GHSA-c8x3-rg72-fwwg
Affects: github.com/hashicorp/nomad
Published: Aug 21, 2024
Unreviewed

Privilege escalation in Hashicorp Nomad in github.com/hashicorp/nomad

CVE-2022-30689, GHSA-c5wc-v287-82pc
Affects: github.com/hashicorp/vault
Published: Aug 21, 2024
Unreviewed

HashiCorp Vault improper configuration of multi factor authentication in github.com/hashicorp/vault

CVE-2021-42576, GHSA-x95h-979x-cf3j
Affects: github.com/microcosm-cc/bluemonday
Published: Aug 15, 2022
Modified: May 20, 2024

The bluemonday HTML sanitizer can leak the contents of a "style" element into HTML output, potentially causing XSS vulnerabilities. The default bluemonday sanitization policies are not vulnerable. Only user-defined policies allowing "select", "style", and "option" elements are affected. Permitting the "style" element in policies is hazardous, because bluemonday does not contain a CSS sanitizer. Newer versions of bluemonday suppress "style" and "script" elements even when allowed by a policy unless the policy explicitly requests unsafe processing.

CVE-2022-28946, GHSA-x7f3-62pm-9p38
Affects: github.com/open-policy-agent/opa
Published: May 20, 2022
Modified: May 20, 2024

An issue in ast.Parser in Open Policy Agent causes the application to incorrectly interpret expressions, allowing a Denial of Service (DoS) via triggering out-of-range memory access.

CVE-2022-26945, CVE-2022-30321, and 6 more
Affects: github.com/hashicorp/go-getter, github.com/hashicorp/go-getter/v2, and 2 more
Published: May 26, 2022
Modified: May 20, 2024

Malicious HTTP responses can cause a number of misbehaviors, including overwriting local files, resource exhaustion, and panics. * Protocol switching, endless redirect, and configuration bypass are possible through abuse of custom HTTP response header processing. * Arbitrary host access is possible through go-getter path traversal, symlink processing, and command injection flaws. * Asymmetric resource exhaustion can occur when go-getter processes malicious HTTP responses. * A panic can be triggered when go-getter processed password-protected ZIP files.

CVE-2022-23206, GHSA-wp47-9r3h-xfgq
Affects: github.com/apache/trafficcontrol
Published: Aug 21, 2024
Unreviewed

Server-Side Request Forgery in Apache Traffic Control in github.com/apache/trafficcontrol

CVE-2022-24683, GHSA-wmrx-57hm-mw7r
Affects: github.com/hashicorp/nomad
Published: Aug 21, 2024
Unreviewed

Arbitrary file reads in HashiCorp Nomad in github.com/hashicorp/nomad

CVE-2022-1285, GHSA-w689-557m-2cvq
Affects: gogs.io/gogs
Published: Aug 21, 2024
Unreviewed

Server-Side Request Forgery in gogs webhook in gogs.io/gogs

CVE-2021-3978, GHSA-3pqh-p72c-fj85
Affects: github.com/cloudflare/cfrpki
Published: Aug 21, 2024
Unreviewed

Improper Preservation of Permissions in github.com/cloudflare/cfrpki/cmd/octorpki in github.com/cloudflare/cfrpki

CVE-2021-45328, GHSA-36h2-95gj-w488
Affects: github.com/go-gitea/gitea
Published: Aug 21, 2024
Unreviewed

Open redirect in Gitea in github.com/go-gitea/gitea

CVE-2021-42135, GHSA-362v-wg5p-64w2
Affects: github.com/hashicorp/vault
Published: Aug 21, 2024
Modified: Sep 05, 2024
Unreviewed

Incorrect Privilege Assignment in HashiCorp Vault in github.com/hashicorp/vault

CVE-2022-24685, GHSA-3382-r9q8-4hfg
Affects: github.com/hashicorp/nomad
Published: Aug 21, 2024
Unreviewed

HashiCorp Nomad vulnerable to Allocation of Resources Without Limits or Throttling in github.com/hashicorp/nomad

CVE-2022-1384, GHSA-32rp-q37p-jg6w
Affects: github.com/mattermost/mattermost-server, github.com/mattermost/mattermost-server/v5, and 1 more
Published: Aug 21, 2024
Unreviewed

Insecure plugin handling in Mattermost in github.com/mattermost/mattermost-server

CVE-2022-33082, GHSA-2m4x-4q9j-w97g
Affects: github.com/open-policy-agent/opa
Published: Jul 01, 2022
Modified: May 20, 2024

An issue in the AST parser of Open Policy Agent makes it possible for attackers to cause a Denial of Service attack from a crafted input.

CVE-2021-43415, GHSA-2jhh-5xm2-j4gf
Affects: github.com/hashicorp/nomad
Published: Aug 21, 2024
Unreviewed

Improper Authentication in HashiCorp Nomad in github.com/hashicorp/nomad

CVE-2021-30080, GHSA-28r6-jm5h-mrgg
Affects: github.com/astaxie/beego, github.com/beego/beego, and 1 more
Published: Aug 22, 2022
Modified: May 20, 2024

An issue was discovered in the route lookup process in beego which attackers to bypass access control.

CVE-2022-1992, GHSA-994f-7g86-qr56
Affects: gogs.io/gogs
Published: Aug 21, 2024
Unreviewed

Path Traversal in file editor on Windows in Gogs in gogs.io/gogs

CVE-2022-31836, GHSA-95f9-94vc-665h
Affects: github.com/astaxie/beego, github.com/beego/beego, and 1 more
Published: Aug 23, 2022
Modified: May 20, 2024

The leafInfo.match() function uses path.join() to deal with wildcard values which can lead to cross directory risk.

CVE-2022-0870, GHSA-7v5r-r995-q2x2
Affects: gogs.io/gogs
Published: Aug 21, 2024
Unreviewed

SSRF in repository migration in gogs.io/gogs

CVE-2022-31053, GHSA-75rw-34q6-72cr
Affects: github.com/biscuit-auth/biscuit-go
Published: Aug 15, 2022
Modified: May 20, 2024

An attacker can forge Biscuit v1 tokens with any access level. There is no known workaround for Biscuit v1. The Biscuit v2 specification avoids this vulnerability.

CVE-2021-46398, GHSA-72wf-hwcq-65h9
Affects: github.com/filebrowser/filebrowser/v2
Published: Feb 05, 2022
Modified: May 20, 2024

A Cross-Site Request Forgery vulnerability exists in Filebrowser that allows attackers to create a backdoor user with admin privilege and get access to the filesystem via a malicious HTML webpage that is sent to the victim.

CVE-2022-1993, GHSA-6vcc-v9vw-g2x5
Affects: gogs.io/gogs
Published: Aug 21, 2024
Unreviewed

Path Traversal in Git HTTP endpoints in Gogs in gogs.io/gogs

CVE-2022-0664, GHSA-6rrw-4fm9-rghv
Affects: github.com/gravitl/netmaker
Published: Aug 21, 2024
Unreviewed

Use of Hard-coded Cryptographic Key in Netmaker in github.com/gravitl/netmaker

CVE-2022-24684, GHSA-6jm6-cmcp-fqjq
Affects: github.com/hashicorp/nomad
Published: Aug 21, 2024
Unreviewed

Nomad Spread Job Stanza May Trigger Panic in Servers in github.com/hashicorp/nomad

CVE-2021-38698, GHSA-6hw5-6gcx-phmw
Affects: github.com/hashicorp/consul
Published: Aug 21, 2024
Unreviewed

HashiCorp Consul and Consul Enterprise 1.10.1 Txn.Apply endpoint allowed services to register proxies for other services, enabling access to service traffic. in github.com/hashicorp/consul

CVE-2022-1227, GHSA-66vw-v2x9-hw75
Affects: github.com/containers/psgo
Published: Aug 22, 2022
Modified: May 20, 2024

The psgo package executes the 'nsenter' binary, potentially allowing privilege escalation when used in environments where nsenter is provided by an untrusted source.

CVE-2022-1986, GHSA-67mx-jc2f-jgjm
Affects: gogs.io/gogs
Published: Aug 21, 2024
Unreviewed

OS Command Injection in file editor in Gogs in gogs.io/gogs

CVE-2022-0415, GHSA-5gjh-5j4f-cpwv
Affects: gogs.io/gogs
Published: Aug 21, 2024
Unreviewed

Unrestricted Upload of File with Dangerous Type in Gogs in gogs.io/gogs

CVE-2021-4070, GHSA-4cxw-hq44-r344
Affects: github.com/v2fly/v2ray-core, github.com/v2fly/v2ray-core/v4
Published: Aug 21, 2024
Unreviewed

Off-by-one Error in v2fly/v2ray-core in github.com/v2fly/v2ray-core

CVE-2022-2385, GHSA-pp3f-98qg-5g75
Affects: sigs.k8s.io/aws-iam-authenticator
Published: Aug 21, 2024
Unreviewed

aws-iam-authenticator allow-listed IAM identity may be able to modify their username, escalate privileges before v0.5.9 in sigs.k8s.io/aws-iam-authenticator

CVE-2022-2401, GHSA-7ggc-5r84-xf54
Affects: github.com/mattermost/mattermost-server, github.com/mattermost/mattermost-server/v5, and 1 more
Published: Aug 21, 2024
Unreviewed

Mattermost users could access some sensitive information via API call in github.com/mattermost/mattermost-server

CVE-2022-32189
Affects: math/big
Published: Aug 01, 2022
Modified: May 20, 2024

Decoding big.Float and big.Rat types can panic if the encoded message is too short, potentially allowing a denial of service.

CVE-2019-9512, CVE-2019-9514, and 2 more
Affects: net/http, golang.org/x/net
Published: Aug 01, 2022
Modified: May 20, 2024

Some HTTP/2 implementations are vulnerable to a reset flood, potentially leading to a denial of service. Servers that accept direct connections from untrusted clients could be remotely made to allocate an unlimited amount of memory, until the program crashes. The attacker opens a number of streams and sends an invalid request over each stream that should solicit a stream of RST_STREAM frames from the peer. Depending on how the peer queues the RST_STREAM frames, this can consume excess memory, CPU, or both.

CVE-2020-0601
Affects: crypto/x509
Published: Aug 01, 2022
Modified: May 20, 2024

A Windows vulnerability allows attackers to spoof valid certificate chains when the system root store is in use. A workaround is present in Go 1.12.6+ and Go 1.13.7+, but affected users should additionally install the Windows security update to protect their system. See https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2020-0601 for details on the Windows vulnerability.

CVE-2022-24912, GHSA-jxqv-jcvh-7gr4
Affects: github.com/runatlantis/atlantis
Published: Aug 11, 2022
Modified: May 20, 2024

Validation of Gitlab requests can leak secrets. The package github.com/runatlantis/atlantis/server/controllers/events uses a non-constant time comparison for secrets while validating a Gitlab request. This allows for a timing attack where an attacker can recover a secret and then forge the request.

CVE-2022-29804
Affects: path/filepath
Published: Jul 28, 2022
Modified: May 20, 2024

On Windows, the filepath.Clean function can convert certain invalid paths to valid, absolute paths, potentially allowing a directory traversal attack. For example, Clean(".\c:") returns "c:".

CVE-2022-30580
Affects: os/exec
Published: Jul 26, 2022
Modified: May 20, 2024

On Windows, executing Cmd.Run, Cmd.Start, Cmd.Output, or Cmd.CombinedOutput when Cmd.Path is unset will unintentionally trigger execution of any binaries in the working directory named either "..com" or "..exe".

CVE-2022-30629
Affects: crypto/tls
Published: Jul 28, 2022
Modified: May 20, 2024

An attacker can correlate a resumed TLS session with a previous connection. Session tickets generated by crypto/tls do not contain a randomly generated ticket_age_add, which allows an attacker that can observe TLS handshakes to correlate successive connections by comparing ticket ages during session resumption.

CVE-2022-25891, GHSA-477v-w82m-634j
Affects: github.com/containrrr/shoutrrr
Published: Jul 30, 2022
Modified: May 20, 2024

Sending a message exactly 2000, 4000, or 6000 characters in length to Discord causes a panic.

CVE-2022-30630
Affects: io/fs
Published: Jul 20, 2022
Modified: May 20, 2024

Calling Glob on a path which contains a large number of path separators can cause a panic due to stack exhaustion.

CVE-2022-30635
Affects: encoding/gob
Published: Jul 20, 2022
Modified: May 20, 2024

Calling Decoder.Decode on a message which contains deeply nested structures can cause a panic due to stack exhaustion.

CVE-2022-1705
Affects: net/http
Published: Jul 25, 2022
Modified: May 20, 2024

The HTTP/1 client accepted some invalid Transfer-Encoding headers as indicating a "chunked" encoding. This could potentially allow for request smuggling, but only if combined with an intermediate server that also improperly failed to reject the header as invalid.

CVE-2022-30631
Affects: compress/gzip
Published: Jul 20, 2022
Modified: May 20, 2024

Calling Reader.Read on an archive containing a large number of concatenated 0-length compressed files can cause a panic due to stack exhaustion.

CVE-2022-30633
Affects: encoding/xml
Published: Jul 20, 2022
Modified: May 20, 2024

Unmarshaling an XML document into a Go struct which has a nested field that uses the 'any' field tag can panic due to stack exhaustion.

CVE-2022-30632
Affects: path/filepath
Published: Jul 20, 2022
Modified: May 20, 2024

Calling Glob on a path which contains a large number of path separators can cause a panic due to stack exhaustion.

CVE-2022-28131
Affects: encoding/xml
Published: Jul 20, 2022
Modified: May 20, 2024

Calling Decoder.Skip when parsing a deeply nested XML document can cause a panic due to stack exhaustion.

CVE-2022-32148
Affects: net/http
Published: Jul 28, 2022
Modified: May 20, 2024

Client IP adresses may be unintentionally exposed via X-Forwarded-For headers. When httputil.ReverseProxy.ServeHTTP is called with a Request.Header map containing a nil value for the X-Forwarded-For header, ReverseProxy sets the client IP as the value of the X-Forwarded-For header, contrary to its documentation. In the more usual case where a Director function sets the X-Forwarded-For header value to nil, ReverseProxy leaves the header unmodified as expected.

CVE-2022-31145, GHSA-qwrj-9hmp-gpxh
Affects: github.com/flyteorg/flyteadmin
Published: Jul 30, 2022
Modified: May 20, 2024

Improper validation of access tokens can permit use of expired tokens.

CVE-2022-31105, GHSA-7943-82jg-wmw5
Affects: github.com/argoproj/argo-cd, github.com/argoproj/argo-cd/v2
Published: Aug 21, 2024
Unreviewed

Argo CD certificate verification is skipped for connections to OIDC providers in github.com/argoproj/argo-cd

CVE-2022-31102, GHSA-pmjg-52h9-72qv
Affects: github.com/argoproj/argo-cd, github.com/argoproj/argo-cd/v2
Published: Aug 21, 2024
Unreviewed

Argo CD SSO users vulnerable to Cross-site Scripting in github.com/argoproj/argo-cd

CVE-2022-1025, GHSA-96jv-vj39-x4j6
Affects: github.com/argoproj/argo-cd, github.com/argoproj/argo-cd/v2
Published: Aug 21, 2024
Unreviewed

Argo CD improper access control bug can allow malicious user to escalate privileges to admin level in github.com/argoproj/argo-cd

CVE-2022-1962
Affects: go/parser
Published: Jul 20, 2022
Modified: May 20, 2024

Calling any of the Parse functions on Go source code which contains deeply nested types or declarations can cause a panic due to stack exhaustion.

CVE-2022-31080, GHSA-6wvc-6pww-qr4r
Affects: github.com/kubeedge/kubeedge
Published: Aug 21, 2024
Unreviewed

DoS in KubeEdge's Websocket Client in package Viaduct in github.com/kubeedge/kubeedge

CVE-2022-31079, GHSA-wrcr-x4qj-j543
Affects: github.com/kubeedge/kubeedge
Published: Aug 21, 2024
Unreviewed

KubeEdge Cloud Stream and Edge Stream DoS from large stream message in github.com/kubeedge/kubeedge

CVE-2022-31078, GHSA-qpx3-9565-5xwm
Affects: github.com/kubeedge/kubeedge
Published: Aug 21, 2024
Unreviewed

KubeEdge CloudCore Router memory exhaustion vulnerability in github.com/kubeedge/kubeedge

CVE-2022-31075, GHSA-x3px-2p95-f6jr
Affects: github.com/kubeedge/kubeedge
Published: Aug 21, 2024
Unreviewed

KubeEdge DoS when signing the CSR from EdgeCore in github.com/kubeedge/kubeedge

CVE-2022-31074, GHSA-w52j-3457-q9wr
Affects: github.com/kubeedge/kubeedge
Published: Aug 21, 2024
Unreviewed

KubeEdge Cloud AdmissionController component DoS in github.com/kubeedge/kubeedge

CVE-2022-31073, GHSA-vwm6-qc77-v2rh
Affects: github.com/kubeedge/kubeedge
Published: Aug 21, 2024
Unreviewed

KubeEdge Edge ServiceBus module DoS in github.com/kubeedge/kubeedge

CVE-2015-3207, GHSA-rqph-25q9-9jhp
Affects: github.com/openshift/origin
Published: Aug 21, 2024
Unreviewed

Insecure cookies in Openshift Origin in github.com/openshift/origin

GHSA-9x4h-8wgm-8xfg
Affects: github.com/ipld/go-car, github.com/ipld/go-car/v2
Published: Jul 30, 2022
Modified: May 20, 2024

Decoding malformed CAR data can cause panics or excessive memory usage.

CVE-2022-31098, GHSA-xggc-qprg-x6mw
Affects: github.com/weaveworks/weave-gitops
Published: Aug 21, 2024
Unreviewed

Weave GitOps leaked cluster credentials into logs on connection errors in github.com/weaveworks/weave-gitops

CVE-2022-31077, GHSA-x938-fvfw-7jh5
Affects: github.com/kubeedge/kubeedge
Published: Aug 21, 2024
Unreviewed

CloudCore CSI Driver: Malicious response from KubeEdge can crash CSI Driver controller server in github.com/kubeedge/kubeedge

CVE-2022-31076, GHSA-8f4f-v9x5-cg6j
Affects: github.com/kubeedge/kubeedge
Published: Aug 21, 2024
Unreviewed

CloudCore UDS Server: Malicious Message can crash CloudCore in github.com/kubeedge/kubeedge

CVE-2022-31036, GHSA-q4w5-4gq2-98vm
Affects: github.com/argoproj/argo-cd, github.com/argoproj/argo-cd/v2
Published: Aug 21, 2024
Unreviewed

Symlink following allows leaking out-of-bounds YAML files from Argo CD repo-server in github.com/argoproj/argo-cd

CVE-2022-31035, GHSA-h4w9-6x78-8vrj
Affects: github.com/argoproj/argo-cd, github.com/argoproj/argo-cd/v2
Published: Aug 21, 2024
Unreviewed

Argo CD's external URLs for Deployments can include JavaScript in github.com/argoproj/argo-cd

CVE-2022-31034, GHSA-2m7h-86qq-fp4v
Affects: github.com/argoproj/argo-cd, github.com/argoproj/argo-cd/v2
Published: Aug 21, 2024
Unreviewed

Insecure entropy in Argo CD's PKCE/Oauth2/OIDC params in github.com/argoproj/argo-cd

GHSA-3jhm-87m6-x959
Affects: github.com/cloudflare/cfrpki
Published: Aug 21, 2024
Unreviewed

Path traversal mitigation bypass in OctoRPKI in github.com/cloudflare/cfrpki

CVE-2022-31016, GHSA-jhqp-vf4w-rpwq
Affects: github.com/argoproj/argo-cd, github.com/argoproj/argo-cd/v2
Published: Aug 21, 2024
Unreviewed

DoS through large manifest files in Argo CD in github.com/argoproj/argo-cd

CVE-2022-34296, GHSA-qx2j-85q5-ffp8
Affects: github.com/zalando/skipper
Published: Aug 21, 2024
Unreviewed

Query predicate bypass in Zalando Skipper in github.com/zalando/skipper

CVE-2022-29526, GHSA-p782-xgp4-8hr8
Affects: syscall, golang.org/x/sys
Published: Jul 15, 2022
Modified: May 20, 2024

When called with a non-zero flags parameter, the Faccessat function can incorrectly report that a file is accessible.

CVE-2022-25856, GHSA-qpgx-64h2-gc3c
Affects: github.com/argoproj/argo-events
Published: Jul 15, 2022
Modified: May 20, 2024

GitArtifactReader is vulnerable to directory traversal attacks. The GitArtifactReader.Read function reads and returns the contents of a Git repository file. A maliciously crafted repository can exploit this to cause Read to read from arbitrary files on the filesystem.

CVE-2022-31066, GHSA-g63h-q855-vp3q
Affects: github.com/edgexfoundry/app-functions-sdk-go, github.com/edgexfoundry/app-functions-sdk-go/v2, and 2 more
Published: Aug 21, 2024
Unreviewed

Configuration API in EdgeXFoundry 2.1.0 and earlier exposes message bus credentials to local unauthenticated users in github.com/edgexfoundry/app-functions-sdk-go

CVE-2022-31054, GHSA-5q86-62xr-3r57
Affects: github.com/argoproj/argo-events
Published: Aug 21, 2024
Unreviewed

Uses of deprecated API can be used to cause DoS in user-facing endpoints in github.com/argoproj/argo-events

CVE-2022-31038, GHSA-xq4v-vrp9-vcf2
Affects: gogs.io/gogs
Published: Aug 21, 2024
Unreviewed

Cross-site Scripting vulnerability in repository issue list in Gogs in gogs.io/gogs

CVE-2022-31030, GHSA-5ffw-gxpp-mxpf
Affects: github.com/containerd/containerd
Published: Aug 21, 2024
Unreviewed

containerd CRI plugin: Host memory exhaustion through ExecSync in github.com/containerd/containerd

CVE-2022-1708, GHSA-fcm2-6c3h-pg6j
Affects: github.com/cri-o/cri-o
Published: Aug 21, 2024
Unreviewed

Node DOS by way of memory exhaustion through ExecSync request in CRI-O in github.com/cri-o/cri-o

CVE-2022-30634
Affects: crypto/rand
Published: Jun 09, 2022
Modified: May 20, 2024

On Windows, rand.Read will hang indefinitely if passed a buffer larger than 1 << 32 - 1 bytes.

CVE-2020-28367
Affects: cmd/go
Published: Jul 28, 2022
Modified: May 20, 2024

The go command may execute arbitrary code at build time when cgo is in use. This may occur when running go get on a malicious package, or any other command that builds untrusted code. This can be caused by malicious gcc flags specified via a cgo directive.

CVE-2020-28366
Affects: cmd/go, cmd/cgo
Published: Jul 28, 2022
Modified: May 20, 2024

The go command may execute arbitrary code at build time when cgo is in use. This may occur when running go get on a malicious package, or any other command that builds untrusted code. This can be caused by malicious unquoted symbol name in a linked object file.

GHSA-pj96-4jhv-v792
Affects: gogs.io/gogs
Published: Aug 21, 2024
Unreviewed

Cross site scripting via cookies in gogs in gogs.io/gogs

CVE-2021-32546, GHSA-56j7-2pm8-rgmx
Affects: gogs.io/gogs
Published: Aug 21, 2024
Unreviewed

OS Command Injection in gogs in gogs.io/gogs

CVE-2022-31022, GHSA-9w9f-6mg8-jp7w
Affects: github.com/blevesearch/bleve, github.com/blevesearch/bleve/v2
Published: Jul 15, 2022
Modified: May 20, 2024

HTTP handlers provide unauthenticated access to the local filesystem. The Bleve http package is intended for demonstration purposes and contains no authentication, authorization, or validation of user inputs. Exposing handlers from this package can permit attackers to create files and delete directories.

CVE-2022-31259, GHSA-qx32-f6g6-fcfr
Affects: github.com/astaxie/beego, github.com/beego/beego, and 1 more
Published: Jul 01, 2022
Modified: Jun 03, 2024

Routes in the beego HTTP router can match unintended patterns. This overly-broad matching may permit an attacker to bypass access controls. For example, the pattern "/a/b/:name" can match the URL "/a.xml/b/". This may bypass access control applied to the prefix "/a/".

CVE-2022-29222, GHSA-w45j-f832-hxvh
Affects: github.com/pion/dtls/v2
Published: Jul 01, 2022
Modified: May 20, 2024

Client-provided certificates are not correctly validated, and must not be trusted. DTLS client certificates must be accompanied by proof that the client possesses the private key for the certificate. The Pion DTLS server accepted client certificates unaccompanied by this proof, permitting an attacker to present any certificate and have it accepted as valid.

CVE-2022-29189, GHSA-cx94-mrg9-rq4j
Affects: github.com/pion/dtls/v2
Published: Jul 01, 2022
Modified: May 20, 2024

Attacker can cause unbounded memory consumption. The Pion DTLS client and server buffer handshake data with no upper limit, permitting an attacker to cause unbounded memory consumption by sending an unterminated handshake.

CVE-2022-29190, GHSA-cm8f-h6j3-p25c
Affects: github.com/pion/dtls/v2
Published: Jul 01, 2022
Modified: May 20, 2024

An attacker can send packets that send the DTLS server or client into an infinite loop.

CVE-2022-29188, GHSA-qwrf-gfpj-qvj6
Affects: github.com/stripe/smokescreen
Published: Aug 21, 2024
Unreviewed

Smokescreen SSRF via deny list bypass (square brackets) in github.com/stripe/smokescreen

CVE-2022-29179, GHSA-fmrf-gvjp-5j5g
Affects: github.com/cilium/cilium
Published: Aug 21, 2024
Unreviewed

Improper Privilege Management in Cilium in github.com/cilium/cilium

CVE-2022-29178, GHSA-6p8v-8cq8-v2r3
Affects: github.com/cilium/cilium
Published: Aug 21, 2024
Unreviewed

Access to Unix domain socket can lead to privileges escalation in Cilium in github.com/cilium/cilium

CVE-2022-29177, GHSA-wjxw-gh3m-7pm5
Affects: github.com/ethereum/go-ethereum
Published: Aug 21, 2024
Unreviewed

DoS via malicious p2p message in Go Ethereum in github.com/ethereum/go-ethereum

CVE-2022-29165, GHSA-r642-gv9p-2wjj
Affects: github.com/argoproj/argo-cd, github.com/argoproj/argo-cd/v2
Published: Aug 21, 2024
Unreviewed

Argo CD will blindly trust JWT claims if anonymous access is enabled in github.com/argoproj/argo-cd

CVE-2022-24905, GHSA-xmg8-99r8-jc2j
Affects: github.com/argoproj/argo-cd, github.com/argoproj/argo-cd/v2
Published: Aug 21, 2024
Unreviewed

Login screen allows message spoofing if SSO is enabled in github.com/argoproj/argo-cd

CVE-2022-24904, GHSA-6gcg-hp2x-q54h
Affects: github.com/argoproj/argo-cd, github.com/argoproj/argo-cd/v2
Published: Aug 21, 2024
Unreviewed

Symlink following allows leaking out-of-bound manifests and JSON files from Argo CD repo-server in github.com/argoproj/argo-cd

CVE-2022-29162, GHSA-f3fp-gc8g-vw66
Affects: github.com/opencontainers/runc
Published: Aug 21, 2024
Unreviewed

Default inheritable capabilities for linux container should be empty in github.com/opencontainers/runc

CVE-2022-1706, GHSA-hj57-j5cw-2mwp
Affects: github.com/coreos/ignition, github.com/coreos/ignition/v2
Published: Aug 21, 2024
Unreviewed

Ignition config accessible to unprivileged software on VMware in github.com/coreos/ignition

CVE-2022-30781, GHSA-p5f9-c9j9-g8qx
Affects: code.gitea.io/gitea
Published: Aug 21, 2024
Unreviewed

Shell command injection in gitea in code.gitea.io/gitea

CVE-2022-29180, GHSA-4wpp-w5r4-7v5v
Affects: github.com/charmbracelet/charm
Published: Aug 21, 2024
Unreviewed

Server-Side Request Forgery in charm in github.com/charmbracelet/charm

CVE-2022-24878, GHSA-7pwf-jg34-hxwp
Affects: github.com/fluxcd/flux2, github.com/fluxcd/kustomize-controller
Published: Aug 21, 2024
Unreviewed

Improper path handling in Kustomization files allows for denial of service in github.com/fluxcd/flux2

CVE-2022-24877, GHSA-j77r-2fxf-5jrw
Affects: github.com/fluxcd/flux2, github.com/fluxcd/kustomize-controller
Published: Aug 21, 2024
Unreviewed

Improper path handling in kustomization files allows path traversal in github.com/fluxcd/flux2

CVE-2022-29173, GHSA-66x3-6cw3-v5gj
Affects: github.com/theupdateframework/go-tuf
Published: Jul 01, 2022
Modified: May 20, 2024

The TUF client is vulnerable to rollback attacks, in which an attacker causes a client to install software older than the software the client previously knew to be available.

CVE-2022-27313, GHSA-g7p7-x6w7-w6qg
Affects: code.gitea.io/gitea
Published: Aug 21, 2024
Unreviewed

Arbitrary file deletion in gitea in code.gitea.io/gitea

CVE-2022-29947, GHSA-vmp5-c5hp-6c65
Affects: github.com/woodpecker-ci/woodpecker
Published: Aug 21, 2024
Unreviewed

Woodpecker allows cross-site scripting (XSS) via build logs in github.com/woodpecker-ci/woodpecker

CVE-2022-29810, GHSA-27rq-4943-qcwp
Affects: github.com/hashicorp/go-getter
Published: Jul 01, 2022
Modified: May 20, 2024

The getter package can write SSH credentials to its logfile, exposing credentials to local users able to read the logfile.

CVE-2022-28327
Affects: crypto/elliptic
Published: May 20, 2022
Modified: May 20, 2024

A crafted scalar input longer than 32 bytes can cause P256().ScalarMult or P256().ScalarBaseMult to panic. Indirect uses through crypto/ecdsa and crypto/tls are unaffected. amd64, arm64, ppc64le, and s390x are unaffected.

CVE-2022-27536
Affects: crypto/x509
Published: May 23, 2022
Modified: May 20, 2024

Verifying certificate chains containing certificates which are not compliant with RFC 5280 causes Certificate.Verify to panic on macOS. These chains can be delivered through TLS and can cause a crypto/tls or net/http client to crash.

CVE-2022-24675
Affects: encoding/pem
Published: May 20, 2022
Modified: May 20, 2024

encoding/pem in Go before 1.17.9 and 1.18.x before 1.18.1 has a Decode stack overflow via a large amount of PEM data.

CVE-2022-24825, GHSA-gcj7-j438-hjj2
Affects: github.com/stripe/smokescreen
Published: Aug 21, 2024
Unreviewed

Smokescreen SSRF via deny list bypass in github.com/stripe/smokescreen

CVE-2022-24863, CVE-2024-25712, and 2 more
Affects: github.com/swaggo/http-swagger
Published: Feb 29, 2024
Modified: May 20, 2024

The httpSwagger package's HTTP handler provides WebDAV read/write access to an in-memory filesystem. An attacker can exploit this to cause memory exhaustion by uploading many files, XSS attacks by uploading malicious files, or other unexpected behaviors.

CVE-2022-27652, GHSA-4hj2-r2pm-3hc6
Affects: github.com/cri-o/cri-o
Published: Aug 21, 2024
Unreviewed

Incorrect Default Permissions in CRI-O in github.com/cri-o/cri-o

CVE-2021-4239, GHSA-6cr6-fmvc-vw2p, and 1 more
Affects: github.com/flynn/noise
Published: Feb 15, 2022
Modified: May 20, 2024

The Noise protocol implementation suffers from weakened cryptographic security after encrypting 2^64 messages, and a potential denial of service attack. After 2^64 (~18.4 quintillion) messages are encrypted with the Encrypt function, the nonce counter will wrap around, causing multiple messages to be encrypted with the same key and nonce. In a separate issue, the Decrypt function increments the nonce state even when it fails to decrypt a message. If an attacker can provide an invalid input to the Decrypt function, this will cause the nonce state to desynchronize between the peers, resulting in a failure to encrypt all subsequent messages.

GHSA-57q7-rxqq-7vgp
Affects: github.com/github/git-sizer
Published: Aug 21, 2024
Unreviewed

On Windows, `git-sizer` might run a `git` executable within the repository being analyzed in github.com/github/git-sizer

CVE-2022-2584, GHSA-967g-cjx4-h7j6, and 1 more
Affects: github.com/ipld/go-codec-dagpb
Published: Jul 01, 2022
Modified: May 20, 2024

The dag-pb codec can panic when decoding invalid blocks.

GHSA-fx5p-f64h-93xc
Affects: github.com/ipfs/go-ipfs
Published: Aug 21, 2024
Unreviewed

Opened exploitable ports in default docker-compose.yaml in go-ipfs in github.com/ipfs/go-ipfs

CVE-2022-27651, GHSA-c3g4-w6cv-6v7h
Affects: github.com/containers/buildah
Published: Jul 01, 2022
Modified: May 20, 2024

Containers are created with non-empty inheritable Linux process capabilities, permitting programs with inheritable file capabilities to elevate those capabilities to the permitted set during execve(2). This bug does not affect the container security sandbox, as the inheritable set never contains more capabilities than are included in the container's bounding set.

CVE-2022-27649, GHSA-qvf8-p83w-v58j
Affects: github.com/containers/podman, github.com/containers/podman/v2, and 2 more
Published: Aug 21, 2024
Unreviewed

Podman's default inheritable capabilities for linux container not empty in github.com/containers/podman

CVE-2022-21235, GHSA-6635-c626-vj4r
Affects: github.com/Masterminds/vcs
Published: Jul 01, 2022
Modified: May 20, 2024

Passing untrusted inputs to VCS functions can permit an attacker to execute arbitrary commands. The vcs package executes version control commands with user-provided arguments. These arguments can be interpreted as command-line flags, which can be used to perform command injection.

CVE-2022-24797, GHSA-q98f-2x4p-prjr
Affects: github.com/pomerium/pomerium
Published: Aug 21, 2024
Unreviewed

Exposure of Sensitive Information in Pomerium in github.com/pomerium/pomerium

CVE-2021-4238, GHSA-3839-6r69-m497, and 1 more
Affects: github.com/Masterminds/goutils
Published: Jul 01, 2022
Modified: May 20, 2024

Randomly-generated alphanumeric strings contain significantly less entropy than expected. The RandomAlphaNumeric and CryptoRandomAlphaNumeric functions always return strings containing at least one digit from 0 to 9. This significantly reduces the amount of entropy in short strings generated by these functions.

GHSA-x5c7-x7m2-rhmf
Affects: go.mozilla.org/sops, go.mozilla.org/sops/v3
Published: Aug 21, 2024
Unreviewed

Local directory executable lookup in sops (Windows-only) in go.mozilla.org/sops

GHSA-qmfx-75ff-8mw6
Affects: github.com/ThomasLeister/prosody-filer
Published: Aug 21, 2024
Unreviewed

Listing of upload directory contents possible in github.com/ThomasLeister/prosody-filer

GHSA-qvp4-rpmr-xwrr
Affects: github.com/ory/oathkeeper
Published: Aug 21, 2024
Unreviewed

Possible bypass of token claim validation when OAuth2 Introspection caching is enabled in github.com/ory/oathkeeper

GHSA-prqf-xr2j-xf65
Affects: github.com/argoproj/argo-workflows, github.com/argoproj/argo-workflows/v2, and 1 more
Published: Aug 21, 2024
Unreviewed

Potential privilege escalation on Kubernetes >= v1.19 when the Argo Sever is run with `--auth-mode=client` in github.com/argoproj/argo-workflows

CVE-2020-26521, GHSA-h2fg-54x9-5qhq, and 1 more
Affects: github.com/nats-io/jwt
Published: Jul 01, 2022
Modified: May 20, 2024

A malicious account can create and sign a User JWT which causes a panic when decoded by the NATS JWT library.

CVE-2022-2583, GHSA-4348-x292-h437, and 1 more
Affects: github.com/ntbosscher/gobase
Published: Jul 01, 2022
Modified: May 20, 2024

A race condition can cause incorrect HTTP request routing.

GHSA-gwj5-3vfq-q992
Affects: github.com/nats-io/nats-server, github.com/nats-io/nats-server/v2
Published: Aug 21, 2024
Unreviewed

Import loops in account imports, nats-server DoS in github.com/nats-io/nats-server

GHSA-g54h-m393-cpwq
Affects: github.com/opencontainers/runc
Published: Aug 21, 2024
Unreviewed

devices resource list treated as a blacklist by default in github.com/opencontainers/runc

GHSA-fqfh-778m-2v32
Affects: github.com/cli/cli
Published: Aug 21, 2024
Unreviewed

GitHub CLI can execute a git binary from the current directory in github.com/cli/cli

GHSA-c66w-hq56-4q97
Affects: github.com/cilium/cilium
Published: Aug 21, 2024
Unreviewed

Network policy may be bypassed by some ICMP Echo Requests in github.com/cilium/cilium

GHSA-m6gx-rhvj-fh52
Affects: github.com/ethereum/go-ethereum
Published: Aug 21, 2024
Unreviewed

Denial of service in go-ethereum due to CVE-2020-28362 in github.com/ethereum/go-ethereum

CVE-2022-2582, GHSA-6jvc-q2x7-pchv, and 1 more
Affects: github.com/aws/aws-sdk-go
Published: Jul 01, 2022
Modified: May 20, 2024

The AWS S3 Crypto SDK sends an unencrypted hash of the plaintext alongside the ciphertext as a metadata field. This hash can be used to brute force the plaintext, if the hash is readable to the attacker. AWS now blocks this metadata field, but older SDK versions still send it.

CVE-2022-24769, GHSA-2mm7-x5h6-5pvq
Affects: github.com/docker/docker, github.com/moby/moby
Published: Aug 21, 2024
Unreviewed

Moby (Docker Engine) started with non-empty inheritable Linux process capabilities in github.com/docker/docker

GHSA-6rg3-8h8x-5xfv
Affects: github.com/pterodactyl/wings
Published: Aug 21, 2024
Unreviewed

Unchecked hostname resolution could allow access to local network resources by users outside the local network in github.com/pterodactyl/wings

GHSA-6c73-2v8x-qpvm
Affects: github.com/argoproj/argo-workflows, github.com/argoproj/argo-workflows/v2, and 1 more
Published: Aug 21, 2024
Unreviewed

Argo Server TLS requests could be forged by attacker with network access in github.com/argoproj/argo-workflows

GHSA-6w87-g839-9wv7
Affects: github.com/argoproj/argo-cd
Published: Aug 21, 2024
Unreviewed

Helm OCI credentials leaked into Argo CD logs in github.com/argoproj/argo-cd

CVE-2021-3127, GHSA-62mh-w5cv-p88c, and 2 more
Affects: github.com/nats-io/jwt, github.com/nats-io/jwt/v2
Published: Jul 01, 2022
Modified: May 20, 2024

Import tokens valid for one account may be used for any other account. Validation of Import token bindings incorrectly warns on mismatches, rather than rejecting the Goken. This permits a token for one account to be used for any other account.

CVE-2021-32690, GHSA-56hp-xqp3-w2jf, and 1 more
Affects: helm.sh/helm/v3
Published: Jul 15, 2022
Modified: May 20, 2024

The username and password credentials associated with a Helm repository can be passed to another domain referenced by that Helm repository. If the index.yaml for a Helm repository is hosted on one domain and references a chart archive on a different domain, Helm will provide the credentials for the index.yaml's domain when fetching those archives.

GHSA-3wxm-m9m4-cprj
Affects: github.com/google/exposure-notifications-server
Published: Aug 21, 2024
Unreviewed

Import of incorrectly embargoed keys could cause early publication in github.com/google/exposure-notifications-server

CVE-2020-26892, GHSA-2c64-vj8g-vwrq, and 1 more
Affects: github.com/nats-io/jwt
Published: Jul 15, 2022
Modified: May 20, 2024

The AccountClaims.IsRevoked and Export.IsRevoked functions improperly validate expired credentials using the current system time rather than the issue time of the JWT to be tested. These functions cannot be used properly. Newer versions of the jwt package provide an IsClaimRevoked method which performs correct validation. In these versions, the IsRevoked method always return true.

GHSA-qq97-vm5h-rrhg
Affects: github.com/docker/distribution
Published: Jul 29, 2022
Modified: May 20, 2024

Systems that rely on digest equivalence for image attestations may be vulnerable to type confusion. A maliciously crafted OCI Container Image can cause registry clients to parse the same image in two different ways without modifying the image's digest, invalidating the common pattern of relying on container image digests for equivalence. This problem has been addressed in newer versions by improving validation in manifest unmarshalling.

GHSA-qh54-9vc5-m9fg
Affects: github.com/foxcpp/maddy
Published: Aug 21, 2024
Unreviewed

MD5 hash support in github.com/foxcpp/maddy

GHSA-q347-cg56-pcq4
Affects: gogs.io/gogs
Published: Aug 21, 2024
Unreviewed

SSRF in repository migration in gogs.io/gogs

GHSA-m836-gxwq-j2pm
Affects: github.com/treeverse/lakefs
Published: Aug 21, 2024
Unreviewed

Improper Access Control in github.com/treeverse/lakefs

GHSA-m6m5-pp4g-fcc8
Affects: github.com/foxcpp/maddy
Published: Aug 21, 2024
Unreviewed

S3 storage write is not aborted on errors leading to unbounded memory usage in github.com/foxcpp/maddy

CVE-2023-36474, GHSA-m36x-mgfh-8g78
Affects: github.com/projectdiscovery/interactsh
Published: Aug 21, 2024
Unreviewed

Subdomain Takeover in Interactsh server in github.com/projectdiscovery/interactsh

CVE-2022-24968, GHSA-h289-x5wc-xcv8, and 1 more
Affects: mellium.im/xmpp
Published: Jul 29, 2022
Modified: May 20, 2024

Websocket client connections are vulnerable to man-in-the-middle attacks via DNS spoofing. When looking up a WSS endpoint using a DNS TXT record, the server TLS certificate is incorrectly validated using the name of the server returned by the TXT record request, not the name of the the server being connected to. This permits any attacker that can spoof a DNS record to redirect the user to a server of their choosing. Providing a *tls.Config with a ServerName field set to the correct destination hostname will avoid this issue.

CVE-2022-0871, GHSA-gw5h-h6hj-f56g
Affects: gogs.io/gogs
Published: Aug 21, 2024
Unreviewed

Gogs vulnerable to improper PAM authorization handling in gogs.io/gogs

GHSA-gv9j-4w24-q7vx
Affects: github.com/coredns/coredns
Published: Aug 21, 2024
Unreviewed

Improper random number generation in github.com/coredns/coredns

GHSA-gp6j-vx54-5pmf
Affects: github.com/keep-network/keep-ecdsa
Published: Aug 21, 2024
Unreviewed

Incorrect validation of parties IDs leaks secret keys in Secret-sharing scheme in github.com/keep-network/keep-ecdsa

GHSA-wpfr-6297-9v57
Affects: github.com/netlify/gotrue
Published: Aug 21, 2024
Unreviewed

User object created with invalid provider data in GoTrue in github.com/netlify/gotrue

GHSA-w2j5-3rcx-vx7x
Affects: github.com/cri-o/cri-o
Published: Aug 21, 2024
Unreviewed

Sysctls applied to containers with host IPC or host network namespaces can affect the host in github.com/cri-o/cri-o

GHSA-5j5w-g665-5m35
Affects: github.com/containerd/containerd
Published: Aug 21, 2024
Unreviewed

Ambiguous OCI manifest parsing in github.com/containerd/containerd

CVE-2022-24768, GHSA-2f5v-8r3f-8pww
Affects: github.com/argoproj/argo-cd, github.com/argoproj/argo-cd/v2
Published: Aug 21, 2024
Unreviewed

Improper access control allows admin privilege escalation in Argo CD in github.com/argoproj/argo-cd

CVE-2022-24731, GHSA-h6h5-6fmq-rh28
Affects: github.com/argoproj/argo-cd, github.com/argoproj/argo-cd/v2
Published: Aug 21, 2024
Unreviewed

Path traversal allows leaking out-of-bound files from Argo CD repo-server in github.com/argoproj/argo-cd

CVE-2022-24730, GHSA-r9cr-hvjj-496v
Affects: github.com/argoproj/argo-cd, github.com/argoproj/argo-cd/v2
Published: Aug 21, 2024
Unreviewed

Path traversal and improper access control allows leaking out-of-bound files from Argo CD repo-server in github.com/argoproj/argo-cd

CVE-2022-21221, GHSA-fx95-883v-4q4h
Affects: github.com/valyala/fasthttp
Published: Jul 27, 2022
Modified: May 20, 2024

The fasthttp.FS request handler is vulnerable to directory traversal attacks on Windows systems, and can serve files from outside the provided root directory. URL path normalization does not handle Windows path separators (backslashes), permitting an attacker to construct requests with relative paths.

CVE-2022-0811, GHSA-6x2m-w449-qwx7
Affects: github.com/cri-o/cri-o
Published: Aug 21, 2024
Unreviewed

Code Injection in CRI-O in github.com/cri-o/cri-o

CVE-2021-29134, GHSA-h3q4-vmw4-cpr5
Affects: code.gitea.io/gitea
Published: Aug 21, 2024
Unreviewed

Path Traversal in Gitea in code.gitea.io/gitea

CVE-2022-26652, GHSA-6h3m-36w8-hv68
Affects: github.com/nats-io/nats-server, github.com/nats-io/nats-server/v2, and 1 more
Published: Aug 21, 2024
Unreviewed

Arbitrary file write in nats-server in github.com/nats-io/nats-server

CVE-2022-24753, GHSA-4cx6-fj7j-pjx9
Affects: github.com/stripe/stripe-cli
Published: Aug 21, 2024
Unreviewed

Code injection in Stripe CLI on windows in github.com/stripe/stripe-cli

CVE-2022-24738, GHSA-5jgq-x857-p8xw
Affects: github.com/tharsis/evmos, github.com/tharsis/evmos/v2
Published: Aug 21, 2024
Unreviewed

Account compromise in Evmos in github.com/tharsis/evmos

CVE-2021-3762, GHSA-mq47-6wwv-v79w
Affects: github.com/quay/claircore
Published: Jul 15, 2022
Modified: May 20, 2024

A maliciously crafted RPM file can cause the Scanner.Scan function to write files with arbitrary contents to arbitrary locations on the local filestem.

CVE-2021-3602, GHSA-7638-r9r3-rmjj
Affects: github.com/containers/buildah
Published: Jul 15, 2022
Modified: May 20, 2024

The RunUsingChroot function unintentionally propagates environment variables from the current process to the child process.

CVE-2022-23648, GHSA-crp2-qrr5-8pq7
Affects: github.com/containerd/containerd
Published: Aug 21, 2024
Unreviewed

containerd CRI plugin: Insecure handling of image volumes in github.com/containerd/containerd

CVE-2018-18623, GHSA-cmq2-j8v8-2q44
Affects: github.com/grafana/grafana
Published: Aug 21, 2024
Unreviewed

Grafana XSS in Dashboard Text Panel in github.com/grafana/grafana

CVE-2022-25327, GHSA-8vwm-8vj8-rqjf, and 1 more
Affects: github.com/google/fscrypt
Published: Aug 21, 2024
Unreviewed

User login denial of service in github.com/google/fscrypt

CVE-2022-25326, GHSA-chxf-fjcf-7fwp, and 1 more
Affects: github.com/google/fscrypt
Published: Aug 21, 2024
Unreviewed

Possible filesystem space exhaustion by local users in github.com/google/fscrypt

CVE-2022-23652, GHSA-9cwv-cppx-mqjm
Affects: github.com/clastix/capsule-proxy
Published: Aug 21, 2024
Unreviewed

Improper Authentication in Capsule Proxy in github.com/clastix/capsule-proxy

CVE-2022-23650, GHSA-86f3-hf24-76q4
Affects: github.com/gravitl/netmaker
Published: Aug 21, 2024
Unreviewed

Use of Hard-coded Cryptographic Key in Netmaker in github.com/gravitl/netmaker

CVE-2022-23649, GHSA-ccxc-vr6p-4858
Affects: github.com/sigstore/cosign
Published: Nov 09, 2023
Modified: May 20, 2024

Cosign can be manipulated to claim that an entry for a signature in the OCI registry exists in the Rekor transparency log even if it does not. This requires the attacker to have pull and push permissions for the signature in OCI. This can happen with both standard signing with a keypair and "keyless signing" with Fulcio certificate authority.

CVE-2022-23632, GHSA-hrhx-6h34-j5hc
Affects: github.com/traefik/traefik, github.com/traefik/traefik/v2
Published: Aug 21, 2024
Unreviewed

Skip the router TLS configuration when the host header is an FQDN in github.com/traefik/traefik

CVE-2022-21698, GHSA-cg3q-j54f-5p7p
Affects: github.com/prometheus/client_golang
Published: Jul 15, 2022
Modified: May 20, 2024

The Prometheus client_golang HTTP server is vulnerable to a denial of service attack when handling requests with non-standard HTTP methods. In order to be affected, an instrumented software must use any of the promhttp.InstrumentHandler* middleware except RequestsInFlight; not filter any specific methods (e.g GET) before middleware; pass a metric with a "method" label name to a middleware; and not have any firewall/LB/proxy that filters away requests with unknown "method".

CVE-2022-23773
Affects: cmd/go/internal/modfetch
Published: Aug 01, 2022
Modified: May 20, 2024

Incorrect access control is possible in the go command. The go command can misinterpret branch names that falsely appear to be version tags. This can lead to incorrect access control if an actor is authorized to create branches but not tags.

CVE-2022-23628, GHSA-hcw3-j74m-qc58
Affects: github.com/open-policy-agent/opa
Published: Jul 27, 2022
Modified: May 20, 2024

Pretty-printing an AST that contains synthetic nodes can change the logic of some statements by reordering array literals.

CVE-2021-45331, GHSA-hfmf-q69j-6m5p
Affects: code.gitea.io/gitea
Published: Aug 21, 2024
Unreviewed

Reuse of one time passwords allowed in Gitea in code.gitea.io/gitea

CVE-2021-45329, GHSA-r3gq-wxqf-q4gh
Affects: github.com/go-gitea/gitea
Published: Aug 21, 2024
Unreviewed

Cross-site Scripting in Gitea in github.com/go-gitea/gitea

CVE-2021-45327, GHSA-jrpg-35hw-m4p9
Affects: code.gitea.io/gitea
Published: Aug 21, 2024
Unreviewed

Capture-replay in Gitea in code.gitea.io/gitea

CVE-2021-45326, GHSA-4wp3-8q92-mh8w
Affects: github.com/go-gitea/gitea
Published: Aug 21, 2024
Unreviewed

Cross Site Request Forgery in Gitea in github.com/go-gitea/gitea

CVE-2021-45325, GHSA-8h8p-x289-vvqr
Affects: github.com/go-gitea/gitea
Published: Aug 21, 2024
Unreviewed

Gitea displaying raw OpenID error in UI in github.com/go-gitea/gitea

CVE-2022-24450, GHSA-g6w6-r76c-28j7
Affects: github.com/nats-io/nats-server, github.com/nats-io/nats-server/v2, and 1 more
Published: Aug 21, 2024
Unreviewed

Incorrect Authorization in NATS nats-server in github.com/nats-io/nats-server

CVE-2021-42583, GHSA-5r5w-h76p-m726
Affects: github.com/foxcpp/maddy
Published: Aug 21, 2024
Unreviewed

Use of a Broken or Risky Cryptographic Algorithm in Max Mazurov Maddy in github.com/foxcpp/maddy

CVE-2021-41090, GHSA-9c4x-5hgq-q3wh
Affects: github.com/grafana/agent
Published: Aug 21, 2024
Unreviewed

Instance config inline secret exposure in Grafana in github.com/grafana/agent

CVE-2022-24348, GHSA-63qx-x74g-jcr7
Affects: github.com/argoproj/argo-cd, github.com/argoproj/argo-cd/v2
Published: Aug 21, 2024
Unreviewed

Path traversal and dereference of symlinks in Argo CD in github.com/argoproj/argo-cd

CVE-2022-24124, GHSA-m358-g4rp-533r
Affects: github.com/casdoor/casdoor
Published: Aug 21, 2024
Unreviewed

SQL Injection in Casdoor in github.com/casdoor/casdoor

CVE-2022-23857, GHSA-pmcr-2rhp-36hr
Affects: github.com/navidrome/navidrome
Published: Aug 21, 2024
Unreviewed

SQL injection in github.com/navidrome/navidrome

CVE-2022-21708, GHSA-mh3m-8c74-74xh
Affects: github.com/graph-gophers/graphql-go
Published: Jul 15, 2022
Modified: May 20, 2024

Malicious inputs can cause a panic. A maliciously crafted input can cause a stack overflow and panic. Any user with access to the GraphQL can send such a query. This issue only occurs when using the graphql.MaxDepth schema option (which is highly recommended in most cases).

CVE-2022-21687, GHSA-rrp4-2xx3-mv29
Affects: github.com/github/gh-ost
Published: Aug 21, 2024
Unreviewed

Command injection in gh-ost in github.com/github/gh-ost

CVE-2022-21646, GHSA-7p8f-8hjm-wm92
Affects: github.com/authzed/spicedb
Published: Aug 21, 2024
Unreviewed

Lookup operations do not take into account wildcards in SpiceDB in github.com/authzed/spicedb

CVE-2022-0317, GHSA-99cg-575x-774p
Affects: github.com/google/go-attestation
Published: Jul 15, 2022
Modified: May 20, 2024

A local attacker can defeat remotely-attested measured boot. Improper input validation in AKPublic.Verify can cause it to succeed when provided with a maliciously-formed Quote over no/some PCRs. Subsequent use of the same set of PCR values in Eventlog.Verify lacks the authentication performed by quote verification, meaning a local attacker can couple this vulnerability with a maliciously-formed TCG log in Eventlog.Verify to spoof events in the TCG log, defeating remotely-attested measured-boot.

CVE-2021-39183, GHSA-2hfj-cxw7-g45p
Affects: github.com/owncast/owncast
Published: Aug 21, 2024
Unreviewed

Unsafe inline XSS in pasting DOM element into chat in github.com/owncast/owncast

CVE-2021-44717
Affects: syscall
Published: May 18, 2022
Modified: May 20, 2024

When a Go program running on a Unix system is out of file descriptors and calls syscall.ForkExec (including indirectly by using the os/exec package), syscall.ForkExec can close file descriptor 0 as it fails. If this happens (or can be provoked) repeatedly, it can result in misdirected I/O such as writing network traffic intended for one connection to a different connection, or content intended for one file to a different one. For users who cannot immediately update to the new release, the bug can be mitigated by raising the per-process file descriptor limit.

CVE-2021-44716, GHSA-vc3p-29h2-gpcp
Affects: net/http, golang.org/x/net
Published: Jul 15, 2022
Modified: May 20, 2024

An attacker can cause unbounded memory growth in servers accepting HTTP/2 requests.

CVE-2021-4024, GHSA-3cf2-x423-x582
Affects: github.com/containers/podman, github.com/containers/podman/v2, and 1 more
Published: Aug 21, 2024
Unreviewed

Exposure of Sensitive Information to an Unauthorized Actor and Origin Validation Error in podman in github.com/containers/podman

CVE-2021-43816, GHSA-mvff-h3cj-wj9c
Affects: github.com/containerd/containerd
Published: Aug 21, 2024
Unreviewed

Unprivileged pod using `hostPath` can side-step active LSM when it is SELinux in github.com/containerd/containerd

CVE-2021-43784, GHSA-v95c-p5hm-xq8f
Affects: github.com/opencontainers/runc
Published: Jul 15, 2022
Modified: May 20, 2024

An attacker with partial control over the bind mount sources of a new container can bypass namespace restrictions.

CVE-2021-39293
Affects: archive/zip
Published: May 18, 2022
Modified: May 20, 2024

The NewReader and OpenReader functions in archive/zip can cause a panic or an unrecoverable fatal error when reading an archive that claims to contain a large number of files, regardless of its actual size. This is caused by an incomplete fix for CVE-2021-33196.

CVE-2021-23772, GHSA-jcxc-rh6w-wf49
Affects: github.com/kataras/iris/v12, github.com/kataras/iris
Published: Jul 15, 2022
Modified: May 20, 2024

The Context.UploadFormFiles function is vulnerable to directory traversal attacks, and can be made to write to arbitrary locations outside the destination directory. This vulnerability only occurs when built with Go versions prior to 1.17. Go 1.17 and later strip directory paths from filenames returned by "mime/multipart".Part.FileName, which avoids this issue.

CVE-2021-22565, GHSA-wx8q-rgfr-cf6v
Affects: github.com/google/exposure-notifications-verification-server
Published: Aug 21, 2024
Unreviewed

Insufficient Granularity of Access Control in github.com/google/exposure-notifications-verification-server

CVE-2021-41266, GHSA-4999-659w-mq36
Affects: github.com/minio/console
Published: Aug 21, 2024
Unreviewed

Authentication bypass issue in the Operator Console in github.com/minio/console

CVE-2021-41254, GHSA-35rf-v2jv-gfg7
Affects: github.com/fluxcd/kustomize-controller
Published: Aug 21, 2024
Unreviewed

Privilege escalation to cluster admin on multi-tenant environments in github.com/fluxcd/kustomize-controller

CVE-2021-41173, GHSA-59hh-656j-3p7v
Affects: github.com/ethereum/go-ethereum
Published: Jul 15, 2022
Modified: May 20, 2024

A maliciously crafted snap/1 protocol message can cause a panic.

CVE-2021-39137, GHSA-9856-9gg9-qcmq
Affects: github.com/ethereum/go-ethereum
Published: Jul 15, 2022
Modified: May 20, 2024

A vulnerability in the Geth EVM can cause a node to reject the canonical chain. A memory-corruption bug within the EVM can cause a consensus error, where vulnerable nodes obtain a different stateRoot when processing a maliciously crafted transaction. This, in turn, would lead to the chain being split in two forks.

CVE-2021-3912, GHSA-g9wh-3vrx-r7hg
Affects: github.com/cloudflare/cfrpki
Published: Jul 15, 2022
Modified: May 20, 2024

The HTTPFetcher.GetXML function reads a response of unlimited size into memory, permitting resource exhaustion.

CVE-2021-3911, GHSA-w6ww-fmfx-2x22
Affects: github.com/cloudflare/cfrpki
Published: Jul 15, 2022
Modified: May 20, 2024

OctoRPKI crashes when a repository returns an ROA with a IP address that contains too many bits.

CVE-2021-3910, GHSA-5mxh-2qfv-4g7j
Affects: github.com/cloudflare/cfrpki
Published: Jul 15, 2022
Modified: May 20, 2024

OctoRPKI crashes when a repository returns an invalid ROA that is only an encoded NUL character (\0).

CVE-2021-3909, GHSA-8cvr-4rrf-f244
Affects: github.com/cloudflare/cfrpki
Published: Aug 21, 2024
Unreviewed

Infinite open connection causes OctoRPKI to hang forever in github.com/cloudflare/cfrpki

CVE-2021-3908, GHSA-g5gj-9ggf-9vmq
Affects: github.com/cloudflare/cfrpki
Published: Aug 21, 2024
Unreviewed

Infinite certificate chain depth results in OctoRPKI running forever in github.com/cloudflare/cfrpki

CVE-2021-3907, GHSA-cqh2-vc2f-q4fh, and 1 more
Affects: github.com/cloudflare/cfrpki
Published: Jul 15, 2022
Modified: May 20, 2024

Manifest path extraction is vulnerable to directory traversal attacks. The ExtractPathManifest function permits file paths containing relative directory components (".."), permitting files to reference arbitrary locations on the filesystem.

CVE-2021-38297
Affects: cmd/link
Published: May 24, 2022
Modified: May 20, 2024

When invoking functions from WASM modules, built using GOARCH=wasm GOOS=js, passing very large arguments can cause portions of the module to be overwritten with data from the arguments due to a buffer overflow error. If using wasm_exec.js to execute WASM modules, users will need to replace their copy (as described in https://golang.org/wiki/WebAssembly#getting-started) after rebuilding any modules.

CVE-2021-3761, GHSA-c8xp-8mf3-62h9
Affects: github.com/cloudflare/cfrpki
Published: Jul 15, 2022
Modified: May 20, 2024

The ROAEntry.Validate function fails to perform bounds checks on the MaxLength field, allowing invalid values to pass validation.

CVE-2021-3538, GHSA-33m6-q9v5-62r7
Affects: github.com/satori/go.uuid
Published: Jul 15, 2022
Modified: May 20, 2024

Random data used to create UUIDs can contain zeros, resulting in predictable UUIDs and possible collisions.

CVE-2021-31525, GHSA-h86h-8ppg-mxmh
Affects: net/http, golang.org/x/net
Published: Jul 15, 2022
Modified: May 20, 2024

A malicious HTTP server or client can cause the net/http client or server to panic. ReadRequest and ReadResponse can hit an unrecoverable panic when reading a very large header (over 7MB on 64-bit architectures, or over 4MB on 32-bit ones). Transport and Client are vulnerable and the program can be made to crash by a malicious server. Server is not vulnerable by default, but can be if the default max header of 1MB is overridden by setting Server.MaxHeaderBytes to a higher value, in which case the program can be made to crash by a malicious client. This also affects golang.org/x/net/http2/h2c and HeaderValuesContainsToken in golang.org/x/net/http/httpguts.

CVE-2021-23409, GHSA-xcf7-q56x-78gh
Affects: github.com/pires/go-proxyproto
Published: Jul 01, 2022
Modified: May 20, 2024

The PROXY protocol server does not impose a timeout on reading the header from new connections, allowing a malicious client to cause resource exhaustion and a denial of service by opening many connections and sending no data on them. v0.6.0 of the proxyproto package adds support for a user-defined header timeout. v0.6.1 adds a default timeout of 200ms and v0.6.2 increases the default timeout to 10s.

CVE-2021-20848, GHSA-458f-26r3-x2c3
Affects: github.com/schollz/rwtxt
Published: Aug 21, 2024
Unreviewed

Cross-site Scripting in github.com/schollz/rwtxt

CVE-2021-20206, GHSA-xjqr-g762-pxwp
Affects: github.com/containernetworking/cni
Published: Jul 01, 2022
Modified: May 20, 2024

The FindInPath function is vulnerable to directory traversal attacks, potentially permitting attackers to execute arbitrary binaries. This function does not sanitize its plugin parameter, so parameter names containing "../" or other such elements may reference arbitrary locations on the filesystem.

CVE-2020-7919, GHSA-cjjc-xp8v-855w
Affects: crypto/x509, golang.org/x/crypto
Published: Jul 06, 2022
Modified: May 20, 2024

On 32-bit architectures, a malformed input to crypto/x509 or the ASN.1 parsing functions of golang.org/x/crypto/cryptobyte can lead to a panic. The malformed certificate can be delivered via a crypto/tls connection to a client, or to a server that accepts client certificates. net/http clients can be made to crash by an HTTPS server, while net/http servers that accept client certificates will recover the panic and are unaffected.

CVE-2019-9634
Affects: runtime, syscall
Published: May 25, 2022
Modified: May 20, 2024

Go on Windows misused certain LoadLibrary functionality, leading to DLL injection.

CVE-2019-6486
Affects: crypto/elliptic
Published: May 24, 2022
Modified: May 20, 2024

A DoS vulnerability in the crypto/elliptic implementations of the P-521 and P-384 elliptic curves may let an attacker craft inputs that consume excessive amounts of CPU. These inputs might be delivered via TLS handshakes, X.509 certificates, JWT tokens, ECDH shares or ECDSA signatures. In some cases, if an ECDH private key is reused more than once, the attack can also lead to key recovery.

CVE-2019-17596
Affects: crypto/dsa
Published: May 24, 2022
Modified: May 20, 2024

Invalid DSA public keys can cause a panic in dsa.Verify. In particular, using crypto/x509.Verify on a crafted X.509 certificate chain can lead to a panic, even if the certificates don't chain to a trusted root. The chain can be delivered via a crypto/tls connection to a client, or to a server that accepts and verifies client certificates. net/http clients can be made to crash by an HTTPS server, while net/http servers that accept client certificates will recover the panic and are unaffected. Moreover, an application might crash invoking crypto/x509.(*CertificateRequest).CheckSignature on an X.509 certificate request, parsing a golang.org/x/crypto/openpgp Entity, or during a golang.org/x/crypto/otr conversation. Finally, a golang.org/x/crypto/ssh client can panic due to a malformed host key, while a server could panic if either PublicKeyCallback accepts a malformed public key, or if IsUserAuthority accepts a certificate with a malformed public key.

CVE-2019-16276
Affects: net/textproto
Published: May 23, 2022
Modified: May 20, 2024

net/http (through net/textproto) used to accept and normalize invalid HTTP/1.1 headers with a space before the colon, in violation of RFC 7230. If a Go server is used behind an uncommon reverse proxy that accepts and forwards but doesn't normalize such invalid headers, the reverse proxy and the server can interpret the headers differently. This can lead to filter bypasses or request smuggling, the latter if requests from separate clients are multiplexed onto the same upstream connection by the proxy. Such invalid headers are now rejected by Go servers, and passed without normalization to Go client applications.

CVE-2019-14809
Affects: net/url
Published: Jul 01, 2022
Modified: May 20, 2024

The url.Parse function accepts URLs with malformed hosts, such that the Host field can have arbitrary suffixes that appear in neither Hostname() nor Port(), allowing authorization bypasses in certain applications.

CVE-2019-11840, GHSA-r5c5-pr8j-pfp7
Affects: golang.org/x/crypto
Published: Jul 01, 2022
Modified: May 20, 2024

XORKeyStream generates incorrect and insecure output for very large inputs. If more than 256 GiB of keystream is generated, or if the counter otherwise grows greater than 32 bits, the amd64 implementation will first generate incorrect output, and then cycle back to previously generated keystream. Repeated keystream bytes can lead to loss of confidentiality in encryption applications, or to predictability in CSPRNG applications. The issue might affect uses of golang.org/x/crypto/nacl with extremely large messages. Architectures other than amd64 and uses that generate less than 256 GiB of keystream for a single salsa20.XORKeyStream invocation are unaffected.

CVE-2018-7187
Affects: cmd/go
Published: Aug 09, 2022
Modified: May 20, 2024

The "go get" command is vulnerable to remote code execution. When the -insecure command-line option is used, "go get" does not validate the import path (get/vcs.go only checks for "://" anywhere in the string), which allows remote attackers to execute arbitrary OS commands via a crafted web site.

CVE-2018-6574
Affects: cmd/go
Published: Aug 09, 2022
Modified: May 20, 2024

The "go get" command with cgo is vulnerable to remote command execution by leveraging the gcc or clang plugin feature. When cgo is enabled, the build step during "go get" invokes the host C compiler, gcc or clang, adding compiler flags specified in the Go source files. Both gcc and clang support a plugin mechanism in which a shared-library plugin is loaded into the compiler, as directed by compiler flags. This means that a Go package repository can contain an attack.so file along with a Go source file that says (for example) "// #cgo CFLAGS: -fplugin=attack.so" causing the attack plugin to be loaded into the host C compiler during the build. Gcc and clang plugins are completely unrestricted in their access to the host system.

CVE-2018-17847, CVE-2018-17848, and 2 more
Affects: golang.org/x/net
Published: Jul 01, 2022
Modified: May 20, 2024

The Parse function can panic on some invalid inputs. For example, the Parse function panics on the input "<svg><template><desc><t><svg></template>".

CVE-2018-17143, GHSA-fcf9-6fv2-fc5v
Affects: golang.org/x/net
Published: Jul 06, 2022
Modified: May 20, 2024

The Parse function can panic on some invalid inputs. For example, the Parse function panics on the input "<template><tBody><isindex/action=0>".

CVE-2018-17142, GHSA-2wp2-chmh-r934
Affects: golang.org/x/net
Published: Jul 01, 2022
Modified: May 20, 2024

The Parse function can panic on some invalid inputs. For example, the Parse function panics on the input "<math><template><mo><template>".

CVE-2018-16875
Affects: crypto/x509
Published: Jul 15, 2022
Modified: May 20, 2024

The crypto/x509 package does not limit the amount of work performed for each chain verification, which might allow attackers to craft pathological inputs leading to a CPU denial of service. Go TLS servers accepting client certificates and TLS clients verifying certificates are affected.

CVE-2018-16874
Affects: cmd/go/internal/get
Published: Aug 02, 2022
Modified: May 20, 2024

The "go get" command is vulnerable to directory traversal when executed with the import path of a malicious Go package which contains curly brace (both '{' and '}' characters). Specifically, it is only vulnerable in GOPATH mode, but not in module mode (the distinction is documented at https://golang.org/cmd/go/#hdr-Module_aware_go_get). The attacker can cause an arbitrary filesystem write, which can lead to code execution.

CVE-2018-16873
Affects: cmd/go/internal/get
Published: Aug 04, 2022
Modified: May 20, 2024

The "go get" command is vulnerable to remote code execution when executed with the -u flag and the import path of a malicious Go package, or a package that imports it directly or indirectly. Specifically, it is only vulnerable in GOPATH mode, but not in module mode (the distinction is documented at https://golang.org/cmd/go/#hdr-Module_aware_go_get). Using custom domains, it's possible to arrange things so that a Git repository is cloned to a folder named ".git" by using a vanity import path that ends with "/.git". If the Git repository root contains a "HEAD" file, a "config" file, an "objects" directory, a "refs" directory, with some work to ensure the proper ordering of operations, "go get -u" can be tricked into considering the parent directory as a repository root, and running Git commands on it. That will use the "config" file in the original Git repository root for its configuration, and if that config file contains malicious commands, they will execute on the system running "go get -u". Note that forbidding import paths with a .git element might not be sufficient to mitigate this issue, as on certain systems there can be other aliases for VCS state folders.

CVE-2017-8932
Affects: crypto/elliptic
Published: Jul 01, 2022
Modified: May 20, 2024

The ScalarMult implementation of curve P-256 for amd64 architectures generates incorrect results for certain specific input points. An adaptive attack can progressively extract the scalar input to ScalarMult by submitting crafted points and observing failures to derive correct output. This leads to a full key recovery attack against static ECDH, as used in popular JWT libraries.

CVE-2017-15041
Affects: cmd/go
Published: Aug 09, 2022
Modified: May 20, 2024

The "go get" command allows remote command execution. Using custom domains, it is possible to arrange things so that example.com/pkg1 points to a Subversion repository but example.com/pkg1/pkg2 points to a Git repository. If the Subversion repository includes a Git checkout in its pkg2 directory and some other work is done to ensure the proper ordering of operations, "go get" can be tricked into reusing this Git checkout for the fetch of code from pkg2. If the Subversion repository's Git checkout has malicious commands in .git/hooks/, they will execute on the system running "go get".

CVE-2017-1000097
Affects: crypto/x509
Published: May 24, 2022
Modified: Jun 03, 2024

On Darwin, user's trust preferences for root certificates were not honored. If the user had a root certificate loaded in their Keychain that was explicitly not trusted, a Go program would still verify a connection using that root certificate.

CVE-2016-3959
Affects: crypto/dsa
Published: May 24, 2022
Modified: May 20, 2024

The Verify function in crypto/dsa passed certain parameters unchecked to the underlying big integer library, possibly leading to extremely long-running computations, which in turn makes Go programs vulnerable to remote denial of service attacks. Programs using HTTPS client certificates or the Go SSH server libraries are both exposed to this vulnerability.

CVE-2022-24778, GHSA-8v99-48m9-c8pm
Affects: github.com/containerd/imgcrypt
Published: Apr 28, 2022
Modified: May 20, 2024

The imgcrypt library provides API extensions for containerd to support encrypted container images and implements the ctd-decoder command line tool for use by containerd to decrypt encrypted container images. The imgcrypt function CheckAuthorization is supposed to check whether the current used is authorized to access an encrypted image and prevent the user from running an image that another user previously decrypted on the same system. In versions prior to 1.1.4, a failure occurs when an image with a ManifestList is used and the architecture of the local host is not the first one in the ManifestList. Only the first architecture in the list was tested, which may not have its layers available locally since it could not be run on the host architecture. Therefore, the verdict on unavailable layers was that the image could be run anticipating that image run failure would occur later due to the layers not being available. However, this verdict to allow the image to run enabled other architectures in the ManifestList to run an image without providing keys if that image had previously been decrypted. A patch has been applied to imgcrypt 1.1.4. Workarounds may include usage of different namespaces for each remote user.

CVE-2022-27191, GHSA-8c26-wmh5-6g9v
Affects: golang.org/x/crypto
Published: Apr 25, 2022
Modified: May 20, 2024

Attackers can cause a crash in SSH servers when the server has been configured by passing a Signer to ServerConfig.AddHostKey such that 1) the Signer passed to AddHostKey does not implement AlgorithmSigner, and 2) the Signer passed to AddHostKey returns a key of type “ssh-rsa” from its PublicKey method. Servers that only use Signer implementations provided by the ssh package are unaffected.

CVE-2022-24921
Affects: regexp
Published: May 23, 2022
Modified: May 20, 2024

On 64-bit platforms, an extremely deeply nested expression can cause regexp.Compile to cause goroutine stack exhaustion, forcing the program to exit. Note this applies to very large expressions, on the order of 2MB.

CVE-2022-23806
Affects: crypto/elliptic
Published: May 23, 2022
Modified: May 20, 2024

Some big.Int values that are not valid field elements (negative or overflowing) might cause Curve.IsOnCurve to incorrectly return true. Operating on those values may cause a panic or an invalid curve operation. Note that Unmarshal will never return such values.

CVE-2022-23772
Affects: math/big
Published: May 23, 2022
Modified: May 20, 2024

Rat.SetString had an overflow issue that can lead to uncontrolled memory consumption.

CVE-2021-42248, CVE-2021-42836, and 2 more
Affects: github.com/tidwall/gjson
Published: Aug 15, 2022
Modified: May 20, 2024

A maliciously crafted path can cause Get and other query functions to consume excessive amounts of CPU and time.

CVE-2021-41772
Affects: archive/zip
Published: Jan 13, 2022
Modified: May 20, 2024

Previously, opening a zip with (*Reader).Open could result in a panic if the zip contained a file whose name was exclusively made up of slash characters or ".." path elements. Open could also panic if passed the empty string directly as an argument. Now, any files in the zip whose name could not be made valid for fs.FS.Open will be skipped, and no longer added to the fs.FS file list, although they are still accessible through (*Reader).File. Note that it was already the case that a file could be accessible from (*Reader).Open with a name different from the one in (*Reader).File, as the former is the cleaned name, while the latter is the original one. Finally, the actual panic site was made robust as a defense-in-depth measure.

CVE-2021-41771
Affects: debug/macho
Published: Jan 13, 2022
Modified: May 20, 2024

Calling File.ImportedSymbols on a loaded file which contains an invalid dynamic symbol table command can cause a panic, in particular if the encoded number of undefined symbols is larger than the number of symbols in the symbol table.

CVE-2021-41230, GHSA-j6wp-3859-vxfg
Affects: github.com/pomerium/pomerium
Published: Jan 14, 2022
Modified: May 20, 2024

Pomerium is an open source identity-aware access proxy. Changes to the OIDC claims of a user after initial login are not reflected in policy evaluation when using allowed_idp_claims as part of policy. If using allowed_idp_claims and a user's claims are changed, Pomerium can make incorrect authorization decisions. For users unable to upgrade clear data on databroker service by clearing redis or restarting the in-memory databroker to force claims to be updated.

CVE-2021-36221
Affects: net/http/httputil
Published: Feb 17, 2022
Modified: May 20, 2024

ReverseProxy can panic after encountering a problem copying a proxied response body.

CVE-2021-34558
Affects: crypto/tls
Published: Feb 17, 2022
Modified: May 20, 2024

crypto/tls clients can panic when provided a certificate of the wrong type for the negotiated parameters. net/http clients performing HTTPS requests are also affected.

CVE-2021-33198
Affects: math/big
Published: Feb 17, 2022
Modified: May 20, 2024

Rat.SetString and Rat.UnmarshalText may cause a panic or an unrecoverable fatal error if passed inputs with very large exponents.

CVE-2021-33197
Affects: net/http/httputil
Published: Feb 17, 2022
Modified: May 20, 2024

ReverseProxy can be made to forward certain hop-by-hop headers, including Connection. If the target of the ReverseProxy is itself a reverse proxy, this lets an attacker drop arbitrary headers, including those set by the ReverseProxy.Director.

CVE-2021-33196
Affects: archive/zip
Published: Feb 17, 2022
Modified: May 20, 2024

NewReader and OpenReader can cause a panic or an unrecoverable fatal error when reading an archive that claims to contain a large number of files, regardless of its actual size.

CVE-2021-33195
Affects: net
Published: Feb 17, 2022
Modified: May 20, 2024

The LookupCNAME, LookupSRV, LookupMX, LookupNS, and LookupAddr functions and their respective methods on the Resolver type may return arbitrary values retrieved from DNS which do not follow the established RFC 1035 rules for domain names. If these names are used without further sanitization, for instance unsafely included in HTML, they may allow for injection of unexpected content. Note that LookupTXT may still return arbitrary values that could require sanitization before further use.

CVE-2021-33194, GHSA-83g2-8m93-v3w7
Affects: golang.org/x/net
Published: Feb 17, 2022
Modified: May 20, 2024

An attacker can craft an input to ParseFragment that causes it to enter an infinite loop and never return.

CVE-2021-32721, GHSA-mj9r-wwm8-7q52
Affects: github.com/AndrewBurian/powermux
Published: Jan 11, 2022
Modified: May 20, 2024

Attackers may be able to craft phishing links and other open redirects by exploiting PowerMux's trailing slash redirection feature. This may lead to users being redirected to untrusted sites after following an attacker crafted link.

CVE-2021-3114
Affects: crypto/elliptic
Published: Feb 17, 2022
Modified: May 20, 2024

The P224() Curve implementation can in rare circumstances generate incorrect outputs, including returning invalid points from ScalarMult.

CVE-2021-27918
Affects: encoding/xml
Published: Feb 17, 2022
Modified: May 20, 2024

The Decode, DecodeElement, and Skip methods of an xml.Decoder provided by xml.NewTokenDecoder may enter an infinite loop when operating on a custom xml.TokenReader which returns an EOF in the middle of an open XML element.

CVE-2020-7664, GHSA-vpx7-vm66-qx8r
Affects: github.com/unknwon/cae
Published: Jan 14, 2022
Modified: May 20, 2024

The ExtractTo function doesn't securely escape file paths in zip archives which include leading or non-leading "..". This allows an attacker to add or replace files system-wide.

CVE-2020-29652, GHSA-3vm4-22fp-5rfm
Affects: golang.org/x/crypto
Published: Feb 17, 2022
Modified: May 20, 2024

Clients can cause a panic in SSH servers. An attacker can craft an authentication request message for the “gssapi-with-mic” method which will cause NewServerConn to panic via a nil pointer dereference if ServerConfig.GSSAPIWithMICConfig is nil.

CVE-2020-24553
Affects: net/http/cgi, net/http/fcgi
Published: Jan 13, 2022
Modified: May 20, 2024

When a Handler does not explicitly set the Content-Type header, the the package would default to “text/html”, which could cause a Cross-Site Scripting vulnerability if an attacker can control any part of the contents of a response. The Content-Type header is now set based on the contents of the first Write using http.DetectContentType, which is consistent with the behavior of the net/http package. Although this protects some applications that validate the contents of uploaded files, not setting the Content-Type header explicitly on any attacker-controlled file is unsafe and should be avoided.

CVE-2020-15586
Affects: net/http
Published: Feb 17, 2022
Modified: May 20, 2024

HTTP servers where the Handler concurrently reads the request body and writes a response can encounter a data race and crash. The httputil.ReverseProxy Handler is affected.

CVE-2020-14039
Affects: crypto/x509
Published: Feb 17, 2022
Modified: May 20, 2024

On Windows, if VerifyOptions.Roots is nil, Certificate.Verify does not check the EKU requirements specified in VerifyOptions.KeyUsages. This may allow a certificate to be used for an unintended purpose.

CVE-2017-15042
Affects: net/smtp
Published: Jan 07, 2022
Modified: May 20, 2024

SMTP clients using net/smtp can use the PLAIN authentication scheme on network connections not secured with TLS, exposing passwords to man-in-the-middle SMTP servers.

CVE-2017-1000098
Affects: mime/multipart
Published: Feb 15, 2022
Modified: May 20, 2024

When parsing large multipart/form-data, an attacker can cause a HTTP server to open a large number of file descriptors. This may be used as a denial-of-service vector.

CVE-2016-3958
Affects: syscall
Published: Jan 05, 2022
Modified: May 20, 2024

Untrusted search path vulnerability on Windows related to LoadLibrary allows local users to gain privileges via a malicious DLL in the current working directory.

CVE-2015-8618
Affects: math/big
Published: Jan 05, 2022
Modified: May 20, 2024

Int.Exp Montgomery mishandled carry propagation and produced an incorrect output, which makes it easier for attackers to obtain private RSA keys via unspecified vectors. This issue can affect RSA computations in crypto/rsa, which is used by crypto/tls. TLS servers on 32-bit systems could plausibly leak their RSA private key due to this issue. Other protocol implementations that create many RSA signatures could also be impacted in the same way. Specifically, incorrect results in one part of the RSA Chinese Remainder computation can cause the result to be incorrect in such a way that it leaks one of the primes. While RSA blinding should prevent an attacker from crafting specific inputs that trigger the bug, on 32-bit systems the bug can be expected to occur at random around one in 2^26 times. Thus collecting around 64 million signatures (of known data) from an affected server should be enough to extract the private key used. Note that on 64-bit systems, the frequency of the bug is so low (less than one in 2^50) that it would be very difficult to exploit.

CVE-2015-5739, CVE-2015-5740, and 1 more
Affects: net/http
Published: Jan 05, 2022
Modified: May 20, 2024

HTTP headers were not properly parsed, which allows remote attackers to conduct HTTP request smuggling attacks via a request that contains Content-Length and Transfer-Encoding header fields.

CVE-2014-7189
Affects: crypto/tls
Published: May 25, 2022
Modified: Jun 03, 2024

When SessionTicketsDisabled is enabled, crypto/tls allowed man-in-the-middle attackers to spoof clients via unspecified vectors. If the server enables TLS client authentication using certificates (this is rare) and explicitly sets SessionTicketsDisabled to true in the tls.Config, then a malicious client can falsely assert ownership of any client certificate it wishes.

CVE-2020-16845, GHSA-q6gq-997w-f55g
Affects: encoding/binary
Published: Jul 01, 2022
Modified: May 20, 2024

ReadUvarint and ReadVarint can read an unlimited number of bytes from invalid inputs. Certain invalid inputs to ReadUvarint or ReadVarint can cause these functions to read an unlimited number of bytes from the ByteReader parameter before returning an error. This can lead to processing more input than expected when the caller is reading directly from a network and depends on ReadUvarint or ReadVarint only consuming a small, bounded number of bytes, even from invalid inputs.

CVE-2021-38561, GHSA-ppp9-7jff-5vj2
Affects: golang.org/x/text
Published: Oct 06, 2021
Modified: May 20, 2024

Due to improper index calculation, an incorrectly formatted language tag can cause Parse to panic via an out of bounds read. If Parse is used to process untrusted user inputs, this may be used as a vector for a denial of service attack.

CVE-2021-20329, GHSA-f6mq-5m25-4r72
Affects: go.mongodb.org/mongo-driver
Published: Jul 28, 2021
Modified: May 20, 2024

Due to improper input sanitization when marshalling Go objects into BSON, a maliciously constructed Go structure could allow an attacker to inject additional fields into a MongoDB document. Users are affected if they use this package to handle untrusted user input.

CVE-2020-15222, GHSA-v3q9-2p3m-7g43
Affects: github.com/ory/fosite
Published: Jul 28, 2021
Modified: May 20, 2024

Uniqueness of JWT IDs (jti) are not checked, allowing the JWT to be replayed.

CVE-2020-15223, GHSA-7mqr-2v3q-v2wm
Affects: github.com/ory/fosite
Published: Jul 28, 2021
Modified: May 20, 2024

Due to improper error handling, an error with the underlying token storage may cause a user to believe a token has been successfully revoked when it is in fact still valid. An attackers ability to exploit this relies on an ability to trigger errors in the underlying storage.

CVE-2020-15111, GHSA-9cx9-x2gp-9qvh
Affects: github.com/gofiber/fiber
Published: Jul 28, 2021
Modified: May 20, 2024

Due to improper input sanitization, a maliciously constructed filename could cause a file download to use an attacker controlled filename, as well as injecting additional headers into an HTTP response.

CVE-2021-4236, GHSA-5gjg-jgh4-gppm, and 1 more
Affects: github.com/ecnepsnai/web
Published: Jul 28, 2021
Modified: May 20, 2024

Web Sockets do not execute any AuthenticateMethod methods which may be set, leading to a nil pointer dereference if the returned UserData pointer is assumed to be non-nil, or authentication bypass. This issue only affects WebSockets with an AuthenticateMethod hook. Request handlers that do not explicitly use WebSockets are not vulnerable.

CVE-2020-36566, GHSA-jpf8-h7h7-3ppm
Affects: github.com/whyrusleeping/tar-utils
Published: Jul 28, 2021
Modified: May 20, 2024

Due to improper path sanitization, archives containing relative file paths can cause files to be written (or overwritten) outside of the target directory.

CVE-2020-26265, GHSA-xw37-57qp-9mm4
Affects: github.com/ethereum/go-ethereum
Published: Jul 28, 2021
Modified: May 20, 2024

Due to an incorrect state calculation, a specific set of transactions could cause a consensus disagreement, causing users of this package to reject a canonical chain.

CVE-2021-28681, GHSA-74xm-qj29-cq8p
Affects: github.com/pion/webrtc/v3
Published: Jul 28, 2021
Modified: May 20, 2024

Due to improper error handling, DTLS connections were not killed when certificate verification failed, causing users who did not check the connection state to continue to use the connection. This could allow allow an attacker which holds the ICE password, but not a valid certificate, to bypass this restriction.

CVE-2020-26242, GHSA-jm5c-rv3w-w83m
Affects: github.com/holiman/uint256
Published: Jul 28, 2021
Modified: May 20, 2024

Due to improper bounds checking, certain mathematical operations can cause a panic via an out of bounds read. If this package is used to process untrusted user inputs, this may be used as a vector for a denial of service attack.

CVE-2019-11289, GHSA-5796-p3m6-9qj4
Affects: code.cloudfoundry.org/gorouter, github.com/cloudfoundry/gorouter
Published: Jul 28, 2021
Modified: May 20, 2024

Due to improper input validation, a maliciously crafted input can cause a panic, due to incorrect nonce size. If this package is used to decrypt user supplied messages without checking the size of supplied nonces, this may be used as a vector for a denial of service attack.

CVE-2019-0210, GHSA-jq7p-26h5-w78r
Affects: github.com/apache/thrift
Published: Jul 28, 2021
Modified: May 20, 2024

Due to an improper bounds check, parsing maliciously crafted messages can cause panics. If this package is used to parse untrusted input, this may be used as a vector for a denial of service attack.

CVE-2021-20291, GHSA-7qw8-847f-pggm
Affects: github.com/containers/storage
Published: Jul 28, 2021
Modified: May 20, 2024

Due to a goroutine deadlock, using github.com/containers/storage/pkg/archive.DecompressStream on a xz archive returns a reader which will hang indefinitely when Close is called. An attacker can use this to cause denial of service if they are able to cause the caller to attempt to decompress an archive they control.

CVE-2021-21272, GHSA-g5v4-5x39-vwhx
Affects: github.com/deislabs/oras
Published: Apr 14, 2021
Modified: May 20, 2024

Due to improper path validation, using the github.com/deislabs/oras/pkg/content.FileStore content store may result in directory traversal during archive extraction, allowing a malicious archive to write paths to arbitrary paths that the process can write to.

CVE-2021-21237, GHSA-cx3w-xqmc-84g5
Affects: github.com/git-lfs/git-lfs
Published: Apr 14, 2021
Modified: May 20, 2024

Due to the standard library behavior of exec.LookPath on Windows a number of methods may result in arbitrary code execution when cloning or operating on untrusted Git repositories.

CVE-2020-29242, CVE-2020-29243, and 6 more
Affects: github.com/dhowden/tag
Published: Apr 14, 2021
Modified: May 20, 2024

Due to improper bounds checking, a number of methods can trigger a panic due to attempted out-of-bounds reads. If the package is used to parse user supplied input, this may be used as a vector for a denial of service attack.

CVE-2020-8945, GHSA-m6wg-2mwg-4rfq
Affects: github.com/proglottis/gpgme
Published: Apr 14, 2021
Modified: May 20, 2024

Due to improper setting of finalizers, memory passed to C may be freed before it is used, leading to crashes due to memory corruption or possible code execution.

CVE-2020-8918, GHSA-5x29-3hr9-6wpw
Affects: github.com/google/go-tpm
Published: Apr 14, 2021
Modified: May 20, 2024

Due to repeated usage of a XOR key an attacker that can eavesdrop on the TPM 1.2 transport is able to calculate usageAuth for keys created using CreateWrapKey, despite it being encrypted, allowing them to use the created key.

CVE-2020-29529, GHSA-2g5j-5x95-r6hr
Affects: github.com/hashicorp/go-slug
Published: Apr 14, 2021
Modified: May 20, 2024

Protections against directory traversal during archive extraction can be bypassed by chaining multiple symbolic links within the archive. This allows a malicious attacker to cause files to be created outside of the target directory. Additionally if the attacker is able to read extracted files they may create symbolic links to arbitrary files on the system which the unpacker has permissions to read.

CVE-2020-15091, GHSA-6jqj-f58p-mrw3
Affects: github.com/tendermint/tendermint
Published: Apr 14, 2021
Modified: May 20, 2024

Proposed commits may contain signatures for blocks not contained within the commit. Instead of skipping these signatures, they cause failure during verification. A malicious proposer can use this to force consensus failures.

CVE-2020-10675, GHSA-rmh2-65xw-9m6q
Affects: github.com/buger/jsonparser
Published: Apr 14, 2021
Modified: May 20, 2024

Parsing malformed JSON which contain opening brackets, but not closing brackets, leads to an infinite loop. If operating on untrusted user input this can be used as a denial of service vector.

CVE-2019-3564, GHSA-x4rg-4545-4w7w
Affects: github.com/facebook/fbthrift
Published: Apr 14, 2021
Modified: May 20, 2024

Skip ignores unknown fields, rather than failing. A malicious user can craft small messages with unknown fields which can take significant resources to parse. If a server accepts messages from an untrusted user, it may be used as a denial of service vector.

CVE-2019-19921, GHSA-fh74-hm69-rqjw
Affects: github.com/opencontainers/runc
Published: Apr 14, 2021
Modified: May 20, 2024

A race while mounting volumes allows a possible symlink-exchange attack, allowing a user whom can start multiple containers with custom volume mount configurations to escape the container.

CVE-2019-19619, GHSA-wmwp-pggc-h4mj
Affects: github.com/documize/community
Published: Apr 14, 2021
Modified: May 20, 2024

HTML content in markdown is not sanitized during rendering, possibly allowing XSS if used to render untrusted user input.

CVE-2019-16884, GHSA-fgv8-vj5c-2ppq
Affects: github.com/opencontainers/runc, github.com/opencontainers/selinux
Published: Apr 14, 2021
Modified: May 20, 2024

AppArmor restrictions may be bypassed due to improper validation of mount targets, allowing a malicious image to mount volumes over e.g. /proc.

CVE-2019-16354, CVE-2019-16355, and 2 more
Affects: github.com/astaxie/beego
Published: Apr 14, 2021
Modified: May 20, 2024

Session data is stored using permissive permissions, allowing local users with filesystem access to read arbitrary data.

CVE-2019-12496, GHSA-vfxc-r2gx-v2vq
Affects: github.com/hybridgroup/gobot
Published: Apr 14, 2021
Modified: May 20, 2024

TLS certificate verification is skipped when connecting to a MQTT server. This allows an attacker who can MITM the connection to read, or forge, messages passed between the client and server.

CVE-2019-11939, GHSA-w3r9-r9w7-8h48
Affects: github.com/facebook/fbthrift
Published: Apr 14, 2021
Modified: May 20, 2024

Thrift Servers preallocate memory for the declared size of messages before checking the actual size of the message. This allows a malicious user to send messages that declare that they are significantly larger than they actually are, allowing them to force the server to allocate significant amounts of memory. This can be used as a denial of service vector.

CVE-2019-10214, GHSA-85p9-j7c9-v4gr
Affects: github.com/containers/image
Published: Apr 14, 2021
Modified: May 20, 2024

The HTTP client used to connect to the container registry authorization service explicitly disables TLS verification, allowing an attacker that is able to MITM the connection to steal credentials.

CVE-2018-18206, GHSA-vc3x-gx6c-g99f
Affects: github.com/bytom/bytom
Published: Apr 14, 2021
Modified: May 20, 2024

A malformed query can cause an out-of-bounds panic due to improper validation of arguments. If processing queries from untrusted parties, this may be used as a vector for denial of service attacks.

CVE-2018-17075, GHSA-5p4h-3377-7w67
Affects: golang.org/x/net
Published: Apr 14, 2021
Modified: May 20, 2024

The HTML parser does not properly handle "in frameset" insertion mode, and can be made to panic when operating on malformed HTML that contains <template> tags. If operating on user input, this may be a vector for a denial of service attack.

CVE-2018-16886, GHSA-h6xx-pmxh-3wgp
Affects: go.etcd.io/etcd
Published: Apr 14, 2021
Modified: May 20, 2024

A user can use a valid client certificate that contains a CommonName that matches a valid RBAC username to authenticate themselves as that user, despite lacking the required credentials. This may allow authentication bypass, but requires a certificate that is issued by a CA trusted by the server.

CVE-2018-14632, GHSA-gxhv-3hwf-wjp9
Affects: github.com/evanphx/json-patch
Published: Apr 14, 2021
Modified: May 20, 2024

A malicious JSON patch can cause a panic due to an out-of-bounds write attempt. This can be used as a denial of service vector if exposed to arbitrary user input.

CVE-2018-12018, GHSA-p5gc-957x-gfw9
Affects: github.com/ethereum/go-ethereum
Published: Apr 14, 2021
Modified: Jun 03, 2024

Due to improper argument validation in RPC messages, a maliciously crafted message can cause a panic, leading to denial of service.

CVE-2017-17831, GHSA-w4xh-w33p-4v29
Affects: github.com/git-lfs/git-lfs
Published: Apr 14, 2021
Modified: Jun 03, 2024

Arbitrary command execution can be triggered by improperly sanitized SSH URLs in LFS configuration files. This can be triggered by cloning a malicious repository.

CVE-2017-11468, GHSA-h62f-wm92-2cmw
Affects: github.com/docker/distribution
Published: Apr 14, 2021
Modified: May 20, 2024

Various storage methods do not impose limits on how much content is accepted from user requests, allowing a malicious user to force the caller to allocate an arbitrary amount of memory.

CVE-2015-1340, GHSA-8mpq-fmr3-6jxv
Affects: github.com/lxc/lxd
Published: Apr 14, 2021
Modified: Jun 03, 2024

A race between chown and chmod operations during a container filesystem shift may allow a user who can modify the filesystem to chmod an arbitrary path of their choice, rather than the expected path.

CVE-2016-3697, GHSA-q3j5-32m5-58c2
Affects: github.com/opencontainers/runc
Published: Apr 14, 2021
Modified: May 20, 2024

GetExecUser in the github.com/opencontainers/runc/libcontainer/user package will improperly interpret numeric UIDs as usernames. If the method is used without verifying that usernames are formatted as expected, it may allow a user to gain unexpected privileges.

CVE-2020-28362
Affects: math/big
Published: Apr 14, 2021
Modified: May 20, 2024

A number of math/big.Int methods can panic when provided large inputs due to a flawed division method.

CVE-2021-3115
Affects: cmd/go
Published: Apr 14, 2021
Modified: May 20, 2024

The go command may execute arbitrary code at build time when using cgo on Windows. This can be triggered by running go get on a malicious module, or any other time the code is built.

CVE-2021-27919
Affects: archive/zip
Published: Apr 14, 2021
Modified: May 20, 2024

Using Reader.Open on an archive containing a file with a path prefixed by "../" will cause a panic due to a stack overflow. If parsing user supplied archives, this may be used as a denial of service vector.

CVE-2020-8564, GHSA-8mjg-8c8g-6h85
Affects: k8s.io/kubernetes
Published: Apr 14, 2021
Modified: May 20, 2024

Attempting to read a malformed .dockercfg may cause secrets to be inappropriately logged.

CVE-2019-11250, GHSA-jmrx-5g74-6v2f
Affects: k8s.io/client-go
Published: Apr 14, 2021
Modified: Jul 19, 2024

Authorization tokens may be inappropriately logged if the verbosity level is set to a debug level.

CVE-2020-8565, GHSA-8cfg-vx93-jvxw
Affects: k8s.io/client-go
Published: Apr 14, 2021
Modified: Jul 19, 2024

Authorization tokens may be inappropriately logged if the verbosity level is set to a debug level. This is due to an incomplete fix for CVE-2019-11250.

CVE-2020-26264, GHSA-r33q-22hv-j29q
Affects: github.com/ethereum/go-ethereum
Published: Apr 14, 2021
Modified: May 20, 2024

Due to a nil pointer dereference, a maliciously crafted RPC message can cause a panic. If handling RPC messages from untrusted clients, this may be used as a denial of service vector.

CVE-2021-4235, GHSA-r88r-gmrh-7j83
Affects: gopkg.in/yaml.v2, github.com/go-yaml/yaml
Published: Apr 14, 2021
Modified: May 20, 2024

Due to unbounded alias chasing, a maliciously crafted YAML file can cause the system to consume significant system resources. If parsing user input, this may be used as a denial of service vector.

CVE-2020-29509, GHSA-xhqq-x44f-9fgg
Affects: github.com/russellhaering/gosaml2
Published: Apr 14, 2021
Modified: May 20, 2024

Due to the behavior of encoding/xml, a crafted XML document may cause XML Digital Signature validation to be entirely bypassed, causing an unsigned document to appear signed.

CVE-2020-35380, GHSA-w942-gw6m-p62c
Affects: github.com/tidwall/gjson
Published: Apr 14, 2021
Modified: May 20, 2024

Due to improper bounds checking, maliciously crafted JSON objects can cause an out-of-bounds panic. If parsing user input, this may be used as a denial of service vector.

CVE-2020-27846, GHSA-4hq8-gmxx-h6w9
Affects: github.com/crewjam/saml
Published: Apr 14, 2021
Modified: May 20, 2024

Due to the behavior of encoding/xml, a crafted XML document may cause XML Digital Signature validation to be entirely bypassed, causing an unsigned document to appear signed.

CVE-2020-35381, GHSA-8vrw-m3j9-j27c
Affects: github.com/buger/jsonparser
Published: Apr 14, 2021
Modified: May 20, 2024

Due to improper bounds checking, maliciously crafted JSON objects can cause an out-of-bounds panic. If parsing user input, this may be used as a denial of service vector.

CVE-2020-36067, GHSA-p64j-r5f4-pwwx
Affects: github.com/tidwall/gjson
Published: Apr 14, 2021
Modified: May 20, 2024

Due to improper bounds checking, maliciously crafted JSON objects can cause an out-of-bounds panic. If parsing user input, this may be used as a denial of service vector.

CVE-2021-3121, GHSA-c3h9-896r-86jm
Affects: github.com/gogo/protobuf
Published: Apr 14, 2021
Modified: May 20, 2024

Due to improper bounds checking, maliciously crafted input to generated Unmarshal methods can cause an out-of-bounds panic. If parsing messages from untrusted parties, this may be used as a denial of service vector.

CVE-2020-28483, GHSA-h395-qcrw-5vmq
Affects: github.com/gin-gonic/gin
Published: Apr 14, 2021
Modified: May 20, 2024

Due to improper HTTP header sanitization, a malicious user can spoof their source IP address by setting the X-Forwarded-For header. This may allow a user to bypass IP based restrictions, or obfuscate their true source.

CVE-2020-36565, GHSA-j453-hm5x-c46w
Affects: github.com/labstack/echo/v4
Published: Apr 14, 2021
Modified: May 20, 2024

Due to improper sanitization of user input on Windows, the static file handler allows for directory traversal, allowing an attacker to read files outside of the target directory that the server has permission to read.

CVE-2020-15216, GHSA-q547-gmf8-8jr7
Affects: github.com/russellhaering/goxmldsig
Published: Apr 14, 2021
Modified: May 20, 2024

Due to the behavior of encoding/xml, a crafted XML document may cause XML Digital Signature validation to be entirely bypassed, causing an unsigned document to appear signed.

CVE-2020-36564, GHSA-5x84-q523-vvwr
Affects: github.com/justinas/nosurf
Published: Apr 14, 2021
Modified: May 20, 2024

Due to improper validation of caller input, validation is silently disabled if the provided expected token is malformed, causing any user supplied token to be considered valid.

CVE-2020-25614, GHSA-93m7-c69f-5cfj
Affects: github.com/antchfx/xmlquery
Published: Apr 14, 2021
Modified: May 20, 2024

LoadURL does not check the Content-Type of loaded resources, which can cause a panic due to nil pointer deference if the loaded resource is not XML. If user supplied URLs are loaded, this may be used as a denial of service vector.

CVE-2020-36563, GHSA-5rhg-xhgr-5hfj
Affects: github.com/RobotsAndPencils/go-saml
Published: Apr 14, 2021
Modified: May 20, 2024

XML Digital Signatures generated and validated using this package use SHA-1, which may allow an attacker to craft inputs which cause hash collisions depending on their control over the input.

CVE-2020-7711, CVE-2020-7731, and 3 more
Affects: github.com/russellhaering/goxmldsig, github.com/russellhaering/gosaml2
Published: Apr 14, 2021
Modified: May 20, 2024

Due to a nil pointer dereference, a malformed XML Digital Signature can cause a panic during validation. If user supplied signatures are being validated, this may be used as a denial of service vector.

CVE-2016-15005, GHSA-q9qr-jwpw-3qvv
Affects: github.com/dinever/golf
Published: Apr 14, 2021
Modified: May 20, 2024

CSRF tokens are generated using math/rand, which is not a cryptographically secure random number generator, allowing an attacker to predict values and bypass CSRF protections with relatively few requests.

CVE-2018-21246, GHSA-gr7w-x2jp-3xgw
Affects: github.com/mholt/caddy
Published: Apr 14, 2021
Modified: May 20, 2024

Due to improper TLS verification when serving traffic for multiple SNIs, an attacker may bypass TLS client authentication by indicating an SNI during the TLS handshake that is different from the name in the HTTP Host header.

CVE-2020-7667, GHSA-9423-6c93-gpp8
Affects: github.com/sassoftware/go-rpmutils
Published: Apr 14, 2021
Modified: May 20, 2024

Due to improper path sanitization, RPMs containing relative file paths can cause files to be written (or overwritten) outside of the target directory.

CVE-2020-7668, GHSA-88jf-7rch-32qc
Affects: github.com/unknwon/cae
Published: Apr 14, 2021
Modified: May 20, 2024

Due to improper path sanitization, archives containing relative file paths can cause files to be written (or overwritten) outside of the target directory.

CVE-2020-36562, GHSA-p6fg-723f-hgpw
Affects: github.com/shiyanhui/dht
Published: Apr 14, 2021
Modified: May 20, 2024

Due to unchecked type assertions, maliciously crafted messages can cause panics, which may be used as a denial of service vector.

CVE-2020-12666, GHSA-733f-44f3-3frw
Affects: gopkg.in/macaron.v1
Published: Apr 14, 2021
Modified: May 20, 2024

Due to improper request sanitization, a specifically crafted URL can cause the static file handler to redirect to an attacker chosen URL, allowing for open redirect attacks.

CVE-2019-20786, GHSA-7gfg-6934-mqq2
Affects: github.com/pion/dtls
Published: Apr 14, 2021
Modified: May 20, 2024

Due to improper verification of packets, unencrypted packets containing application data are accepted after the initial handshake. This allows an attacker to inject arbitrary data which the client/server believes was encrypted, despite not knowing the session key.

CVE-2019-25072, GHSA-3fm3-m23v-5r46
Affects: github.com/tendermint/tendermint
Published: Apr 14, 2021
Modified: May 20, 2024

Due to support of Gzip compression in request bodies, as well as a lack of limiting response body sizes, a malicious server can cause a client to consume a significant amount of system resources, which may be used as a denial of service vector.

CVE-2019-11254, GHSA-wxc4-f4m6-wwqv
Affects: gopkg.in/yaml.v2, github.com/go-yaml/yaml
Published: Apr 14, 2021
Modified: May 20, 2024

Due to unbounded aliasing, a crafted YAML file can cause consumption of significant system resources. If parsing user supplied input, this may be used as a denial of service vector.

CVE-2020-36561, GHSA-f5c5-hmw9-v8hx
Affects: github.com/yi-ge/unzip
Published: Apr 14, 2021
Modified: May 20, 2024

Due to improper path sanitization, archives containing relative file paths can cause files to be written (or overwritten) outside of the target directory.

CVE-2020-36560, GHSA-rmj9-q58g-9qgg
Affects: github.com/artdarek/go-unzip
Published: Apr 14, 2021
Modified: May 20, 2024

Due to improper path sanitization, archives containing relative file paths can cause files to be written (or overwritten) outside of the target directory.

CVE-2020-36559, GHSA-vp56-r7qv-783v
Affects: aahframe.work
Published: Apr 14, 2021
Modified: May 20, 2024

Due to improper sanitization of user input, HTTPEngine.Handle allows for directory traversal, allowing an attacker to read files outside of the target directory that the server has permission to read.

CVE-2019-25073, GHSA-fjgq-224f-fq37
Affects: github.com/goadesign/goa, goa.design/goa, and 1 more
Published: Apr 14, 2021
Modified: May 20, 2024

Due to improper sanitization of user input, Controller.FileHandler allows for directory traversal, allowing an attacker to read files outside of the target directory that the server has permission to read.

CVE-2018-17419, GHSA-9jcx-pr2f-qvq5
Affects: github.com/miekg/dns
Published: Apr 14, 2021
Modified: May 20, 2024

Due to a nil pointer dereference, parsing a malformed zone file containing TA records may cause a panic. If parsing user supplied input, this may be used as a denial of service vector.

CVE-2018-6558, GHSA-qj26-7grj-whg3
Affects: github.com/google/fscrypt
Published: Apr 14, 2021
Modified: May 20, 2024

After dropping and then elevating process privileges euid, guid, and groups are not properly restored to their original values, allowing an unprivileged user to gain membership in the root group.

CVE-2018-1103, GHSA-w55j-f7vx-6q37
Affects: github.com/openshift/source-to-image
Published: Apr 14, 2021
Modified: May 20, 2024

Due to improper path sanitization, archives containing relative file paths can cause files to be written (or overwritten) outside of the target directory.

CVE-2018-25046, GHSA-32qh-8vg6-9g43
Affects: code.cloudfoundry.org/archiver
Published: Apr 14, 2021
Modified: May 20, 2024

Due to improper path sanitization, archives containing relative file paths can cause files to be written (or overwritten) outside of the target directory.

CVE-2013-10005, GHSA-gxgj-xjcw-fv9p
Affects: github.com/btcsuite/go-socks, github.com/btcsuitereleases/go-socks
Published: Apr 14, 2021
Modified: May 20, 2024

The RemoteAddr and LocalAddr methods on the returned net.Conn may call themselves, leading to an infinite loop which will crash the program due to a stack overflow.

CVE-2015-10004, GHSA-5vw4-v588-pgv8
Affects: github.com/robbert229/jwt
Published: Apr 14, 2021
Modified: May 20, 2024

Token validation methods are susceptible to a timing side-channel during HMAC comparison. With a large enough number of requests over a low latency connection, an attacker may use this to determine the expected HMAC.

CVE-2014-125026, GHSA-4wp2-8rm2-jgmh
Affects: github.com/cloudflare/golz4
Published: Apr 14, 2021
Modified: May 20, 2024

LZ4 bindings use a deprecated C API that is vulnerable to memory corruption, which could lead to arbitrary code execution if called with untrusted user input.

CVE-2014-8681, GHSA-mr6h-chqp-p9g2
Affects: github.com/gogits/gogs
Published: Apr 14, 2021
Modified: May 20, 2024

Due to improper sanitization of user input, a number of methods are vulnerable to SQL injection if used with user input that has not been sanitized by the caller.

CVE-2017-20146, GHSA-jcr6-mmjj-pchw
Affects: github.com/gorilla/handlers
Published: Apr 14, 2021
Modified: May 20, 2024

Usage of the CORS handler may apply improper CORS headers, allowing the requester to explicitly control the value of the Access-Control-Allow-Origin header, which bypasses the expected behavior of the Same Origin Policy.

CVE-2020-27813, GHSA-3xh2-74w9-5vxm, and 1 more
Affects: github.com/gorilla/websocket
Published: Apr 14, 2021
Modified: May 20, 2024

An attacker can craft malicious WebSocket frames that cause an integer overflow in a variable which tracks the number of bytes remaining. This may cause the server or client to get stuck attempting to read frames in a loop, which can be used as a denial of service vector.

CVE-2020-26160, GHSA-w73w-5m7g-f7qc
Affects: github.com/dgrijalva/jwt-go, github.com/dgrijalva/jwt-go/v4
Published: Apr 14, 2021
Modified: May 20, 2024

If a JWT contains an audience claim with an array of strings, rather than a single string, and MapClaims.VerifyAudience is called with req set to false, then audience verification will be bypassed, allowing an invalid set of audiences to be provided.

CVE-2021-29482, GHSA-25xm-hr59-7c27
Affects: github.com/ulikunitz/xz
Published: Apr 14, 2021
Modified: May 20, 2024

An attacker can construct a series of bytes such that calling Reader.Read on the bytes could cause an infinite loop. If parsing user supplied input, this may be used as a denial of service vector.

CVE-2020-14040, GHSA-5rcv-m4m3-hfh7
Affects: golang.org/x/text
Published: Apr 14, 2021
Modified: May 20, 2024

An attacker could provide a single byte to a UTF16 decoder instantiated with UseBOM or ExpectBOM to trigger an infinite loop if the String function on the Decoder is called, or the Decoder is passed to transform.String. If used to parse user supplied input, this may be used as a denial of service vector.

CVE-2018-17846, GHSA-vfw5-hrgq-h5wf
Affects: golang.org/x/net
Published: Apr 14, 2021
Modified: May 20, 2024

html.Parse does not properly handle "select" tags, which can lead to an infinite loop. If parsing user supplied input, this may be used as a denial of service vector.

CVE-2017-3204, GHSA-xhjq-w7xm-p8qj
Affects: golang.org/x/crypto
Published: Apr 14, 2021
Modified: May 20, 2024

By default host key verification is disabled which allows for man-in-the-middle attacks against SSH clients if ClientConfig.HostKeyCallback is not set.

CVE-2020-9283, GHSA-ffhg-7mh4-33c4
Affects: golang.org/x/crypto
Published: Apr 14, 2021
Modified: May 20, 2024

An attacker can craft an ssh-ed25519 or [email protected] public key, such that the library will panic when trying to verify a signature with it. If verifying signatures using user supplied public keys, this may be used as a denial of service vector.

CVE-2016-9121, GHSA-86r9-39j9-99wp
Affects: github.com/square/go-jose
Published: Apr 14, 2021
Modified: May 20, 2024

When using ECDH-ES an attacker can mount an invalid curve attack during decryption as the supplied public key is not checked to be on the same curve as the receivers private key.

CVE-2016-9123, GHSA-3fx4-7f69-5mmg
Affects: github.com/square/go-jose
Published: Apr 14, 2021
Modified: May 20, 2024

On 32-bit platforms an attacker can manipulate a ciphertext encrypted with AES-CBC with HMAC such that they can control how large the input buffer is when computing the HMAC authentication tag. This can can allow a manipulated ciphertext to be verified as authentic, opening the door for padding oracle attacks.

CVE-2019-19794, GHSA-44r7-7p62-q3fr
Affects: github.com/miekg/dns
Published: Apr 14, 2021
Modified: May 20, 2024

DNS message transaction IDs are generated using math/rand which makes them relatively predictable. This reduces the complexity of response spoofing attacks against DNS clients.

CVE-2017-18367, GHSA-58v3-j75h-xr49
Affects: github.com/seccomp/libseccomp-golang
Published: Apr 14, 2021
Modified: May 20, 2024

Filters containing rules with multiple syscall arguments are improperly constructed, such that all arguments are required to match rather than any of the arguments (AND is used rather than OR). These filters can be bypassed by only specifying a subset of the arguments due to this behavior.

CVE-2017-15133, GHSA-p55x-7x9v-q8m4
Affects: github.com/miekg/dns
Published: Apr 14, 2021
Modified: May 20, 2024

An attacker may prevent TCP connections to a Server by opening a connection and leaving it idle, until the connection is closed by the server no other connections will be accepted.

CVE-2020-15106, CVE-2020-15112, and 2 more
Affects: go.etcd.io/etcd
Published: Apr 14, 2021
Modified: May 20, 2024

Malformed WALs can be constructed such that WAL.ReadAll can cause attempted out of bounds reads, or creation of arbitrarily sized slices, which may be used as a DoS vector.

CVE-2020-36569, GHSA-hrm3-3xm6-x33h
Affects: github.com/nanobox-io/golang-nanoauth
Published: Apr 14, 2021
Modified: May 20, 2024

If any of the ListenAndServe functions are called with an empty token, token authentication is disabled globally for all listeners. Also, a minor timing side channel was present allowing attackers with very low latency and able to make many requests to potentially recover the token.

CVE-2020-36568, GHSA-hggr-p7v6-73p5
Affects: github.com/revel/revel
Published: Apr 14, 2021
Modified: May 20, 2024

An attacker can cause an application that accepts slice parameters (https://revel.github.io/manual/parameters.html#slices) to allocate large amounts of memory and crash through manipulating the request query sent to the application.

CVE-2020-36567, GHSA-6vm3-jj99-7229
Affects: github.com/gin-gonic/gin
Published: Apr 14, 2021
Modified: May 20, 2024

The default Formatter for the Logger middleware (LoggerConfig.Formatter), which is included in the Default engine, allows attackers to inject arbitrary log entries by manipulating the request path.

?	: This menu
/	: Search site
f or F	: Jump to
y or Y	: Canonical URL