Vulnerability Reports

• CVE-2024-9594
• Affects: github.com/kubernetes-sigs/image-builder
• Published: Oct 17, 2024
• Unreviewed

VM images built with Image Builder with some providers use default credentials during builds in github.com/kubernetes-sigs/image-builder

• CVE-2024-9486
• Affects: github.com/kubernetes-sigs/image-builder
• Published: Oct 17, 2024
• Unreviewed

VM images built with Image Builder and Proxmox provider use default credentials in github.com/kubernetes-sigs/image-builder

• CVE-2023-22644
• Affects: github.com/neuvector/neuvector
• Published: Oct 15, 2024
• Unreviewed

JWT token compromise can allow malicious actions including Remote Code Execution (RCE) in github.com/neuvector/neuvector

• CVE-2024-48909, GHSA-3c32-4hq9-6wgj
• Affects: github.com/authzed/spicedb
• Published: Oct 15, 2024
• Unreviewed

SpiceDB calls to LookupResources using LookupResources2 with caveats may return context is missing when it is not in github.com/authzed/spicedb

• GHSA-vv6c-69r6-chg9
• Affects: github.com/landlock-lsm/go-landlock
• Published: Oct 15, 2024
• Unreviewed

Go-Landlock in best-effort mode did not restrict TCP bind and connect operations correctly in github.com/landlock-lsm/go-landlock. NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions. (If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.) The additional affected modules and versions are: .

• CVE-2024-47877, GHSA-8rm2-93mq-jqhc
• Affects: github.com/codeclysm/extract, github.com/codeclysm/extract/v3, and 1 more
• Published: Oct 15, 2024
• Unreviewed

Extract has insufficient checks allowing attacker to create symlinks outside the extraction directory. in github.com/codeclysm/extract

• CVE-2024-9180, GHSA-rr8j-7w34-xp5j
• Affects: github.com/hashicorp/vault
• Published: Oct 11, 2024
• Unreviewed

Vault Community Edition privilege escalation vulnerability in github.com/hashicorp/vault

• CVE-2024-47067, GHSA-8pph-gfhp-w226
• Affects: github.com/alist-org/alist, github.com/alist-org/alist/v3
• Published: Oct 11, 2024
• Unreviewed

Alist reflected Cross-Site Scripting vulnerability in github.com/alist-org/alist

• CVE-2024-38365, GHSA-27vh-h6mc-q6g8
• Affects: github.com/btcsuite/btcd
• Published: Oct 15, 2024
• Modified: Oct 17, 2024

The btcd Bitcoin client (versions 0.10 to 0.24) did not correctly re-implement Bitcoin Core's 'FindAndDelete()' functionality, causing discrepancies in the validation of Bitcoin blocks. This can lead to a chain split (accepting an invalid block) or Denial of Service (DoS) attacks (rejecting a valid block). An attacker can trigger this vulnerability by constructing a 'standard' Bitcoin transaction that exhibits different behaviors in 'FindAndDelete()' and 'removeOpcodeByData()'.

• CVE-2024-9312, GHSA-4gfw-wf7c-w6g2
• Affects: github.com/ubuntu/authd
• Published: Oct 11, 2024
• Unreviewed

Authd allows attacker-controlled usernames to yield controllable UIDs in github.com/ubuntu/authd

• CVE-2024-9675, GHSA-586p-749j-fhwp
• Affects: github.com/containers/buildah
• Published: Oct 11, 2024
• Unreviewed

Buildah allows arbitrary directory mount in github.com/containers/buildah

• CVE-2024-47832
• Affects: github.com/ssoready/ssoready
• Published: Oct 11, 2024
• Unreviewed

XML Signature Bypass via differential XML parsing in ssoready in github.com/ssoready/ssoready

• CVE-2024-36814, GHSA-9cp9-8gw2-8v7m
• Affects: github.com/AdguardTeam/AdGuardHome
• Published: Oct 11, 2024
• Unreviewed

Adguard Home arbitrary file read vulnerability in github.com/AdguardTeam/AdGuardHome

• GHSA-wpr2-j6gr-pjw9
• Affects: github.com/opentofu/opentofu
• Published: Oct 09, 2024
• Unreviewed

OpenTofu potential leaking of secret variable values when using static evaluation in v1.8 in github.com/opentofu/opentofu

• CVE-2024-9313, GHSA-x5q3-c8rm-w787
• Affects: github.com/ubuntu/authd
• Published: Oct 09, 2024
• Unreviewed

PAM module may allow accessing with the credentials of another user in github.com/ubuntu/authd. NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions. (If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.) The additional affected modules and versions are: github.com/ubuntu/authd before v0.0.0-20240930103526-63e527496b01.

• CVE-2024-47616, GHSA-r7rh-jww5-5fjr
• Affects: github.com/pomerium/pomerium
• Published: Oct 09, 2024
• Unreviewed

Pomerium service account access token may grant unintended access to databroker API in github.com/pomerium/pomerium

• CVE-2024-8038, GHSA-xwgj-vpm9-q2rq
• Affects: github.com/juju/juju
• Published: Oct 09, 2024
• Unreviewed

Vulnerable juju introspection abstract UNIX domain socket in github.com/juju/juju. NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions. (If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.) The additional affected modules and versions are: github.com/juju/juju before v0.0.0-20240829052008-43f0fc59790d.

• CVE-2024-8037, GHSA-8v4w-f4r9-7h6x
• Affects: github.com/juju/juju
• Published: Oct 09, 2024
• Unreviewed

Vulnerable juju hook tool abstract UNIX domain socket in github.com/juju/juju

• CVE-2024-7558, GHSA-mh98-763h-m9v4
• Affects: github.com/juju/juju
• Published: Oct 09, 2024
• Unreviewed

JUJU_CONTEXT_ID is a predictable authentication secret in github.com/juju/juju

• CVE-2024-33662, GHSA-9mjw-79r6-c9m8
• Affects: github.com/portainer/portainer
• Published: Oct 09, 2024
• Unreviewed

Portainer improperly uses an encryption algorithm in the AesEncrypt function in github.com/portainer/portainer. NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions. (If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.) The additional affected modules and versions are: github.com/portainer/portainer before v2.20.2.

• CVE-2024-9341, GHSA-mc76-5925-c5p6
• Affects: github.com/containers/common
• Published: Oct 14, 2024
• Unreviewed

Link Following in github.com/containers/common

• CVE-2024-8996, GHSA-m5gv-m5f9-wgv4
• Affects: github.com/grafana/agent
• Published: Oct 09, 2024
• Unreviewed

Grafana Agent (Flow mode) on Windows has Unquoted Search Path or Element vulnerability in github.com/grafana/agent

• CVE-2024-9407, GHSA-fhqq-8f65-5xfc
• Affects: github.com/containers/buildah, github.com/containers/podman, and 4 more
• Published: Oct 09, 2024
• Unreviewed

Improper Input Validation in Buildah and Podman in github.com/containers/buildah

• CVE-2024-8975, GHSA-chqx-36rm-rf8h
• Affects: github.com/grafana/alloy
• Published: Oct 09, 2024
• Unreviewed

Grafana Alloy on Windows has Unquoted Search Path or Element vulnerability in github.com/grafana/alloy

• CVE-2024-9355, GHSA-3h3x-2hwv-hr52
• Affects: github.com/golang-fips/openssl, github.com/golang-fips/openssl/v2
• Published: Oct 09, 2024
• Unreviewed

Golang FIPS OpenSSL has a Use of Uninitialized Variable vulnerability in github.com/golang-fips/openssl

• CVE-2024-47534, GHSA-4f8r-qqr9-fq8j
• Affects: github.com/theupdateframework/go-tuf/v2
• Published: Oct 09, 2024
• Modified: Oct 14, 2024
• Unreviewed

Incorrect delegation lookups can make go-tuf download the wrong artifact in github.com/theupdateframework/go-tuf

• CVE-2024-47003, GHSA-59hf-mpf8-pqjh
• Affects: github.com/mattermost/mattermost-server, github.com/mattermost/mattermost-server/v5, and 2 more
• Published: Oct 10, 2024
• Unreviewed

Mattermost fails to strip `embeds` from `metadata` when broadcasting `posted` events in github.com/mattermost/mattermost-server

• CVE-2024-47182
• Affects: github.com/amir20/dozzle
• Published: Oct 09, 2024
• Unreviewed

Dozzle uses unsafe hash for passwords in github.com/amir20/dozzle. NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions. (If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.) The additional affected modules and versions are: github.com/amir20/dozzle before v8.5.3.

• CVE-2024-7594, GHSA-jg74-mwgw-v6x3
• Affects: github.com/hashicorp/vault
• Published: Oct 09, 2024
• Unreviewed

Vault SSH Secrets Engine Configuration Did Not Restrict Valid Principals By Default in github.com/hashicorp/vault

• CVE-2024-22030, GHSA-h4h5-9833-v2p4
• Affects: github.com/rancher/rancher
• Published: Oct 09, 2024
• Unreviewed

Rancher agents can be hijacked by taking over the Rancher Server URL in github.com/rancher/rancher. NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions. (If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.) The additional affected modules and versions are: github.com/rancher/rancher from v2.7.0 before v2.7.15, from v2.8.0 before v2.8.8, from v2.9.0 before v2.9.2.

• CVE-2024-45042, GHSA-wc43-73w7-x2f5
• Affects: github.com/ory/kratos
• Published: Sep 26, 2024
• Unreviewed

Ory Kratos's setting required_aal `highest_available` does not properly respect code + mfa credentials in github.com/ory/kratos

• CVE-2024-40761, GHSA-48cr-j2cx-mcr8
• Affects: github.com/apache/incubator-answer
• Published: Sep 26, 2024
• Unreviewed

Apache Answer: Avatar URL leaked user email addresses in github.com/apache/incubator-answer

• CVE-2024-46957, GHSA-98hf-m87w-cq6h
• Affects: mellium.im/xmpp
• Published: Sep 26, 2024
• Unreviewed

Mellium allows Authentication Bypass by Spoofing in mellium.im/xmpp

• CVE-2024-47219
• Affects: github.com/vesoft-inc/nebula
• Published: Sep 26, 2024
• Unreviewed

CVE-2024-47219 in github.com/vesoft-inc/nebula

• CVE-2024-47218
• Affects: github.com/vesoft-inc/nebula
• Published: Sep 26, 2024
• Unreviewed

CVE-2024-47218 in github.com/vesoft-inc/nebula

• CVE-2024-47062, GHSA-58vj-cv5w-v4v6
• Affects: github.com/navidrome/navidrome
• Published: Sep 26, 2024
• Unreviewed

Navidrome has Multiple SQL Injections and ORM Leak in github.com/navidrome/navidrome

• CVE-2024-8260, GHSA-c77r-fh37-x2px
• Affects: github.com/open-policy-agent/opa
• Published: Sep 20, 2024

OPA for Windows has an SMB force-authentication vulnerability. Due to improper input validation, it allows a user to pass an arbitrary SMB share instead of a Rego file as an argument to OPA CLI or to one of the OPA Go library’s functions.

• CVE-2024-47000, GHSA-qr2h-7pwm-h393
• Affects: github.com/zitadel/zitadel
• Published: Sep 26, 2024
• Unreviewed

ZITADEL's Service Users Deactivation not Working in github.com/zitadel/zitadel. NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions. (If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.) The additional affected modules and versions are: github.com/zitadel/zitadel before v2.54.10, from v2.55.0 before v2.55.8, from v2.56.0 before v2.56.6, from v2.57.0 before v2.57.5, from v2.58.0 before v2.58.5, from v2.59.0 before v2.59.3, from v2.60.0 before v2.60.2, from v2.61.0 before v2.61.1, from v2.62.0 before v2.62.1.

• CVE-2024-47060, GHSA-jj94-6f5c-65r8
• Affects: github.com/zitadel/zitadel
• Published: Sep 26, 2024
• Unreviewed

ZITADEL Allows Unauthorized Access After Organization or Project Deactivation in github.com/zitadel/zitadel. NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions. (If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.) The additional affected modules and versions are: github.com/zitadel/zitadel before v2.54.10, from v2.55.0 before v2.55.8, from v2.56.0 before v2.56.6, from v2.57.0 before v2.57.5, from v2.58.0 before v2.58.5, from v2.59.0 before v2.59.3, from v2.60.0 before v2.60.2, from v2.61.0 before v2.61.1, from v2.62.0 before v2.62.1.

• CVE-2024-46999, GHSA-2w5j-qfvw-2hf5
• Affects: github.com/zitadel/zitadel
• Published: Sep 26, 2024
• Unreviewed

ZITADEL's User Grant Deactivation not Working in github.com/zitadel/zitadel. NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions. (If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.) The additional affected modules and versions are: github.com/zitadel/zitadel before v2.54.10, from v2.55.0 before v2.55.8, from v2.56.0 before v2.56.6, from v2.57.0 before v2.57.5, from v2.58.0 before v2.58.5, from v2.59.0 before v2.59.3, from v2.60.0 before v2.60.2, from v2.61.0 before v2.61.1, from v2.62.0 before v2.62.1.

• CVE-2023-27584, GHSA-hpc8-7wpm-889w
• Affects: d7y.io/dragonfly/v2
• Published: Sep 26, 2024
• Unreviewed

Dragonfly2 has hard coded cyptographic key in d7y.io/dragonfly

• CVE-2024-45410, GHSA-62c8-mh53-4cqv
• Affects: github.com/traefik/traefik, github.com/traefik/traefik/v2, and 1 more
• Published: Sep 26, 2024
• Unreviewed

HTTP client can manipulate custom HTTP headers that are added by Traefik in github.com/traefik/traefik

• CVE-2023-30464, GHSA-h92q-fgpp-qhrq
• Affects: github.com/coredns/coredns
• Published: Sep 25, 2024
• Modified: Sep 26, 2024

CoreDNS enables attackers to achieve DNS cache poisoning and inject fake responses via a birthday attack.

• CVE-2023-47105, GHSA-723h-x37g-f8qm
• Affects: github.com/chaosblade-io/chaosblade
• Published: Sep 25, 2024
• Unreviewed

Chaosblade vulnerable to OS command execution in github.com/chaosblade-io/chaosblade

• CVE-2024-46989, GHSA-jhg6-6qrx-38mr
• Affects: github.com/authzed/spicedb
• Published: Sep 25, 2024
• Unreviewed

SpiceDB having multiple caveats on resources of the same type may improperly result in no permission in github.com/authzed/spicedb

• CVE-2023-28452, GHSA-hfmw-7g3m-gj6q
• Affects: github.com/coredns/coredns
• Published: Sep 25, 2024
• Unreviewed

CoreDNS vulnerable to TuDoor Attacks in github.com/coredns/coredns

• CVE-2024-7387, GHSA-qqv8-ph7f-h3f7
• Affects: github.com/openshift/builder
• Published: Sep 18, 2024
• Unreviewed

OpenShift Builder has a path traversal, allows command injection in privileged BuildContainer in github.com/openshift/builder

• CVE-2024-45496, GHSA-j8gh-87rx-c7w9
• Affects: github.com/openshift/openshift-controller-manager
• Published: Sep 18, 2024
• Unreviewed

OpenShift Controller Manager Improper Privilege Management in github.com/openshift/openshift-controller-manager. NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions. (If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.) The additional affected modules and versions are: github.com/openshift/openshift-controller-manager before v0.0.0-alpha.0.0.20240911.

• CVE-2024-45041, GHSA-qwgc-rr35-h4x9
• Affects: github.com/external-secrets/external-secrets
• Published: Sep 13, 2024
• Unreviewed

External Secrets Operator vulnerable to privilege escalation in github.com/external-secrets/external-secrets

• CVE-2024-8572, GHSA-pv7h-hg6m-82j8
• Affects: github.com/gouniverse/cms
• Published: Sep 13, 2024
• Unreviewed

Gouniverse GoLang CMS vulnerable to Cross-site Scripting in github.com/gouniverse/cms

• CVE-2023-46565, GHSA-6rqv-5cg7-m4x3
• Affects: github.com/osrg/gobgp/v3
• Published: Sep 17, 2024

Buffer Overflow vulnerability allows a remote attacker to cause a denial of service via an fsm error handling function.

• CVE-2024-45040, GHSA-9xcg-3q8v-7fq6
• Affects: github.com/consensys/gnark
• Published: Sep 13, 2024

Commitments to private witnesses in Groth16 as implemented break zero-knowledge property in github.com/consensys/gnark

• GHSA-7q74-g774-7x3g
• Affects: github.com/cosmos/interchain-security, github.com/cosmos/interchain-security/v2, and 3 more
• Published: Sep 06, 2024
• Unreviewed

Interchain Security: The signers of ICS messages do not need to match the provider address in github.com/cosmos/interchain-security

• CVE-2024-45401, GHSA-fv4g-gwpj-74gr
• Affects: github.com/stripe/stripe-cli
• Published: Sep 06, 2024
• Unreviewed

Path traversal vulnerability in stripe-cli in github.com/stripe/stripe-cli

• CVE-2024-8462
• Affects: github.com/windmill-labs/windmill
• Published: Sep 06, 2024
• Unreviewed

Windmill HTTP Request users.rs excessive authentication in github.com/windmill-labs/windmill

• CVE-2024-45395, GHSA-cq38-jh5f-37mq
• Affects: github.com/sigstore/sigstore-go
• Published: Sep 06, 2024
• Unreviewed

sigstore-go has an unbounded loop over untrusted input can lead to endless data attack in github.com/sigstore/sigstore-go

• CVE-2024-43405, GHSA-7h5p-mmpp-hgmm
• Affects: github.com/projectdiscovery/nuclei, github.com/projectdiscovery/nuclei/v2, and 1 more
• Published: Sep 06, 2024
• Unreviewed

Nuclei Template Signature Verification Bypass in github.com/projectdiscovery/nuclei

• CVE-2024-8365, GHSA-jjxf-26c9-77gm
• Affects: github.com/hashicorp/vault
• Published: Sep 06, 2024
• Unreviewed

Vault Leaks Client Token and Token Accessor in Audit Devices in github.com/hashicorp/vault

• GHSA-g5xx-c4hv-9ccc
• Affects: github.com/cometbft/cometbft
• Published: Sep 13, 2024

CometBFT's state syncing validator from malicious node may lead to a chain split github.com/cometbft/cometbft

• CVE-2024-45310, GHSA-jfvp-7x6p-h2pv
• Affects: github.com/opencontainers/runc
• Published: Sep 06, 2024
• Unreviewed

runc can be confused to create empty files/directories on the host in github.com/opencontainers/runc

• CVE-2024-45388, GHSA-6xx4-x46f-f897
• Affects: github.com/SpectoLabs/hoverfly
• Published: Sep 06, 2024
• Unreviewed

Hoverfly allows an arbitrary file read in the `/api/v2/simulation` endpoint (`GHSL-2023-274`) in github.com/SpectoLabs/hoverfly

• CVE-2024-34158
• Affects: go/build/constraint
• Published: Sep 06, 2024

Calling Parse on a "// +build" build tag line with deeply nested expressions can cause a panic due to stack exhaustion.

• CVE-2024-34156
• Affects: encoding/gob
• Published: Sep 06, 2024

Calling Decoder.Decode on a message which contains deeply nested structures can cause a panic due to stack exhaustion. This is a follow-up to CVE-2022-30635.

• CVE-2024-34155
• Affects: go/parser
• Published: Sep 06, 2024

Calling any of the Parse functions on Go source code which contains deeply nested literals can cause a panic due to stack exhaustion.

• CVE-2024-45436, GHSA-846m-99qv-67mg
• Affects: github.com/ollama/ollama
• Published: Aug 30, 2024
• Unreviewed

Ollama can extract members of a ZIP archive outside of the parent directory in github.com/ollama/ollama

• CVE-2024-45054, GHSA-mgwr-h7mv-fh29
• Affects: github.com/hwameistor/hwameistor
• Published: Aug 30, 2024
• Unreviewed

Hwameistor Potential Permission Leakage of Cluster Level in github.com/hwameistor/hwameistor

• CVE-2024-45043, GHSA-prf6-xjxh-p698
• Affects: github.com/open-telemetry/opentelemetry-collector-contrib/receiver/awsfirehosereceiver
• Published: Aug 30, 2024
• Unreviewed

OpenTelemetry Collector module AWS Firehose Receiver Authentication Bypass Vulnerability in github.com/open-telemetry/opentelemetry-collector-contrib/receiver/awsfirehosereceiver

• CVE-2024-43798, GHSA-38jh-8h67-m7mj
• Affects: github.com/jpillora/chisel
• Published: Aug 30, 2024
• Unreviewed

Chisel's AUTH environment variable not respected in server entrypoint in github.com/jpillora/chisel

• CVE-2024-45244, GHSA-48gg-32q2-4r6m
• Affects: github.com/hyperledger/fabric
• Published: Aug 30, 2024
• Unreviewed

Hyperledger Fabric does not verify request has a timestamp within the expected time window in github.com/hyperledger/fabric

• CVE-2024-45258, GHSA-cj55-gc7m-wvcq
• Affects: github.com/imroc/req, github.com/imroc/req/v2, and 1 more
• Published: Sep 13, 2024

The req library is a widely used HTTP library in Go. However, it does not handle malformed URLs effectively. As a result, after parsing a malformed URL, the library may send HTTP requests to unexpected destinations, potentially leading to security vulnerabilities or unintended behavior in applications relying on this library for handling HTTP requests. Despite developers potentially utilizing the net/url library to parse malformed URLs and implement blocklists to prevent HTTP requests to listed URLs, inconsistencies exist between how the net/url and req libraries parse URLs. These discrepancies can lead to the failure of defensive strategies, resulting in potential security threats such as Server-Side Request Forgery (SSRF) and Remote Code Execution (RCE).

• CVE-2024-40886, GHSA-hrf9-rm95-fpf3
• Affects: github.com/mattermost/mattermost-server, github.com/mattermost/mattermost-server/v5, and 2 more
• Published: Aug 30, 2024
• Unreviewed

Mattermost Cross-Site Request Forgery vulnerability in github.com/mattermost/mattermost-server

• CVE-2024-39836, GHSA-c6vp-jjgv-38wj
• Affects: github.com/mattermost/mattermost-server, github.com/mattermost/mattermost-server/v5, and 2 more
• Published: Aug 30, 2024
• Unreviewed

Mattermost allows remote/synthetic users to create sessions, reset passwords in github.com/mattermost/mattermost-server

• CVE-2024-43105, GHSA-869f-px86-vj84
• Affects: github.com/mattermost/mattermost-plugin-channel-export
• Published: Aug 30, 2024
• Unreviewed

Mattermost Plugin Channel Export excessive resource consumption in github.com/mattermost/mattermost-plugin-channel-export

• CVE-2024-8071, GHSA-5263-pm2h-m7hw
• Affects: github.com/mattermost/mattermost-server, github.com/mattermost/mattermost-server/v5, and 2 more
• Published: Aug 30, 2024
• Unreviewed

Mattermost doesn't restrict which roles can promote a user as system admin in github.com/mattermost/mattermost-server

• CVE-2024-32939, GHSA-4ww8-fprq-cq34
• Affects: github.com/mattermost/mattermost-server, github.com/mattermost/mattermost-server/v5, and 2 more
• Published: Aug 30, 2024
• Unreviewed

Mattermost doesn't redact remote users' original email addresses in github.com/mattermost/mattermost-server

• CVE-2024-39777, GHSA-q22q-2rrf-m27p
• Affects: github.com/mattermost/mattermost-server, github.com/mattermost/mattermost-server/v5, and 2 more
• Published: Aug 30, 2024
• Unreviewed

Mattermost allows unsolicited invites to expose access to local channels in github.com/mattermost/mattermost-server

• CVE-2024-42497, GHSA-fxq9-6946-34q7
• Affects: github.com/mattermost/mattermost-server, github.com/mattermost/mattermost-server/v5, and 2 more
• Published: Aug 30, 2024
• Unreviewed

Mattermost allows user with systems manager role with read-only access to teams to perform write operations on teams in github.com/mattermost/mattermost-server

• CVE-2024-40884, GHSA-3j95-8g47-fpwh
• Affects: github.com/mattermost/mattermost-server, github.com/mattermost/mattermost-server/v5, and 2 more
• Published: Aug 30, 2024
• Unreviewed

Mattermost allows team admin user without "Add Team Members" permission to disable invite URL in github.com/mattermost/mattermost-server

• CVE-2024-43780, GHSA-2jhx-w3vc-w59g
• Affects: github.com/mattermost/mattermost-server, github.com/mattermost/mattermost-server/v5, and 2 more
• Published: Aug 30, 2024
• Unreviewed

Mattermost allows guest user with read access to upload files to a channel in github.com/mattermost/mattermost-server

• CVE-2024-41659, GHSA-p4fx-qf2h-jpmj
• Affects: github.com/usememos/memos
• Published: Aug 30, 2024
• Unreviewed

memos CORS Misconfiguration in server.go (GHSL-2024-034) in github.com/usememos/memos

• CVE-2024-41657, GHSA-mchx-7j67-8mcf
• Affects: github.com/casdoor/casdoor
• Published: Aug 30, 2024
• Unreviewed

Casdoor CORS misconfiguration (GHSL-2024-035) in github.com/casdoor/casdoor

• CVE-2024-41658, GHSA-gv2p-4mvg-g32h
• Affects: github.com/casdoor/casdoor
• Published: Aug 30, 2024
• Unreviewed

Casdoor has reflected XSS in QrCodePage.js (GHSL-2024-036) in github.com/casdoor/casdoor

• CVE-2024-42490, GHSA-qxqc-27pr-wgc8
• Affects: goauthentik.io
• Published: Aug 30, 2024
• Unreviewed

GoAuthentik vulnerable to Insufficient Authorization for several API endpoints in goauthentik.io. NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions. (If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.) The additional affected modules and versions are: goauthentik.io before v2024.4.4, from v2024.6.0-rc1 before v2024.6.4.

• CVE-2024-6508, GHSA-4crf-28c7-v4gr
• Affects: github.com/openshift/console
• Published: Aug 30, 2024
• Unreviewed

Openshift Console insufficient entropy vulnerability in github.com/openshift/console

• GHSA-g8w7-7vgg-x7xg
• Affects: github.com/CosmWasm/wasmd
• Published: Aug 30, 2024
• Unreviewed

CWA-2024-005: Stackoverflow in wasmd in github.com/CosmWasm/wasmd

• GHSA-fpgj-cr28-fvpx
• Affects: github.com/CosmWasm/wasmd
• Published: Aug 30, 2024
• Unreviewed

CWA-2024-006: wasmd non-deterministic module_query_safe query in github.com/CosmWasm/wasmd

• CVE-2024-43403, GHSA-h27c-6xm3-mcqp
• Affects: github.com/kanisterio/kanister
• Published: Aug 22, 2024
• Unreviewed

Kanister vulnerable to cluster-level privilege escalation in github.com/kanisterio/kanister

• CVE-2024-6322, GHSA-hh8p-374f-qgr5
• Affects: github.com/grafana/grafana
• Published: Aug 22, 2024
• Unreviewed

Grafana plugin data sources vulnerable to access control bypass in github.com/grafana/grafana. NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions. (If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.) The additional affected modules and versions are: github.com/grafana/grafana from v11.1.0 before v11.1.1, from v11.1.2 before v11.1.3.

• CVE-2024-43406, GHSA-r5ph-4jxm-6j9p
• Affects: github.com/lf-edge/ekuiper
• Published: Aug 22, 2024
• Unreviewed

LF Edge eKuiper has a SQL Injection in sqlKvStore in github.com/lf-edge/ekuiper

• CVE-2024-39690, GHSA-mq69-4j5w-3qwp
• Affects: github.com/projectcapsule/capsule
• Published: Aug 22, 2024
• Unreviewed

Capsule tenant owner with "patch namespace" permission can hijack system namespaces in github.com/projectcapsule/capsule

• CVE-2024-43379, GHSA-3r74-v83p-f4f4
• Affects: github.com/trufflesecurity/trufflehog, github.com/trufflesecurity/trufflehog/v3
• Published: Aug 22, 2024
• Unreviewed

Trufflehog vulnerable to Blind SSRF in some Detectors in github.com/trufflesecurity/trufflehog

• CVE-2024-7646
• Affects: github.com/kubernetes/ingress-nginx
• Published: Aug 19, 2024
• Unreviewed

CVE-2024-7646 in github.com/kubernetes/ingress-nginx. NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions. (If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.) The additional affected modules and versions are: github.com/kubernetes/ingress-nginx before v1.11.2.

• CVE-2024-42486, GHSA-vwf8-q6fw-4wcm
• Affects: github.com/cilium/cilium
• Published: Aug 19, 2024
• Unreviewed

Cilium leaks information via incorrect ReferenceGrant update logic in Gateway API in github.com/cilium/cilium

• CVE-2024-7625, GHSA-25qx-vfw2-fw8r
• Affects: github.com/hashicorp/nomad
• Published: Aug 19, 2024
• Unreviewed

Nomad Vulnerable to Allocation Directory Escape On Non-Existing File Paths Through Archive Unpacking in github.com/hashicorp/nomad. NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions. (If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.) The additional affected modules and versions are: github.com/hashicorp/nomad from v0.6.1 before v1.6.14, from v1.7.0 before v1.7.11, from v1.8.0 before v1.8.3.

• CVE-2024-42488, GHSA-q7w8-72mr-vpgw
• Affects: github.com/cilium/cilium
• Published: Aug 16, 2024
• Unreviewed

Policy bypass for Host Firewall policy due to race condition in Cilium agent in github.com/cilium/cilium

• CVE-2024-42487, GHSA-qcm3-7879-xcww
• Affects: github.com/cilium/cilium
• Published: Aug 16, 2024
• Unreviewed

Gateway API route matching order contradicts specification in github.com/cilium/cilium

• CVE-2024-32231, GHSA-75jf-52jg-qqh4
• Affects: github.com/stashapp/stash
• Published: Aug 16, 2024
• Modified: Aug 19, 2024
• Unreviewed

SQL injection in github.com/stashapp/stash

• GHSA-83qr-9v2h-qxp4
• Affects: github.com/cosmos/gaia/v14, github.com/cosmos/gaia/v15, and 2 more
• Published: Aug 19, 2024
• Unreviewed

Missing check for the height of cryptographic equivocation evidence in github.com/cosmos/gaia

• CVE-2024-42368, GHSA-rfxf-mf63-cpqv
• Affects: github.com/open-telemetry/opentelemetry-collector-contrib/extension/bearertokenauthextension
• Published: Aug 13, 2024
• Modified: Aug 19, 2024
• Unreviewed

open-telemetry has an Observable Timing Discrepancy in github.com/open-telemetry/opentelemetry-collector-contrib/extension/bearertokenauthextension

• CVE-2024-41888, GHSA-v3x9-wrq5-868j
• Affects: github.com/apache/incubator-answer
• Published: Aug 13, 2024
• Unreviewed

Apache Answer: The link for resetting user password is not Single-Use in github.com/apache/incubator-answer

• CVE-2024-41890, GHSA-gvpv-r32v-9737
• Affects: github.com/apache/incubator-answer
• Published: Aug 13, 2024
• Unreviewed

Apache Answer: The link to reset the user's password will remain valid after sending a new link in github.com/apache/incubator-answer

• CVE-2024-42480, GHSA-6r4j-4rjc-8vw5
• Affects: github.com/clastix/kamaji
• Published: Aug 13, 2024
• Unreviewed

RBAC Roles for `etcd` created by Kamaji are not disjunct in github.com/clastix/kamaji

• CVE-2024-42473, GHSA-3f6g-m4hr-59h8
• Affects: github.com/openfga/openfga
• Published: Aug 13, 2024
• Modified: Aug 15, 2024
• Unreviewed

OpenFGA Authorization Bypass in github.com/openfga/openfga

• GHSA-m3rh-cvr5-x6q4
• Affects: github.com/CosmWasm/wasmd
• Published: Aug 13, 2024
• Unreviewed

CosmWasm wasmd has large address count in ValidateBasic in github.com/CosmWasm/wasmd

• CVE-2024-41270, GHSA-p3pf-mff8-3h47
• Affects: github.com/appleboy/gorush
• Published: Aug 19, 2024

An issue in the RunHTTPServer function in Gorush allows attackers to intercept and manipulate data due to the use of a deprecated TLS version.

• CVE-2024-41260, GHSA-9v35-4xcr-w9ph
• Affects: github.com/netbirdio/netbird
• Published: Aug 13, 2024
• Unreviewed

NetBird uses a static initialization vector (IV) in github.com/netbirdio/netbird

• CVE-2024-6886, GHSA-4h4p-553m-46qh
• Affects: code.gitea.io/gitea
• Published: Aug 06, 2024
• Unreviewed

Gitea Cross-site Scripting Vulnerability in code.gitea.io/gitea

• CVE-2024-29191, GHSA-wv8x-3w6r-6h7v
• Affects: github.com/AlexxIT/go2rtc
• Published: Aug 06, 2024
• Unreviewed

gotortc Cross-site Scripting vulnerability in github.com/AlexxIT/go2rtc

• CVE-2024-29026, GHSA-v99w-r56h-g23v
• Affects: github.com/owncast/owncast
• Published: Aug 06, 2024
• Unreviewed

Owncast Cross-Site Request Forgery vulnerability in github.com/owncast/owncast

• CVE-2024-29193, GHSA-rh4r-f7f7-r99m
• Affects: github.com/AlexxIT/go2rtc
• Published: Aug 06, 2024
• Unreviewed

gotortc Cross-site Scripting vulnerability in github.com/AlexxIT/go2rtc

• CVE-2024-29192, GHSA-qgj8-g9q4-7f2p
• Affects: github.com/AlexxIT/go2rtc
• Published: Aug 06, 2024
• Unreviewed

gotortc vulnerable to Cross-Site Request Forgery in github.com/AlexxIT/go2rtc

• CVE-2024-35182, GHSA-h7cm-jvpp-69xf
• Affects: github.com/layer5io/meshery
• Published: Aug 06, 2024
• Unreviewed

Meshery SQL Injection vulnerability in github.com/layer5io/meshery. NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions. (If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.) The additional affected modules and versions are: github.com/layer5io/meshery before v0.7.22.

• CVE-2024-35181, GHSA-9f24-jrv4-f8g5
• Affects: github.com/layer5io/meshery
• Published: Aug 06, 2024
• Unreviewed

Meshery SQL Injection vulnerability in github.com/layer5io/meshery. NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions. (If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.) The additional affected modules and versions are: github.com/layer5io/meshery before v0.7.22.

• CVE-2024-29029, GHSA-9cqm-mgv9-vv9j
• Affects: github.com/usememos/memos
• Published: Aug 06, 2024
• Unreviewed

memos vulnerable to Server-Side Request Forgery and Cross-site Scripting in github.com/usememos/memos

• CVE-2023-48703, GHSA-6h53-q94j-348w
• Affects: github.com/RobotsAndPencils/go-saml
• Published: Aug 06, 2024
• Unreviewed

RobotsAndPencils go-saml authentication bypass vulnerability in github.com/RobotsAndPencils/go-saml

• CVE-2024-29028, GHSA-6fcf-g3mp-xj2x
• Affects: github.com/usememos/memos
• Published: Aug 06, 2024
• Unreviewed

memos vulnerable to Server-Side Request Forgery in /o/get/httpmeta in github.com/usememos/memos

• CVE-2024-29030, GHSA-65fm-2jgr-j7qq
• Affects: github.com/usememos/memos
• Published: Aug 06, 2024
• Unreviewed

memos vulnerable to Server-Side Request Forgery in /api/resource in github.com/usememos/memos

• CVE-2024-29031, GHSA-652r-q29p-m25h
• Affects: github.com/layer5io/meshery
• Published: Aug 06, 2024
• Unreviewed

Meshery SQL Injection vulnerability in github.com/layer5io/meshery

• CVE-2023-26494, GHSA-5fwq-9x7j-2qpg
• Affects: go.thethings.network/lorawan-stack, go.thethings.network/lorawan-stack/v3
• Published: Aug 06, 2024
• Unreviewed

lorawan-stack Open Redirect vulnerability in go.thethings.network/lorawan-stack

• CVE-2024-3056, GHSA-rpcc-p8xm-rc6p
• Affects: github.com/containers/podman, github.com/containers/podman/v2, and 3 more
• Published: Aug 06, 2024
• Unreviewed

Podman vulnerable to memory-based denial of service in github.com/containers/podman

• GHSA-6vjm-54vp-mxhx
• Affects: github.com/juju/juju
• Published: Aug 06, 2024
• Unreviewed

Juju's unprivileged user running on charm node can leak any secret or relation data accessible to the local charm in github.com/juju/juju. NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions. (If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.) The additional affected modules and versions are: github.com/juju/juju before v2.9.50, from v3.0.0 before v3.1.9, from v3.2.0 before v3.3.6, from v3.4.0 before v3.4.5, from v3.5.0 before v3.5.3.

• CVE-2024-41820, GHSA-3wfj-3x8q-hrpg
• Affects: github.com/kubean-io/kubean
• Published: Aug 06, 2024
• Modified: Aug 19, 2024
• Unreviewed

Kubean vulnerable to cluster-level privilege escalation in github.com/kubean-io/kubean

• GHSA-qv35-3gw6-8q4j
• Affects: github.com/regclient/regclient
• Published: Aug 06, 2024
• Unreviewed

In regclient, pinned manifest digests may be ignored in github.com/regclient/regclient

• CVE-2024-37286, GHSA-f6cj-4h3g-hwq4
• Affects: github.com/elastic/apm-server
• Published: Aug 06, 2024
• Unreviewed

APM Server vulnerable to Insertion of Sensitive Information into Log File in github.com/elastic/apm-server. NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions. (If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.) The additional affected modules and versions are: github.com/elastic/apm-server before v8.14.0.

• CVE-2024-41265, GHSA-vw7g-3cc7-7rmh
• Affects: github.com/cortexproject/cortex
• Published: Aug 06, 2024
• Unreviewed

cortex establishes TLS connections with `InsecureSkipVerify` set to `true` in github.com/cortexproject/cortex

• CVE-2024-41256, GHSA-mpvx-whpp-99xj
• Affects: github.com/mickael-kerjean/filestash
• Published: Aug 06, 2024
• Unreviewed

Filestash skips TLS certificate verification process when sending out email verification codes in github.com/mickael-kerjean/filestash

• CVE-2024-36533, GHSA-5g3x-8g2v-r8x8
• Affects: volcano.sh/volcano
• Published: Aug 06, 2024
• Unreviewed

Volcano has insecure permissions in volcano.sh/volcano

• CVE-2024-41255, GHSA-4jmm-c6jw-g796
• Affects: github.com/mickael-kerjean/filestash
• Published: Aug 06, 2024
• Modified: Aug 19, 2024
• Unreviewed

Filestash configured to skip TLS certificate verification when using the FTPS protocol in github.com/mickael-kerjean/filestash

• CVE-2024-39837, GHSA-vvpg-55p7-5h8w
• Affects: github.com/mattermost/mattermost-server, github.com/mattermost/mattermost-server/v5, and 2 more
• Published: Aug 06, 2024
• Unreviewed

Mattermost did not properly restrict channel creation in github.com/mattermost/mattermost-server

• CVE-2024-41162, GHSA-jr9x-3x7m-4j75
• Affects: github.com/mattermost/mattermost-server, github.com/mattermost/mattermost-server/v5, and 2 more
• Published: Aug 06, 2024
• Unreviewed

Mattermost allows a remote actor to make an arbitrary local channel read-only in github.com/mattermost/mattermost-server

• CVE-2024-29977, GHSA-jq3g-xqpx-37x3
• Affects: github.com/mattermost/mattermost-server, github.com/mattermost/mattermost-server/v5, and 2 more
• Published: Aug 06, 2024
• Unreviewed

Mattermost failed to properly validate synced reactions in github.com/mattermost/mattermost-server

• CVE-2024-41259, GHSA-hrmx-8jjv-g758
• Affects: github.com/navidrome/navidrome
• Published: Aug 06, 2024
• Unreviewed

Navidrome uses MD5 hashing algorithm in github.com/navidrome/navidrome

• CVE-2024-39274, GHSA-cmc8-222c-vqp9
• Affects: github.com/mattermost/mattermost-server, github.com/mattermost/mattermost-server/v5, and 2 more
• Published: Aug 06, 2024
• Unreviewed

Mattermost failed to properly validate that the channel that comes from the sync message is a shared channel in github.com/mattermost/mattermost-server

• CVE-2024-36536, GHSA-c9cm-5j82-m6pj
• Affects: github.com/fabedge/fabedge
• Published: Aug 06, 2024
• Unreviewed

fabedge has insecure permissions in github.com/fabedge/fabedge

• CVE-2024-41264, GHSA-67fw-w8f2-88wp
• Affects: github.com/casdoor/casdoor
• Published: Aug 06, 2024
• Unreviewed

casdoor's use of`ssh.InsecureIgnoreHostKey()` disables host key verification in github.com/casdoor/casdoor

• CVE-2024-36492, GHSA-56mc-f9w7-2wxq
• Affects: github.com/mattermost/mattermost-server, github.com/mattermost/mattermost-server/v5, and 2 more
• Published: Aug 06, 2024
• Unreviewed

Mattermost failed to disallow the modification of local users when syncing users in shared channels in github.com/mattermost/mattermost-server

• CVE-2024-39839, GHSA-vg6q-84p8-qvqh
• Affects: github.com/mattermost/mattermost-server, github.com/mattermost/mattermost-server/v5, and 2 more
• Published: Aug 06, 2024
• Unreviewed

Mattermost allows a user on a remote to set their remote username prop to an arbitrary string in github.com/mattermost/mattermost-server

• CVE-2024-41144, GHSA-vg67-chm7-8m3j
• Affects: github.com/mattermost/mattermost-server, github.com/mattermost/mattermost-server/v5, and 2 more
• Published: Aug 06, 2024
• Unreviewed

Mattermost allows remote actor to create/update/delete posts in arbitrary channels in github.com/mattermost/mattermost-server

• CVE-2024-41926, GHSA-9fpw-c9x7-cv3j
• Affects: github.com/mattermost/mattermost-server, github.com/mattermost/mattermost-server/v5, and 2 more
• Published: Aug 06, 2024
• Unreviewed

Mattermost allows remote actor to set arbitrary RemoteId values for synced users in github.com/mattermost/mattermost-server

• CVE-2024-39832, GHSA-762m-4cx6-6mf4
• Affects: github.com/mattermost/mattermost-server, github.com/mattermost/mattermost-server/v5, and 2 more
• Published: Aug 06, 2024
• Unreviewed

Mattermost allows a remote actor to permanently delete local data by abusing dangerous error handling in github.com/mattermost/mattermost-server

• CVE-2024-41956, GHSA-m445-w3xr-vp2f
• Affects: github.com/charmbracelet/soft-serve
• Published: Aug 06, 2024
• Unreviewed

soft-serve vulnerable to arbitrary code execution by crafting git-lfs requests in github.com/charmbracelet/soft-serve

• CVE-2024-40464, GHSA-r6qh-j42j-pw64
• Affects: github.com/beego/beego/v2
• Published: Aug 19, 2024

Beego privilege escalation vulnerability via sendMail in github.com/beego/beego/v2

• CVE-2024-41953, GHSA-v333-7h2p-5fhv
• Affects: github.com/zitadel/zitadel
• Published: Aug 06, 2024
• Unreviewed

ZITADEL has improper HTML sanitization in emails and Console UI in github.com/zitadel/zitadel. NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions. (If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.) The additional affected modules and versions are: github.com/zitadel/zitadel from v2.52.0 before v2.52.3, from v2.53.0 before v2.53.9, from v2.54.0 before v2.54.8, from v2.55.0 before v2.55.5, from v2.56.0 before v2.56.2, from v2.57.0 before v2.57.1, from v2.58.0 before v2.58.1.

• CVE-2024-41952, GHSA-567v-6hmg-6qg7
• Affects: github.com/zitadel/zitadel
• Published: Aug 06, 2024
• Unreviewed

ZITADEL "ignoring unknown usernames" vulnerability in github.com/zitadel/zitadel. NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions. (If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.) The additional affected modules and versions are: github.com/zitadel/zitadel from v2.53.0 before v2.53.9, from v2.54.0 before v2.54.8, from v2.55.0 before v2.55.5, from v2.56.0 before v2.56.2, from v2.57.0 before v2.57.1, from v2.58.0 before v2.58.1.

• CVE-2024-22278, GHSA-hw28-333w-qxp3
• Affects: github.com/goharbor/harbor
• Published: Aug 06, 2024
• Unreviewed

Harbor fails to validate the user permissions when updating project configurations in github.com/goharbor/harbor

• Affects: github.com/PromonLogicalis/asn1
• Published: Jul 31, 2024

Version 7bdca06d0edf of the github.com/PromonLogicalis/asn1 module contains malicious code which downloads a program from a remote web server and executes it.

• GHSA-wm25-j4gw-6vr3
• Affects: github.com/prest/prest
• Published: Aug 06, 2024
• Unreviewed

pREST vulnerable to jwt bypass + sql injection in github.com/prest/prest

• CVE-2024-6984
• Affects: github.com/juju/juju
• Published: Aug 06, 2024
• Unreviewed

CVE-2024-6984 in github.com/juju/juju. NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions. (If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.) The additional affected modules and versions are: github.com/juju/juju from v2.9.0 before v2.9.50, from v3.1.0 before v3.1.9, from v3.3.0 before v3.3.5, from v3.4.0 before v3.4.5, from v3.5.0 before v3.5.3.

• CVE-2024-29069, GHSA-69p6-gp5x-j269
• Affects: github.com/snapcore/snapd
• Published: Aug 06, 2024
• Unreviewed

snapd failed to properly check the destination of symbolic links when extracting a snap in github.com/snapcore/snapd. NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions. (If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.) The additional affected modules and versions are: github.com/snapcore/snapd before v2.62.0.

• CVE-2024-29068, GHSA-64jh-cjwc-w8q6
• Affects: github.com/snapcore/snapd
• Published: Aug 06, 2024
• Unreviewed

snapd failed to properly check the file type when extracting a snap in github.com/snapcore/snapd. NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions. (If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.) The additional affected modules and versions are: github.com/snapcore/snapd before v2.62.0.

• CVE-2024-1724, GHSA-4mh8-9689-38vr
• Affects: github.com/snapcore/snapd
• Published: Aug 06, 2024
• Unreviewed

snapd failed to restrict writes to the $HOME/bin path in github.com/snapcore/snapd. NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions. (If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.) The additional affected modules and versions are: github.com/snapcore/snapd before v2.62.0.

• CVE-2024-41666, GHSA-v8wx-v5jq-qhhw
• Affects: github.com/argoproj/argo-cd, github.com/argoproj/argo-cd/v2
• Published: Aug 06, 2024
• Unreviewed

The Argo CD web terminal session does not handle the revocation of user permissions properly in github.com/argoproj/argo-cd

• CVE-2024-41110
• Affects: github.com/moby/moby, github.com/docker/docker
• Published: Jul 29, 2024

Moby authz zero length regression in github.com/moby/moby

• CVE-2024-40634, GHSA-jmvp-698c-4x3w
• Affects: github.com/argoproj/argo-cd, github.com/argoproj/argo-cd/v2
• Published: Aug 06, 2024
• Unreviewed

Argo CD Unauthenticated Denial of Service (DoS) Vulnerability via /api/webhook Endpoint in github.com/argoproj/argo-cd

• CVE-2024-41121, GHSA-xw35-rrcp-g7xm
• Affects: go.woodpecker-ci.org/woodpecker, go.woodpecker-ci.org/woodpecker/v2
• Published: Aug 06, 2024
• Unreviewed

Woodpecker's custom workspace allow to overwrite plugin entrypoint executable in go.woodpecker-ci.org/woodpecker

• CVE-2024-41122, GHSA-3wf2-2pq4-4rvc
• Affects: go.woodpecker-ci.org/woodpecker, go.woodpecker-ci.org/woodpecker/v2
• Published: Aug 06, 2024
• Unreviewed

Woodpecker's custom environment variables allow to alter execution flow of plugins in go.woodpecker-ci.org/woodpecker

• CVE-2024-21583
• Affects: github.com/gitpod-io/gitpod, github.com/gitpod-io/gitpod/components/server/go, and 2 more
• Published: Jul 22, 2024
• Modified: Sep 06, 2024
• Unreviewed

CVE-2024-21583 in github.com/gitpod-io/gitpod. NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions. (If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.) The additional affected modules and versions are: github.com/gitpod-io/gitpod before v0.1.5-main-gha.27122; github.com/gitpod-io/gitpod/components/server/go before main-gha.27122; github.com/gitpod-io/gitpod/components/ws-proxy before main-gha.27122; github.com/gitpod-io/gitpod/install/installer before main-gha.27122.

• CVE-2024-21527
• Affects: github.com/gotenberg/gotenberg/v7, github.com/gotenberg/gotenberg/v8
• Published: Jul 22, 2024
• Unreviewed

CVE-2024-21527 in github.com/gotenberg/gotenberg

• CVE-2024-5321, GHSA-82m2-cv7p-4m75
• Affects: k8s.io/kubernetes
• Published: Jul 22, 2024
• Unreviewed

Kubernetes sets incorrect permissions on Windows containers logs in k8s.io/kubernetes

• CVE-2024-41111, GHSA-hc5w-gxxr-w8x8
• Affects: github.com/bishopfox/sliver
• Published: Jul 22, 2024
• Modified: Aug 19, 2024
• Unreviewed

Sliver Allows Authenticated Operator-to-Server Remote Code Execution in github.com/bishopfox/sliver. NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions. (If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.) The additional affected modules and versions are: github.com/bishopfox/sliver before v1.6.0.

• CVE-2024-39911
• Affects: github.com/1Panel-dev/1Panel
• Published: Jul 22, 2024
• Unreviewed

1Panel SQL injection in github.com/1Panel-dev/1Panel

• CVE-2024-39907, GHSA-5grx-v727-qmq6
• Affects: github.com/1Panel-dev/1Panel
• Published: Jul 22, 2024
• Unreviewed

1Panel has an SQL injection issue related to the orderBy clause in github.com/1Panel-dev/1Panel. NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions. (If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.) The additional affected modules and versions are: github.com/1Panel-dev/1Panel before v1.10.12-tls.

• CVE-2024-40641, GHSA-c3q9-c27p-cw9h
• Affects: github.com/projectdiscovery/nuclei, github.com/projectdiscovery/nuclei/v2, and 1 more
• Published: Jul 22, 2024
• Unreviewed

projectdiscovery/nuclei allows unsigned code template execution through workflows in github.com/projectdiscovery/nuclei

• CVE-2024-6535, GHSA-w799-v85j-88pg
• Affects: github.com/skupperproject/skupper
• Published: Jul 22, 2024
• Modified: Aug 19, 2024
• Unreviewed

Skupper uses a static cookie secret for the openshift oauth-proxy in github.com/skupperproject/skupper

• CVE-2024-40632
• Affects: github.com/linkerd/linkerd2
• Published: Jul 22, 2024

Linkerd potential access to the shutdown endpoint in github.com/linkerd/linkerd2

• CVE-2024-6468, GHSA-2qmw-pvf7-4mw6
• Affects: github.com/hashicorp/vault
• Published: Jul 12, 2024
• Modified: Aug 19, 2024
• Unreviewed

Hashicorp Vault vulnerable to Improper Check or Handling of Exceptional Conditions in github.com/hashicorp/vault. NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions. (If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.) The additional affected modules and versions are: github.com/hashicorp/vault before v1.15.12.

• CVE-2024-39909, GHSA-5248-h45p-9pgw
• Affects: github.com/openclarity/kubeclarity/backend
• Published: Jul 12, 2024
• Modified: Aug 19, 2024
• Unreviewed

SQL Injection in the KubeClarity REST API in github.com/openclarity/kubeclarity/backend

• CVE-2022-29946, GHSA-2h2x-8hh2-mfq8
• Affects: github.com/nats-io/nats-server, github.com/nats-io/nats-server/v2, and 1 more
• Published: Jul 12, 2024
• Unreviewed

NATS Server and Streaming Server fails to enforce negative user permissions, may allow denied subjects in github.com/nats-io/nats-server

• CVE-2024-39897, GHSA-55r9-5mx9-qq7r
• Affects: zotregistry.dev/zot, zotregistry.io/zot
• Published: Jul 10, 2024
• Modified: Sep 06, 2024
• Unreviewed

Cache driver GetBlob() allows read access to any blob without access control check in zotregistry.dev/zot. NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions. (If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.) The additional affected modules and versions are: zotregistry.dev/zot before v2.1.0; zotregistry.io/zot before v2.1.0.

• GHSA-xr7q-jx4m-x55m
• Affects: google.golang.org/grpc
• Published: Jul 09, 2024

If applications print or log a context containing gRPC metadata, the output will contain all the metadata, which may include private information. This represents a potential PII concern.

• CVE-2024-6284, GHSA-qjvf-8748-9w7h
• Affects: github.com/google/nftables
• Published: Jul 09, 2024

IP addresses were encoded in the wrong byte order, resulting in an nftables configuration which did not work as intended (might block or not block the desired addresses).

• CVE-2024-39696, GHSA-q6hg-6m9x-5g9c
• Affects: github.com/evmos/evmos, github.com/evmos/evmos/v2, and 17 more
• Published: Jul 09, 2024
• Modified: Jul 29, 2024
• Unreviewed

Evmos vulnerable to exploit of smart contract account and vesting in github.com/evmos/evmos

• CVE-2024-39321, GHSA-gxrv-wf35-62w9
• Affects: github.com/traefik/traefik, github.com/traefik/traefik/v2, and 1 more
• Published: Jul 09, 2024
• Unreviewed

Bypassing IP allow-lists in traefik via HTTP/3 early data requests in QUIC 0-RTT handshakes in github.com/traefik/traefik

• CVE-2024-39933, GHSA-8mm6-wmpp-mmm3
• Affects: github.com/gogs/gogs
• Published: Jul 09, 2024
• Modified: Aug 19, 2024
• Unreviewed

Gogs allows argument injection during the tagging of a new release in github.com/gogs/gogs

• CVE-2024-39932, GHSA-hf29-9hfh-w63j
• Affects: github.com/gogs/gogs
• Published: Jul 09, 2024
• Unreviewed

Gogs allows argument injection during the previewing of changes in github.com/gogs/gogs

• CVE-2024-39931, GHSA-2vgj-3pvg-xh4w
• Affects: github.com/gogs/gogs
• Published: Jul 09, 2024
• Unreviewed

Gogs allows deletion of internal files in github.com/gogs/gogs

• CVE-2024-39930, GHSA-p69r-v3h4-rj4f
• Affects: github.com/gogs/gogs
• Published: Jul 09, 2024
• Modified: Jul 29, 2024
• Unreviewed

github.com/gogs/gogs affected by CVE-2024-39930

• CVE-2024-39683, GHSA-cvw9-c57h-3397
• Affects: github.com/zitadel/zitadel
• Published: Jul 09, 2024
• Unreviewed

ZITADEL Vulnerable to Session Information Leakage in github.com/zitadel/zitadel. NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions. (If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.) The additional affected modules and versions are: github.com/zitadel/zitadel from v2.0.0 before v2.53.8, from v2.54.0 before v2.54.5, from v2.55.0 before v2.55.1.

• CVE-2024-39315, GHSA-rrqr-7w59-637v
• Affects: github.com/pomerium/pomerium
• Published: Jul 03, 2024
• Modified: Jul 29, 2024
• Unreviewed

Pomerium exposed OAuth2 access and ID tokens in user info endpoint response in github.com/pomerium/pomerium

• CVE-2024-24791
• Affects: net/http
• Published: Jul 02, 2024

The net/http HTTP/1.1 client mishandled the case where a server responds to a request with an "Expect: 100-continue" header with a non-informational (200 or higher) status. This mishandling could leave a client connection in an invalid state, where the next request sent on the connection will fail. An attacker sending a request to a net/http/httputil.ReverseProxy proxy can exploit this mishandling to cause a denial of service by sending "Expect: 100-continue" requests which elicit a non-informational response from the backend. Each such request leaves the proxy with an invalid connection, and causes one subsequent request using that connection to fail.

• CVE-2023-24531
• Affects: cmd/go
• Published: Jul 02, 2024

Command go env is documented as outputting a shell script containing the Go environment. However, go env doesn't sanitize values, so executing its output as a shell script can cause various bad bahaviors, including executing arbitrary commands or inserting new environment variables. This issue is relatively minor because, in general, if an attacker can set arbitrary environment variables on a system, they have better attack vectors than making "go env" print them out.

• CVE-2022-30636
• Affects: golang.org/x/crypto
• Published: Jul 02, 2024

httpTokenCacheKey uses path.Base to extract the expected HTTP-01 token value to lookup in the DirCache implementation. On Windows, path.Base acts differently to filepath.Base, since Windows uses a different path separator (\ vs. /), allowing a user to provide a relative path, i.e. .well-known/acme-challenge/..\..\asd becomes ..\..\asd. The extracted path is then suffixed with +http-01, joined with the cache directory, and opened. Since the controlled path is suffixed with +http-01 before opening, the impact of this is significantly limited, since it only allows reading arbitrary files on the system if and only if they have this suffix.

• CVE-2024-38513, GHSA-98j2-3j3p-fw2v
• Affects: github.com/gofiber/fiber, github.com/gofiber/fiber/v2
• Published: Jul 02, 2024

Session Middleware Token Injection Vulnerability in github.com/gofiber/fiber

• CVE-2024-37298, GHSA-3669-72x9-r9p3
• Affects: github.com/gorilla/schema
• Published: Jul 02, 2024

Potential memory exhaustion attack due to sparse slice deserialization in github.com/gorilla/schema

• CVE-2019-25211, GHSA-869c-j7wc-8jqv
• Affects: github.com/gin-contrib/cors
• Published: Jul 02, 2024

Gin-Gonic CORS middleware mishandles a wildcard at the end of an origin string. Examples: https://example.community/* is accepted by the origin string https://example.com/* and https://localhost.example.com/* is accepted by the origin string https://localhost/* .

• GHSA-hg58-rf2h-6rr7
• Affects: github.com/cometbft/cometbft
• Published: Jul 02, 2024

A malicious peer can cause a syncing node to panic during blocksync. The syncing node may enter into a catastrophic invalid syncing state or get stuck in blocksync mode, never switching to consensus. Nodes that are vulnerable to this state may experience a Denial of Service condition in which syncing will not work as expected when joining a network as a client.

• CVE-2024-6257, GHSA-xfhp-jf8p-mh5w
• Affects: github.com/hashicorp/go-getter
• Published: Jun 28, 2024

A crafted request can execute Git update on an existing maliciously modified Git Configuration. This can potentially lead to arbitrary code execution. When performing a Git operation, the library will try to clone the given repository to a specified destination. Cloning initializes a git config in the provided destination. An attacker may alter the Git config after the cloning step to set an arbitrary Git configuration to achieve code execution.

• CVE-2024-6104, GHSA-v6v8-xj6m-xwqh
• Affects: github.com/hashicorp/go-retryablehttp
• Published: Jun 25, 2024

URLs were not sanitized when writing them to log files. This could lead to writing sensitive HTTP basic auth credentials to the log file.

• CVE-2024-38359, GHSA-9gxx-58q6-42p7
• Affects: github.com/lightningnetwork/lnd
• Published: Jul 01, 2024
• Unreviewed

Lightning Network Daemon (LND)'s onion processing logic leads to a denial of service in github.com/lightningnetwork/lnd

• GHSA-rvj4-q8q5-8grf
• Affects: github.com/traefik/traefik, github.com/traefik/traefik/v2, and 1 more
• Published: Jun 28, 2024
• Unreviewed

ACME DNS: Azure Identity Libraries Elevation of Privilege Vulnerability in github.com/traefik/traefik

• CVE-2024-37897, GHSA-hw5f-6wvv-xcrh
• Affects: github.com/drakkan/sftpgo, github.com/drakkan/sftpgo/v2
• Published: Jun 28, 2024
• Unreviewed

SFTPGo has insufficient access control for password reset in github.com/drakkan/sftpgo

• CVE-2024-38361, GHSA-grjv-gjgr-66g2
• Affects: github.com/authzed/spicedb
• Published: Jun 28, 2024
• Unreviewed

SpiceDB exclusions can result in no permission returned when permission expected in github.com/authzed/spicedb

• CVE-2024-5182, GHSA-cpcx-r2gq-x893
• Affects: github.com/go-skynet/LocalAI
• Published: Jun 28, 2024
• Modified: Jul 09, 2024
• Unreviewed

LocalAI path traversal vulnerability in github.com/go-skynet/LocalAI. NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions. (If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.) The additional affected modules and versions are: github.com/go-skynet/LocalAI before v2.16.0.

• CVE-2024-24792, GHSA-9phm-fm57-rhg8
• Affects: golang.org/x/image
• Published: Jun 25, 2024
• Modified: Jun 26, 2024

Parsing a corrupt or malicious image with invalid color indices can cause a panic.

• CVE-2024-38351, GHSA-m93w-4fxv-r35v
• Affects: github.com/pocketbase/pocketbase
• Published: Jul 01, 2024

PocketBase performs password auth and OAuth2 unverified email linking in github.com/pocketbase/pocketbase

• CVE-2024-37904, GHSA-hpcg-xjq5-g666
• Affects: github.com/stacklok/minder
• Published: Jun 28, 2024
• Unreviewed

Minder affected by denial of service from maliciously configured Git repository in github.com/stacklok/minder

• CVE-2024-5899
• Affects: github.com/bazelbuild/intellij
• Published: Jun 28, 2024
• Unreviewed

Improper trust check in Bazel Build intellij plugin in github.com/bazelbuild/intellij

• CVE-2024-22032, GHSA-q6c7-56cq-g2wm
• Affects: github.com/rancher/rancher
• Published: Jun 28, 2024
• Modified: Jul 09, 2024
• Unreviewed

Rancher's RKE1 Encryption Config kept in plain-text within cluster AppliedSpec in github.com/rancher/rancher. NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions. (If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.) The additional affected modules and versions are: github.com/rancher/rancher from v2.7.0 before v2.7.14, from v2.8.0 before v2.8.5.

• CVE-2023-22650, GHSA-9ghh-mmcq-8phc
• Affects: github.com/rancher/rancher
• Published: Jun 28, 2024
• Modified: Jul 09, 2024
• Unreviewed

Rancher does not automatically clean up a user deleted or disabled from the configured Authentication Provider in github.com/rancher/rancher. NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions. (If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.) The additional affected modules and versions are: github.com/rancher/rancher from v2.7.0 before v2.7.14, from v2.8.0 before v2.8.5.

• CVE-2023-32191, GHSA-6gr4-52w6-vmqx
• Affects: github.com/rancher/rke
• Published: Jul 01, 2024

When RKE provisions a cluster, it stores the cluster state in a configmap called "full-cluster-state" inside the "kube-system" namespace of the cluster itself. This cluster state object contains information used to set up the K8s cluster, which may include sensitive data.

• CVE-2023-32196, GHSA-64jq-m7rq-768h
• Affects: github.com/rancher/rancher
• Published: Jun 28, 2024
• Modified: Jul 09, 2024
• Unreviewed

Rancher's External RoleTemplates can lead to privilege escalation in github.com/rancher/rancher. NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions. (If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.) The additional affected modules and versions are: github.com/rancher/rancher from v2.7.0 before v2.7.14, from v2.8.0 before v2.8.5.

• CVE-2024-37896
• Affects: github.com/flipped-aurora/gin-vue-admin
• Published: Jun 28, 2024
• Unreviewed

SQL injection vulnerability in Gin-vue-admin in github.com/flipped-aurora/gin-vue-admin

• CVE-2024-37159
• Affects: github.com/evmos/evmos, github.com/evmos/evmos/v2, and 16 more
• Published: Jun 28, 2024
• Unreviewed

Evmos is missing create validator check in github.com/evmos/evmos

• CVE-2024-37158
• Affects: github.com/evmos/evmos, github.com/evmos/evmos/v2, and 16 more
• Published: Jun 28, 2024
• Unreviewed

Evmos is missing precompile checks in github.com/evmos/evmos

• CVE-2024-36586, GHSA-7jp9-vgmq-c8r5
• Affects: github.com/AdguardTeam/AdGuardHome
• Published: Jun 28, 2024
• Modified: Sep 06, 2024
• Unreviewed

AdGuardHome privilege escalation vulnerability in github.com/AdguardTeam/AdGuardHome. NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions. (If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.) The additional affected modules and versions are: .

• GHSA-85rg-8m6h-825p
• Affects: github.com/k8sgpt-ai/k8sgpt
• Published: Jun 20, 2024
• Unreviewed

Vulnerabilities with the k8sGPT in github.com/k8sgpt-ai/k8sgpt

• CVE-2024-37307, GHSA-wh78-7948-358j
• Affects: github.com/cilium/cilium
• Published: Jun 20, 2024
• Unreviewed

Cilium leaks sensitive information in cilium-bugtool in github.com/cilium/cilium

• CVE-2024-5798, GHSA-32cj-5wx4-gq8p
• Affects: github.com/hashicorp/vault
• Published: Jul 01, 2024
• Modified: Jul 09, 2024
• Unreviewed

HashiCorp Vault Incorrectly Validated JSON Web Tokens (JWT) Audience Claims in github.com/hashicorp/vault. NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions. (If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.) The additional affected modules and versions are: github.com/hashicorp/vault before v1.15.9.

• CVE-2023-49559, GHSA-2hmf-46v7-v6fx
• Affects: github.com/vektah/gqlparser, github.com/vektah/gqlparser/v2
• Published: Jul 01, 2024

An issue in vektah gqlparser open-source-library allows a remote attacker to cause a denial of service via a crafted script to the parseDirectives function.

• CVE-2024-5154, GHSA-j9hf-98c3-wrm8
• Affects: github.com/cri-o/cri-o
• Published: Jun 14, 2024
• Modified: Aug 19, 2024
• Unreviewed

malicious container creates symlink "mtab" on the host External in github.com/cri-o/cri-o

• CVE-2024-35255, GHSA-m5vv-6r4h-3vj9
• Affects: github.com/Azure/azure-sdk-for-go/sdk/azidentity
• Published: Jul 01, 2024

Azure Identity Libraries Elevation of Privilege Vulnerability in github.com/Azure/azure-sdk-for-go/sdk/azidentity

• GHSA-7jmw-8259-q9jx
• Affects: github.com/traefik/traefik, github.com/traefik/traefik/v2, and 1 more
• Published: Jun 14, 2024
• Unreviewed

Traefik has unexpected behavior with IPv4-mapped IPv6 addresses in github.com/traefik/traefik

• CVE-2024-22261, GHSA-vw63-824v-qf2j
• Affects: github.com/goharbor/harbor
• Published: Jun 14, 2024
• Unreviewed

SQL Injection in Harbor scan log API in github.com/goharbor/harbor

• CVE-2024-22244, GHSA-5757-v49g-f6r7
• Affects: github.com/goharbor/harbor
• Published: Jun 14, 2024
• Unreviewed

Open Redirect URL in Harbor in github.com/goharbor/harbor

• GHSA-xmmx-7jpf-fx42
• Affects: github.com/docker/docker, github.com/moby/moby
• Published: Jun 14, 2024
• Modified: Jul 01, 2024

Moby (Docker Engine) is vulnerable to Ambiguous OCI manifest parsing in github.com/docker/docker

• CVE-2021-41089, GHSA-v994-f8vw-g7j4
• Affects: github.com/docker/docker, github.com/moby/moby
• Published: Jun 14, 2024
• Modified: Jul 01, 2024

Unexpected chmod of host files via 'docker cp' in Moby Docker Engine in github.com/docker/docker

• CVE-2021-41092, GHSA-99pg-grm5-qq3v
• Affects: github.com/docker/cli
• Published: Jul 01, 2024
• Modified: Jul 19, 2024

Docker CLI leaks private registry credentials to registry-1.docker.io in github.com/docker/cli

• GHSA-87m9-rv8p-rgmg
• Affects: github.com/mostynb/go-grpc-compression
• Published: Jun 14, 2024
• Unreviewed

go-grpc-compression has a zstd decompression bombing vulnerability in github.com/mostynb/go-grpc-compression

• CVE-2024-5262, GHSA-q5mg-pc7r-r8cr
• Affects: github.com/projectdiscovery/interactsh
• Published: Jun 14, 2024
• Unreviewed

Files or Directories Accessible to External Parties in ProjectDiscovery in github.com/projectdiscovery/interactsh

• CVE-2024-5138
• Affects: github.com/snapcore/snapd
• Published: Jun 14, 2024
• Unreviewed

CVE-2024-5138 in github.com/snapcore/snapd

• CVE-2024-5037
• Affects: github.com/openshift/telemeter
• Published: Jun 28, 2024
• Modified: Aug 19, 2024
• Unreviewed

Openshift/telemeter: iss check during jwt authentication can be bypassed in github.com/openshift/telemeter

• CVE-2024-37154, GHSA-7hrh-v6wp-53vw
• Affects: github.com/evmos/evmos, github.com/evmos/evmos/v2, and 16 more
• Published: Jun 14, 2024
• Modified: Jun 28, 2024
• Unreviewed

Evmos allows unvested token delegations in github.com/evmos/evmos

• CVE-2024-37153, GHSA-xgr7-jgq3-mhmc
• Affects: github.com/evmos/evmos, github.com/evmos/evmos/v2, and 16 more
• Published: Jun 14, 2024
• Modified: Jun 28, 2024
• Unreviewed

Contract balance not updating correctly after interchain transaction in github.com/evmos/evmos

• CVE-2024-37152, GHSA-87p9-x75h-p4j2
• Affects: github.com/argoproj/argo-cd, github.com/argoproj/argo-cd/v2
• Published: Jun 14, 2024
• Modified: Jun 28, 2024
• Unreviewed

Unauthenticated Access to sensitive settings in Argo CD in github.com/argoproj/argo-cd

• CVE-2024-37032, GHSA-8hqg-whrw-pv92
• Affects: github.com/ollama/ollama
• Published: Jun 14, 2024
• Modified: Aug 19, 2024
• Unreviewed

Ollama does not validate the format of the digest (sha256 with 64 hex digits) in github.com/ollama/ollama

• CVE-2024-36129, GHSA-c74f-6mfw-mm4v
• Affects: go.opentelemetry.io/collector/config/configgrpc, go.opentelemetry.io/collector/config/confighttp
• Published: Jun 14, 2024
• Modified: Jul 19, 2024

An unsafe decompression vulnerability allows unauthenticated attackers to crash the collector via excessive memory consumption.

• CVE-2024-36127, GHSA-v6mg-7f7p-qmqp
• Affects: chainguard.dev/apko
• Published: Jun 14, 2024
• Unreviewed

apko Exposure of HTTP basic auth credentials in log output in chainguard.dev/apko

• CVE-2024-36106, GHSA-3cqf-953p-h5cp
• Affects: github.com/argoproj/argo-cd, github.com/argoproj/argo-cd/v2
• Published: Jun 28, 2024
• Unreviewed

Argo-cd authenticated users can enumerate clusters by name in github.com/argoproj/argo-cd

• CVE-2024-32873, GHSA-pxv8-qhrh-jc7v
• Affects: github.com/evmos/evmos, github.com/evmos/evmos/v2, and 16 more
• Published: Jun 14, 2024
• Modified: Aug 19, 2024
• Unreviewed

evmos allows transferring unvested tokens after delegations in github.com/evmos/evmos

• CVE-2024-24789
• Affects: archive/zip
• Published: Jun 04, 2024

The archive/zip package's handling of certain types of invalid zip files differs from the behavior of most zip implementations. This misalignment could be exploited to create an zip file with contents that vary depending on the implementation reading the file. The archive/zip package now rejects files containing these errors.

• CVE-2024-24790
• Affects: net/netip
• Published: Jun 04, 2024

The various Is methods (IsPrivate, IsLoopback, etc) did not work as expected for IPv4-mapped IPv6 addresses, returning false for addresses which would return true in their traditional IPv4 forms.

• CVE-2024-36107, GHSA-95fr-cm4m-q5p9
• Affects: github.com/minio/minio
• Published: Jun 05, 2024
• Unreviewed

MinIO information disclosure vulnerability in github.com/minio/minio

• CVE-2024-35238, GHSA-8fmj-33gw-g7pw
• Affects: github.com/stacklok/minder
• Published: Jun 05, 2024
• Unreviewed

Denial of service of Minder Server from maliciously crafted GitHub attestations in github.com/stacklok/minder

• GHSA-mh55-gqvf-xfwm
• Affects: github.com/rs/cors
• Published: Jul 02, 2024
• Modified: Jul 09, 2024

Middleware causes a prohibitive amount of heap allocations when processing malicious preflight requests that include a Access-Control-Request-Headers (ACRH) header whose value contains many commas. This behavior can be abused by attackers to produce undue load on the middleware/server as an attempt to cause a denial of service.

• CVE-2024-35232, GHSA-3f65-m234-9mxr
• Affects: github.com/huandu/facebook, github.com/huandu/facebook/v2
• Published: Jun 05, 2024
• Modified: Jun 28, 2024
• Unreviewed

github.com/huandu/facebook may expose access_token in error message.

• GHSA-f7cq-5v43-8pwp
• Affects: github.com/traefik/traefik, github.com/traefik/traefik/v2, and 1 more
• Published: Jun 05, 2024
• Unreviewed

Traefik vulnerable to GO issue allowing malformed DNS message to cause infinite loop in github.com/traefik/traefik

• CVE-2024-35223, GHSA-284c-x8m7-9w5h
• Affects: github.com/dapr/dapr
• Published: May 24, 2024
• Unreviewed

Dapr API Token Exposure in github.com/dapr/dapr

• CVE-2024-31989, GHSA-9766-5277-j5hr
• Affects: github.com/argoproj/argo-cd, github.com/argoproj/argo-cd/v2
• Published: Jun 05, 2024
• Unreviewed

ArgoCD Vulnerable to Use of Risky or Missing Cryptographic Algorithms in Redis Cache in github.com/argoproj/argo-cd

• CVE-2024-34710
• Affects: github.com/requarks/wiki
• Published: Jun 05, 2024
• Unreviewed

Wiki.js Stored XSS through Client Side Template Injection in github.com/requarks/wiki

• GHSA-qjcv-rx3v-7mvj
• Affects: github.com/cosmos/ibc-go, github.com/cosmos/ibc-go/v2, and 5 more
• Published: May 23, 2024

The ibc-go module is affected by the Inter-Blockchain Communication (IBC) protocol "Huckleberry" vulnerability. The vulnerability allowed an attacker to send arbitrary transactions onto target chains and trigger arbitrary state transitions, including but not limited to, theft of funds. It was possible to exploit this vulnerability in specific situations involving relaying packets in which the source chain is also the final destination chain. Affected networks are those that allow for fee grant capabilities and use a native Relayer (e.g., Osmosis and Juno).

• GHSA-2j6r-9vv4-6gf5
• Affects: github.com/bincyber/go-sqlcrypter
• Published: Jun 05, 2024
• Unreviewed

github.com/bincyber/go-sqlcrypter vulnerable to IV collision

• CVE-2024-35194, GHSA-crgc-2583-rw27
• Affects: github.com/stacklok/minder
• Published: Jun 05, 2024
• Unreviewed

Stacklok Minder vulnerable to denial of service from maliciously crafted templates in github.com/stacklok/minder

• CVE-2024-35192, GHSA-xcq4-m2r3-cmrj
• Affects: github.com/aquasecurity/trivy
• Published: May 22, 2024

A malicious registry can cause Trivy to leak credentials for legitimate registries such as AWS Elastic Container Registry (ECR), Google Cloud Artifact/Container Registry, or Azure Container Registry (ACR) if the registry is scanned from directly using Trivy. These tokens can then be used to push/pull images from those registries to which the identity/user running Trivy has access. This vulnerability only applies when scanning container images directly from a registry. If you use Docker, containerd or other runtime to pull images locally and scan them with Trivy, you are not affected. To enforce this behavior, you can use the --image-src flag to select which sources you trust.

• CVE-2022-39324, GHSA-4724-7jwc-3fpw
• Affects: github.com/grafana/grafana
• Published: Jun 05, 2024
• Modified: Jul 09, 2024
• Unreviewed

Grafana Spoofing originalUrl of snapshots in github.com/grafana/grafana. NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions. (If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.) The additional affected modules and versions are: github.com/grafana/grafana before v8.5.16, from v9.0.0 before v9.2.8.

• CVE-2024-5042, GHSA-2rhx-qhxp-5jpw
• Affects: github.com/submariner-io/submariner-operator
• Published: Jun 05, 2024
• Modified: Aug 19, 2024
• Unreviewed

Submariner Operator sets unnecessary RBAC permissions in helm charts in github.com/submariner-io/submariner-operator

• CVE-2023-40297, GHSA-x8xm-wrjq-5g54
• Affects: github.com/stakater/Forecastle
• Published: Jun 05, 2024
• Unreviewed

Stakater Forecastle has a directory traversal vulnerability in github.com/stakater/Forecastle

• CVE-2024-35185, GHSA-fjw8-3gp8-4cvx
• Affects: github.com/stacklok/minder
• Published: May 20, 2024
• Unreviewed

Denial of service of Minder Server with attacker-controlled REST endpoint in github.com/stacklok/minder

• CVE-2024-35183, GHSA-8fg7-hp93-qhvr
• Affects: github.com/wolfi-dev/wolfictl
• Published: Jun 04, 2024
• Unreviewed

wolfictl leaks GitHub tokens to remote non-GitHub git servers in github.com/wolfi-dev/wolfictl

• CVE-2024-3744, GHSA-qjqg-4wg7-957h
• Affects: sigs.k8s.io/azurefile-csi-driver
• Published: Jun 04, 2024
• Modified: Jun 28, 2024
• Unreviewed

azure-file-csi-driver leaks service account tokens in the logs in sigs.k8s.io/azurefile-csi-driver

• GHSA-f6mm-5fc7-3g3c
• Affects: github.com/goreleaser/goreleaser
• Published: Jun 04, 2024
• Unreviewed

goreleaser shows environment by default in github.com/goreleaser/goreleaser

• CVE-2024-31216, GHSA-v554-xwgw-hc3w
• Affects: github.com/fluxcd/source-controller
• Published: Jun 04, 2024
• Unreviewed

source-controller leaks Azure Storage SAS token into logs in github.com/fluxcd/source-controller

• CVE-2022-39201, GHSA-x744-mm8v-vpgr
• Affects: github.com/grafana/grafana
• Published: Jun 10, 2024
• Modified: Jul 09, 2024
• Unreviewed

Grafana Data source and plugin proxy endpoints could leak the authentication cookie to some destination plugins in github.com/grafana/grafana. NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions. (If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.) The additional affected modules and versions are: github.com/grafana/grafana before v8.5.14, from v9.0.0 before v9.1.8.

• CVE-2022-31097, GHSA-vw7q-p2qg-4m5f
• Affects: github.com/grafana/grafana
• Published: Jun 05, 2024
• Modified: Jul 09, 2024
• Unreviewed

Grafana Stored Cross-site Scripting in Unified Alerting in github.com/grafana/grafana. NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions. (If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.) The additional affected modules and versions are: github.com/grafana/grafana from v8.0.0 before v8.3.10, from v8.4.0 before v8.4.10, from v8.5.0 before v8.5.9, from v9.0.0 before v9.0.3.

• CVE-2022-39328, GHSA-vqc4-mpj8-jxch
• Affects: github.com/grafana/grafana
• Published: Jun 05, 2024
• Modified: Jul 09, 2024
• Unreviewed

Grafana Race condition allowing privilege escalation in github.com/grafana/grafana. NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions. (If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.) The additional affected modules and versions are: github.com/grafana/grafana from v9.2.0 before v9.2.4.

• CVE-2022-31123, GHSA-rhxj-gh46-jvw8
• Affects: github.com/grafana/grafana
• Published: Jun 05, 2024
• Modified: Jul 09, 2024
• Unreviewed

Grafana Plugin signature bypass in github.com/grafana/grafana. NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions. (If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.) The additional affected modules and versions are: github.com/grafana/grafana from v7.0.0 before v8.5.14, from v9.0.0 before v9.1.8.

• CVE-2022-36062, GHSA-p978-56hq-r492
• Affects: github.com/grafana/grafana
• Published: Jun 05, 2024
• Modified: Jul 09, 2024
• Unreviewed

Grafana folders admin only permission privilege escalation in github.com/grafana/grafana. NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions. (If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.) The additional affected modules and versions are: github.com/grafana/grafana from v8.5.0 before v8.5.13, from v9.0.0 before v9.0.9, from v9.1.0 before v9.1.6.

• CVE-2024-35175, GHSA-4w53-6jvp-gg52
• Affects: github.com/tg123/sshpiper
• Published: Jun 04, 2024
• Unreviewed

sshpiper's enabling of proxy protocol without proper feature flagging allows faking source address in github.com/tg123/sshpiper

• CVE-2022-31107, GHSA-mx47-6497-3fv2
• Affects: github.com/grafana/grafana
• Published: Jun 05, 2024
• Modified: Jul 09, 2024
• Unreviewed

Grafana account takeover via OAuth vulnerability in github.com/grafana/grafana. NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions. (If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.) The additional affected modules and versions are: github.com/grafana/grafana from v5.3.0 before v8.3.10, from v8.4.0 before v8.4.10, from v8.5.0 before v8.5.9, from v9.0.0 before v9.0.3.

• CVE-2022-31130, GHSA-jv32-5578-pxjc
• Affects: github.com/grafana/grafana
• Published: Jun 05, 2024
• Modified: Jul 09, 2024
• Unreviewed

Grafana Data source and plugin proxy endpoints leaking authentication tokens to some destination plugins in github.com/grafana/grafana. NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions. (If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.) The additional affected modules and versions are: github.com/grafana/grafana from v7.0.0 before v8.5.14, from v9.0.0 before v9.1.8.

• CVE-2021-32026, GHSA-jj54-5q2m-q7pj
• Affects: github.com/nats-io/nats-server, github.com/nats-io/nats-server/v2
• Published: Jun 05, 2024
• Modified: Jun 28, 2024
• Unreviewed

NATS server TLS missing ciphersuite settings when CLI flags used in github.com/nats-io/nats-server

• CVE-2020-26312, GHSA-hf54-fq2m-p9v6
• Affects: github.com/dotmesh-io/dotmesh
• Published: Jun 05, 2024
• Unreviewed

dotmesh arbitrary file read and/or write in github.com/dotmesh-io/dotmesh

• CVE-2022-39229, GHSA-gj7m-853r-289r
• Affects: github.com/grafana/grafana
• Published: Jun 05, 2024
• Modified: Jul 09, 2024
• Unreviewed

Grafana when using email as a username can block other users from signing in in github.com/grafana/grafana. NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions. (If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.) The additional affected modules and versions are: github.com/grafana/grafana before v8.5.14, from v9.0.0 before v9.1.8.

• CVE-2022-35957, GHSA-ff5c-938w-8c9q
• Affects: github.com/grafana/grafana
• Published: Jun 05, 2024
• Modified: Jul 09, 2024
• Unreviewed

Grafana Escalation from admin to server admin when auth proxy is used in github.com/grafana/grafana. NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions. (If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.) The additional affected modules and versions are: github.com/grafana/grafana before v8.5.13, from v9.0.0 before v9.0.9, from v9.1.0 before v9.1.6.

• GHSA-c9cp-9c75-9v8c
• Affects: github.com/containerd/containerd
• Published: Jun 04, 2024
• Modified: Jul 01, 2024

Containers started with non-empty inheritable Linux process capabilities in github.com/containerd/containerd

• CVE-2022-39307, GHSA-3p62-42x7-gxg5
• Affects: github.com/grafana/grafana
• Published: Jun 05, 2024
• Modified: Jul 09, 2024
• Unreviewed

Grafana User enumeration via forget password in github.com/grafana/grafana. NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions. (If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.) The additional affected modules and versions are: github.com/grafana/grafana before v8.5.15, from v9.0.0 before v9.2.4.

• CVE-2022-39306, GHSA-2x6g-h2hg-rq84
• Affects: github.com/grafana/grafana
• Published: Jun 05, 2024
• Modified: Jul 09, 2024
• Unreviewed

Grafana Email addresses and usernames can not be trusted in github.com/grafana/grafana. NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions. (If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.) The additional affected modules and versions are: github.com/grafana/grafana from v8.0.0 before v8.5.15, from v9.0.0 before v9.2.4.

• CVE-2024-3727, GHSA-6wvf-f2vw-3425
• Affects: github.com/containers/image/v5
• Published: May 20, 2024

An attacker may trigger unexpected authenticated registry accesses on behalf of a victim user, causing resource exhaustion, local path traversal, and other attacks.

• CVE-2024-34713, GHSA-jmqp-37m5-49wh
• Affects: github.com/cea-hpc/sshproxy
• Published: Jun 04, 2024
• Unreviewed

sshproxy vulnerable to SSH option injection in github.com/cea-hpc/sshproxy

• CVE-2024-34079, GHSA-75r6-6jg8-pfcq
• Affects: github.com/octo-sts/app
• Published: May 13, 2024
• Modified: Jul 02, 2024

Excessively large requests can be processed, consuming a large amount of resources. This could potentially lead to a denial of service.

• CVE-2024-34360, GHSA-jcqq-g64v-gcm7
• Affects: github.com/spacemeshos/api/release/go, github.com/spacemeshos/go-spacemesh
• Published: May 14, 2024
• Modified: May 20, 2024

Nodes can publish ATXs which reference the incorrect previous ATX of the Smesher that created the ATX. ATXs are expected to form a single chain from the newest to the first ATX ever published by an identity. Allowing Smeshers to reference an earlier (but not the latest) ATX as previous breaks this protocol rule.

• CVE-2024-34352, GHSA-f8ch-w75v-c847
• Affects: github.com/1Panel-dev/1Panel
• Published: May 14, 2024
• Modified: May 20, 2024

A maliciously crafted packet can write to an arbitrary file.

• CVE-2024-32886, GHSA-649x-hxfx-57j2
• Affects: vitess.io/vitess
• Published: May 10, 2024
• Modified: Jul 09, 2024

When executing a query, the vtgate will go into an endless loop that also keeps consuming memory and eventually will OOM. This causes a denial of service.

• CVE-2024-24787
• Affects: cmd/go
• Published: May 08, 2024
• Modified: May 20, 2024

On Darwin, building a Go module which contains CGO can trigger arbitrary code execution when using the Apple version of ld, due to usage of the -lto_library flag in a "#cgo LDFLAGS" directive.

• CVE-2024-24788
• Affects: net
• Published: May 07, 2024
• Modified: May 20, 2024

A malformed DNS message in response to a query can cause the Lookup functions to get stuck in an infinite loop.

• CVE-2024-30850, CVE-2024-33434, and 2 more
• Affects: github.com/tiagorlampert/CHAOS
• Published: May 09, 2024
• Modified: May 20, 2024

A remote attacker can execute arbitrary commands via crafted HTTP requests.

• CVE-2024-34084, GHSA-9c5w-9q3f-3hv7
• Affects: github.com/stacklok/minder
• Published: May 10, 2024
• Modified: May 20, 2024

HandleGithubWebhook is susceptible to a denial of service attack from an untrusted HTTP request. An untrusted request can cause the server to allocate large amounts of memory resulting in a denial of service.

• CVE-2024-32972, GHSA-4xc9-8hmq-j652
• Affects: github.com/ethereum/go-ethereum
• Published: May 08, 2024
• Modified: May 20, 2024

A vulnerable node can be made to consume very large amounts of memory when handling specially crafted p2p messages sent from an attacker node. This can result in a denial of service as the node runs out of memory.

• CVE-2024-34478, GHSA-3jgf-r68h-xfqm
• Affects: github.com/btcsuite/btcd
• Published: May 08, 2024
• Modified: May 20, 2024

Incorrect implementation of the consensus rules outlined in BIP 68 and BIP 112 making btcd susceptible to consensus failures. Specifically, it uses the transaction version as a signed integer when it is supposed to be treated as unsigned. There can be a chain split and loss of funds.

• CVE-2024-33396, GHSA-wccg-v638-j9q2
• Affects: github.com/karmada-io/karmada
• Published: Jun 05, 2024
• Unreviewed

karmada vulnerable to arbitrary code execution via a crafted command in github.com/karmada-io/karmada

• CVE-2024-33394, GHSA-4q63-mr2m-57hf
• Affects: kubevirt.io/kubevirt
• Published: Jun 05, 2024
• Unreviewed

kubevirt allows a local attacker to execute arbitrary code via a crafted command in kubevirt.io/kubevirt

• CVE-2024-34068, GHSA-qq22-jj8x-4wwv
• Affects: github.com/pterodactyl/wings
• Published: Jun 10, 2024
• Modified: Aug 19, 2024
• Unreviewed

Pterodactyl Wings vulnerable to Server-Side Request Forgery during remote file pull in github.com/pterodactyl/wings

• CVE-2024-34066, GHSA-gqmf-jqgv-v8fw
• Affects: github.com/pterodactyl/wings
• Published: Jun 04, 2024
• Unreviewed

Pterodactyl Wings vulnerable to Arbitrary File Write/Read in github.com/pterodactyl/wings

• GHSA-vhxv-fg4m-p2w8
• Affects: github.com/jub0bs/cors
• Published: May 21, 2024

Some CORS middleware (more specifically those created by specifying two or more origin patterns whose hosts share a proper suffix) incorrectly allow some untrusted origins, thereby opening the door to cross-origin attacks from the untrusted origins in question. For example, specifying origin patterns "https://foo.com" and "https://bar.com" (in that order) would yield a middleware that would incorrectly allow untrusted origin "https://barfoo.com".

• GHSA-v84h-653v-4pq9
• Affects: github.com/jub0bs/fcors
• Published: May 21, 2024

Some CORS middleware (more specifically those created by specifying two or more origin patterns whose hosts share a proper suffix) incorrectly allow some untrusted origins, thereby opening the door to cross-origin attacks from the untrusted origins in question. For example, specifying origin patterns "https://foo.com" and "https://bar.com" (in that order) would yield a middleware that would incorrectly allow untrusted origin "https://barfoo.com".

• CVE-2024-33398, GHSA-6fg2-hvj9-832f
• Affects: github.com/piraeusdatastore/piraeus-operator, github.com/piraeusdatastore/piraeus-operator/v2
• Published: Jun 05, 2024
• Modified: Jun 28, 2024
• Unreviewed

piraeus-operator allows attacker to impersonate service account in github.com/piraeusdatastore/piraeus-operator

• CVE-2024-32359
• Affects: github.com/carina-io/carina
• Published: Jun 05, 2024
• Unreviewed

CVE-2024-32359 in github.com/carina-io/carina

• CVE-2024-4128
• Affects: github.com/firebase/firebase-tools
• Published: Jun 05, 2024
• Unreviewed

CSRF in firebase-tools emulator suite in github.com/firebase/firebase-tools

• CVE-2024-32967, GHSA-q5qj-x2h5-3945
• Affects: github.com/zitadel/zitadel
• Published: Jun 05, 2024
• Modified: Jul 09, 2024
• Unreviewed

Zitadel exposing internal database user name and host information in github.com/zitadel/zitadel. NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions. (If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.) The additional affected modules and versions are: github.com/zitadel/zitadel before v2.45.7, from v2.47.0 before v2.47.10, from v2.48.0 before v2.48.5, from v2.49.0 before v2.49.5, from v2.50.0 before v2.50.3.

• CVE-2024-32963, GHSA-4jrx-5w4h-3gpm
• Affects: github.com/navidrome/navidrome
• Published: Jun 04, 2024
• Unreviewed

Navidrome Parameter Tampering vulnerability in github.com/navidrome/navidrome

• CVE-2024-33522, GHSA-6362-gv4m-53ww
• Affects: github.com/projectcalico/calico, github.com/projectcalico/calico/v3
• Published: Jun 10, 2024
• Modified: Aug 19, 2024
• Unreviewed

Calico privilege escalation vulnerability in github.com/projectcalico/calico. NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions. (If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.) The additional affected modules and versions are: github.com/projectcalico/calico/v3 before v3.26.5, from v3.27.0 before v3.27.3.

• CVE-2024-3817, GHSA-q64h-39hv-4cf7
• Affects: github.com/hashicorp/go-getter
• Published: May 10, 2024
• Modified: May 20, 2024

When go-getter is performing a Git operation, go-getter will try to clone the given repository. If a Git reference is not passed along with the Git url, go-getter will then try to check the remote repository's HEAD reference of its default branch by passing arguments to the Git binary on the host it is executing on. An attacker may format a Git URL in order to inject additional Git arguments to the Git call.

• CVE-2024-32883
• Affects: github.com/mcu-tools/mcuboot
• Published: Jun 05, 2024
• Unreviewed

MCUboot Injection attack of unprotected TLV values in github.com/mcu-tools/mcuboot

• CVE-2024-4183, GHSA-wj37-mpq9-xrcm
• Affects: github.com/mattermost/mattermost-server
• Published: Jun 05, 2024
• Unreviewed

Mattermost fails to limit the number of active sessions in github.com/mattermost/mattermost-server

• CVE-2024-32046, GHSA-vx97-8q8q-qgq5
• Affects: github.com/mattermost/mattermost-server
• Published: Jun 05, 2024
• Unreviewed

Mattermost's detailed error messages reveal the full file path in github.com/mattermost/mattermost-server

• CVE-2024-22091, GHSA-p2wq-4ggp-45f3
• Affects: github.com/mattermost/mattermost-server
• Published: Jun 05, 2024
• Unreviewed

Mattermost fails to limit the size of a request path in github.com/mattermost/mattermost-server

• CVE-2024-4182, GHSA-8f99-g2pj-x8w3
• Affects: github.com/mattermost/mattermost-server
• Published: Jun 05, 2024
• Unreviewed

Mattermost crashes web clients via a malformed custom status in github.com/mattermost/mattermost-server

• CVE-2024-4198, GHSA-5qx9-9ffj-5r8f
• Affects: github.com/mattermost/mattermost-server
• Published: Jun 05, 2024
• Unreviewed

Mattermost fails to fully validate role changes in github.com/mattermost/mattermost-server

• CVE-2024-4195, GHSA-5fh7-7mw7-mmx5
• Affects: github.com/mattermost/mattermost-server
• Published: Jun 05, 2024
• Unreviewed

Mattermost allows team admins to promote guests to team admins in github.com/mattermost/mattermost-server

• CVE-2024-32476, GHSA-9m6p-x4h2-6frq
• Affects: github.com/argoproj/argo-cd, github.com/argoproj/argo-cd/v2
• Published: Jun 04, 2024
• Modified: Jun 28, 2024
• Unreviewed

Argo CD vulnerable to a Denial of Service via malicious jqPathExpressions in ignoreDifferences in github.com/argoproj/argo-cd

• CVE-2024-3154, GHSA-2cgq-h8xw-2v5j
• Affects: github.com/cri-o/cri-o
• Published: Jun 04, 2024
• Unreviewed

CRI-O vulnerable to an arbitrary systemd property injection in github.com/cri-o/cri-o

• CVE-2024-1139, GHSA-x5m7-63c6-fx79
• Affects: github.com/openshift/cluster-monitoring-operator
• Published: Jun 05, 2024
• Unreviewed

Cluster Monitoring Operator contains a credentials leak in github.com/openshift/cluster-monitoring-operator

• CVE-2024-32868, GHSA-7j7j-66cv-m239
• Affects: github.com/zitadel/zitadel
• Published: Jun 05, 2024
• Modified: Jul 09, 2024
• Unreviewed

ZITADEL's Improper Lockout Mechanism Leads to MFA Bypass in github.com/zitadel/zitadel. NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions. (If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.) The additional affected modules and versions are: github.com/zitadel/zitadel before v2.50.0.

• CVE-2024-0874, GHSA-m9w6-wp3h-vq8g
• Affects: github.com/coredns/coredns
• Published: Jun 04, 2024
• Modified: Jul 01, 2024

A flaw was found in coredns. This issue could lead to invalid cache entries returning due to incorrectly implemented caching.

• CVE-2019-11202, GHSA-xh8x-j8h3-m5ph
• Affects: github.com/rancher/rancher
• Published: Jun 10, 2024
• Modified: Aug 21, 2024
• Unreviewed

Rancher Recreates Default User With Known Password Despite Deletion in github.com/rancher/rancher

• CVE-2022-3800, GHSA-rwcf-gq22-ph83
• Affects: github.com/IBAX-io/go-ibax
• Published: Jun 05, 2024
• Unreviewed

IBAX go-ibax vulnerable to SQL injection in github.com/IBAX-io/go-ibax

• CVE-2019-11245, GHSA-r76g-g87f-vw8f
• Affects: k8s.io/kubernetes
• Published: Jun 10, 2024
• Unreviewed

Kubelet Incorrect Privilege Assignment in k8s.io/kubernetes

• CVE-2020-10937, GHSA-r23h-3jmw-q7hr
• Affects: github.com/ipfs/go-ipfs
• Published: Jun 04, 2024
• Unreviewed

Access Restriction Bypass in go-ipfs in github.com/ipfs/go-ipfs

• CVE-2021-31999, GHSA-pvxj-25m6-7vqr
• Affects: github.com/rancher/rancher
• Published: Jun 10, 2024
• Modified: Jul 09, 2024
• Unreviewed

Rancher Privilege escalation vulnerability via malicious "Connection" header in github.com/rancher/rancher. NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions. (If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.) The additional affected modules and versions are: github.com/rancher/rancher before v2.4.16, from v2.5.0 before v2.5.9.

• CVE-2022-3798, GHSA-mgqh-3qm7-gx82
• Affects: github.com/IBAX-io/go-ibax
• Published: Jun 05, 2024
• Unreviewed

IBAX go-ibax vulnerable to SQL injection in github.com/IBAX-io/go-ibax

• CVE-2021-43350, GHSA-mg2c-rc36-p594
• Affects: github.com/apache/trafficcontrol
• Published: Jun 10, 2024
• Unreviewed

Apache Traffic Control Traffic Ops Vulnerable to LDAP Injection in github.com/apache/trafficcontrol

• CVE-2022-3801, GHSA-m738-584h-26p6
• Affects: github.com/IBAX-io/go-ibax
• Published: Jun 05, 2024
• Unreviewed

IBAX go-ibax vulnerable to SQL injection in github.com/IBAX-io/go-ibax

• CVE-2021-36776, GHSA-gvh9-xgrq-r8hw
• Affects: github.com/rancher/rancher
• Published: Jun 05, 2024
• Modified: Jul 09, 2024
• Unreviewed

Rancher's Steve API Component Improper authorization check allows privilege escalation in github.com/rancher/rancher. NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions. (If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.) The additional affected modules and versions are: github.com/rancher/rancher from v2.5.0 before v2.5.10.

• CVE-2022-3802, GHSA-g23g-mw97-65c8
• Affects: github.com/IBAX-io/go-ibax
• Published: Jun 05, 2024
• Unreviewed

IBAX go-ibax vulnerable to SQL injection in github.com/IBAX-io/go-ibax

• CVE-2022-38183, GHSA-fhv8-m4j4-cww2
• Affects: code.gitea.io/gitea
• Published: Jun 10, 2024
• Modified: Aug 19, 2024
• Unreviewed

Gitea allowed assignment of private issues in code.gitea.io/gitea

• CVE-2021-25318, GHSA-f9xf-jq4j-vqw4
• Affects: github.com/rancher/rancher
• Published: Jun 10, 2024
• Modified: Jul 09, 2024
• Unreviewed

Rancher does not properly specify ApiGroup when creating Kubernetes RBAC resources in github.com/rancher/rancher. NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions. (If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.) The additional affected modules and versions are: github.com/rancher/rancher before v2.4.16, from v2.5.0 before v2.5.9.

• CVE-2020-14370, GHSA-c3wv-qmjj-45r6
• Affects: github.com/containers/libpod, github.com/containers/libpod/v2
• Published: Jun 04, 2024
• Modified: Jun 28, 2024
• Unreviewed

Information disclosure in podman in github.com/containers/libpod

• CVE-2020-1701, GHSA-849r-8wvp-4wwg
• Affects: kubevirt.io/kubevirt
• Published: Jun 04, 2024
• Unreviewed

Permissions bypass in KubeVirt in kubevirt.io/kubevirt

• CVE-2019-6287, GHSA-6r7x-4q7g-h83j
• Affects: github.com/rancher/rancher
• Published: Jun 05, 2024
• Unreviewed

Rancher Project Members Have Continued Access to Namespaces After Being Removed From Them in github.com/rancher/rancher

• CVE-2017-15103, GHSA-6g56-v9qg-jp92
• Affects: github.com/heketi/heketi
• Published: Jun 04, 2024
• Unreviewed

Heketi Arbitrary Code Execution in github.com/heketi/heketi

• CVE-2019-12303, GHSA-53pj-67m4-9w98
• Affects: github.com/rancher/rancher
• Published: Jun 05, 2024
• Unreviewed

Rancher code injection via fluentd config commands in github.com/rancher/rancher

• CVE-2019-11881, GHSA-2p4g-jrmx-r34m
• Affects: github.com/rancher/rancher
• Published: Jun 05, 2024
• Unreviewed

Rancher Login Parameter Can Be Edited in github.com/rancher/rancher

• CVE-2021-36775, GHSA-28g7-896h-695v
• Affects: github.com/rancher/rancher
• Published: Jun 05, 2024
• Modified: Jul 09, 2024
• Unreviewed

Rancher's Failure to delete orphaned role bindings does not revoke project level access from group based authentication in github.com/rancher/rancher. NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions. (If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.) The additional affected modules and versions are: github.com/rancher/rancher before v2.4.18, from v2.5.0 before v2.5.12, from v2.6.0 before v2.6.3.

• CVE-2022-3799, GHSA-fcgf-j8cf-h2rm
• Affects: github.com/IBAX-io/go-ibax
• Published: Jun 05, 2024
• Unreviewed

IBAX go-ibax vulnerable to SQL injection in github.com/IBAX-io/go-ibax

• CVE-2021-3382, GHSA-9f8c-pfvv-p4gm
• Affects: code.gitea.io/gitea
• Published: Jun 04, 2024
• Unreviewed

Buffer Overflow in gitea in code.gitea.io/gitea

• CVE-2020-14316, GHSA-828r-r2c8-rfw3
• Affects: kubevirt.io/kubevirt
• Published: Jun 04, 2024
• Unreviewed

Privilege Escalation in kubevirt in kubevirt.io/kubevirt

• CVE-2020-8563, GHSA-5xfg-wv98-264m
• Affects: k8s.io/kubernetes
• Published: Jun 05, 2024
• Unreviewed

Sensitive Information leak via Log File in Kubernetes in k8s.io/kubernetes

• CVE-2020-8566, GHSA-5x96-j797-5qqw
• Affects: k8s.io/kubernetes
• Published: Jun 04, 2024
• Unreviewed

Sensitive Information leak via Log File in Kubernetes in k8s.io/kubernetes

• CVE-2020-8557, GHSA-55qj-gj3x-jq9r
• Affects: k8s.io/kubernetes
• Published: Jun 10, 2024
• Unreviewed

Denial of service in Kubernetes in k8s.io/kubernetes

• CVE-2022-1058, GHSA-4rqq-rxvc-v2rc
• Affects: code.gitea.io/gitea
• Published: Jun 04, 2024
• Unreviewed

Gitea Open Redirect in code.gitea.io/gitea

• CVE-2020-8567, GHSA-2v35-wj4r-rcmv
• Affects: github.com/Azure/secrets-store-csi-driver-provider-azure, github.com/GoogleCloudPlatform/secrets-store-csi-driver-provider-gcp, and 1 more
• Published: Jun 05, 2024
• Modified: Sep 06, 2024
• Unreviewed

Kubernetes Secrets Store CSI Driver plugins arbitrary file write in github.com/Azure/secrets-store-csi-driver-provider-azure. NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions. (If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.) The additional affected modules and versions are: github.com/Azure/secrets-store-csi-driver-provider-azure before v0.0.10; github.com/hashicorp/vault-csi-provider before v0.0.6.

• CVE-2020-8559, GHSA-33c5-9fx5-fvjm
• Affects: k8s.io/apimachinery, k8s.io/kubernetes
• Published: May 20, 2024

The Kubernetes kube-apiserver is vulnerable to an unvalidated redirect on proxied upgrade requests that could allow an attacker to escalate privileges from a node compromise to a full cluster compromise.

• CVE-2024-32875, GHSA-ppf8-hhpp-f5hj
• Affects: github.com/gohugoio/hugo
• Published: Jun 04, 2024
• Modified: Jul 19, 2024

Hugo Markdown titles are not escaped in internal render hooks in github.com/gohugoio/hugo

• CVE-2024-3177, GHSA-pxhw-596r-rwq5
• Affects: k8s.io/kubernetes
• Published: Jun 04, 2024
• Modified: Jul 01, 2024

Kubernetes allows bypassing mountable secrets policy imposed by the ServiceAccount admission plugin in k8s.io/kubernetes

• GHSA-x883-2vmg-xwf7
• Affects: github.com/authelia/authelia/v4
• Published: Apr 26, 2024
• Modified: May 20, 2024

If the file authentication backend is being used, the ewatch option is set to true, the refresh interval is configured to a non-disabled value, and an administrator changes a user's groups, then that user may be able to access resources that their previous groups had access to.

• CVE-2024-29217, GHSA-cvqr-mwh6-2vc6
• Affects: github.com/apache/incubator-answer
• Published: Apr 26, 2024
• Modified: May 20, 2024

XSS vulnerability via personal website in github.com/apache/incubator-answer

• CVE-2024-31450, GHSA-9355-27m8-h74v
• Affects: github.com/owncast/owncast
• Published: Jun 04, 2024
• Modified: Aug 19, 2024
• Unreviewed

Owncast Path Traversal vulnerability in github.com/owncast/owncast

• CVE-2024-32473, GHSA-x84c-p2g9-rqv9
• Affects: github.com/docker/docker
• Published: Jun 05, 2024
• Unreviewed

IPv6 enabled on IPv4-only network interfaces in github.com/docker/docker

• CVE-2024-30257, GHSA-6m9h-2pr2-9j8f
• Affects: github.com/1Panel-dev/1Panel
• Published: Jun 05, 2024
• Modified: Jul 09, 2024
• Unreviewed

1Panel's password verification is suspected to have a timing attack vulnerability in github.com/1Panel-dev/1Panel. NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions. (If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.) The additional affected modules and versions are: github.com/1Panel-dev/1Panel before v1.10.3.

• GHSA-v6rw-hhgg-wc4x
• Affects: github.com/evmos/evmos, github.com/evmos/evmos/v2, and 10 more
• Published: Jun 05, 2024
• Modified: Jun 28, 2024
• Unreviewed

Evmos vulnerable to DOS and transaction fee expropriation through Authz exploit in github.com/evmos/evmos

• GHSA-m99c-q26r-m7m7
• Affects: github.com/evmos/evmos, github.com/evmos/evmos/v2, and 11 more
• Published: Jun 10, 2024
• Modified: Jun 28, 2024
• Unreviewed

Evmos vulnerable to unauthorized account creation with vesting module in github.com/evmos/evmos

• Affects: github.com/gorilla/sessions
• Published: Apr 17, 2024
• Modified: May 20, 2024
• Withdrawn: Apr 17, 2024

(withdrawn)

• CVE-2024-31452, GHSA-8cph-m685-6v6r
• Affects: github.com/openfga/openfga
• Published: Jun 04, 2024
• Unreviewed

OpenFGA Authorization Bypass in github.com/openfga/openfga

• CVE-2024-31990, GHSA-2gvw-w6fj-7m3c
• Affects: github.com/argoproj/argo-cd, github.com/argoproj/argo-cd/v2
• Published: Jun 04, 2024
• Modified: Jun 28, 2024
• Unreviewed

Argo CD's API server does not enforce project sourceNamespaces in github.com/argoproj/argo-cd

• GHSA-g8fc-vrcg-8vjg
• Affects: github.com/edgelesssys/constellation, github.com/edgelesssys/constellation/v2
• Published: Jun 04, 2024
• Modified: Jun 28, 2024
• Unreviewed

Constellation has pods exposed to peers in VPC in github.com/edgelesssys/constellation

• GHSA-7f4j-64p6-5h5v
• Affects: github.com/traefik/traefik, github.com/traefik/traefik/v2, and 1 more
• Published: Jun 05, 2024
• Modified: Jun 28, 2024
• Unreviewed

Traefik affected by HTTP/2 CONTINUATION flood in net/http in github.com/traefik/traefik

• CVE-2024-31391, GHSA-g9qx-25vj-rf53
• Affects: github.com/apache/solr-operator
• Published: Jun 04, 2024
• Unreviewed

Apache Solr Operator liveness and readiness probes may leak basic auth credentials in github.com/apache/solr-operator

• CVE-2024-28869, GHSA-4vwx-54mw-vqfw
• Affects: github.com/traefik/traefik, github.com/traefik/traefik/v2, and 1 more
• Published: Jun 05, 2024
• Unreviewed

Traefik vulnerable to denial of service with Content-length header in github.com/traefik/traefik

• CVE-2024-31839, GHSA-c5rv-hjjc-jv7m
• Affects: github.com/tiagorlampert/CHAOS
• Published: May 09, 2024
• Modified: May 20, 2024

A malicious actor may be able to extract a JWT token via malicious "/command" request. This is a form of cross site scripting (XSS).

• CVE-2024-29903, GHSA-95pr-fxf5-86gv
• Affects: github.com/sigstore/cosign, github.com/sigstore/cosign/v2
• Published: Jun 05, 2024
• Unreviewed

Cosign malicious artifacts can cause machine-wide DoS in github.com/sigstore/cosign

• CVE-2024-29902, GHSA-88jx-383q-w4qc
• Affects: github.com/sigstore/cosign, github.com/sigstore/cosign/v2
• Published: Jun 05, 2024
• Unreviewed

Cosign malicious attachments can cause system-wide denial of service in github.com/sigstore/cosign

• CVE-2024-2029, GHSA-wx43-g55g-2jf4
• Affects: github.com/go-skynet/LocalAI
• Published: Jun 05, 2024
• Modified: Jul 09, 2024
• Unreviewed

LocalAI Command Injection in audioToWav in github.com/go-skynet/LocalAI. NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions. (If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.) The additional affected modules and versions are: github.com/go-skynet/LocalAI before v2.10.0.

• CVE-2024-32001, GHSA-j85q-46hg-36p2
• Affects: github.com/authzed/spicedb
• Published: Jun 04, 2024
• Unreviewed

SpiceDB: LookupSubjects may return partial results if a specific kind of relation is used in github.com/authzed/spicedb

• CVE-2024-32644, GHSA-3fp5-2xwh-fxm6
• Affects: github.com/evmos/evmos, github.com/evmos/evmos/v2, and 20 more
• Published: Jun 05, 2024
• Modified: Jun 28, 2024
• Unreviewed

Evmos transaction execution not accounting for all state transition after interaction with precompiles in github.com/evmos/evmos

• CVE-2024-21848, GHSA-xp9j-8p68-9q93
• Affects: github.com/mattermost/mattermost-server, github.com/mattermost/mattermost-server/v5, and 2 more
• Published: Jun 05, 2024
• Modified: Jul 09, 2024
• Unreviewed

Mattermost Server Improper Access Control in github.com/mattermost/mattermost-server. NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions. (If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.) The additional affected modules and versions are: github.com/mattermost/mattermost/server/v8 before v8.1.11.

• CVE-2024-29221, GHSA-w67v-ph4x-f48q
• Affects: github.com/mattermost/mattermost-server, github.com/mattermost/mattermost-server/v5, and 2 more
• Published: Jun 05, 2024
• Modified: Jul 09, 2024
• Unreviewed

Mattermost Server Improper Access Control in github.com/mattermost/mattermost-server. NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions. (If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.) The additional affected modules and versions are: github.com/mattermost/mattermost/server/v8 from v8.1.0 before v8.1.11.

• CVE-2024-3135, GHSA-jhvf-7c85-3c9g
• Affects: github.com/go-skynet/LocalAI
• Published: Jun 05, 2024
• Unreviewed

LocalAI cross-site request forgery vulnerability in github.com/go-skynet/LocalAI

• CVE-2023-3518, GHSA-9rhf-q362-77mx
• Affects: github.com/hashicorp/consul
• Published: Jun 04, 2024
• Unreviewed

Consul JWT Auth in L7 Intentions Allow for Mismatched Service Identity and JWT Providers in github.com/hashicorp/consul

• GHSA-j5vm-7qcc-2wwg
• Affects: github.com/kopia/kopia
• Published: Jun 04, 2024
• Unreviewed

Kopia: Storage connection credentials written to console on "repository status" CLI command with JSON output in github.com/kopia/kopia

• CVE-2024-31457, GHSA-gv3w-m57p-3wc4
• Affects: github.com/flipped-aurora/gin-vue-admin/server
• Published: May 20, 2024

Gin-vue-admin has a code injection vulnerability in the backend. In the Plugin System -> Plugin Template feature, an attacker can perform directory traversal by manipulating the 'plugName' parameter. They can create specific folders such as 'api', 'config', 'global', 'model', 'router', 'service', and 'main.go' function within the specified traversal directory. Moreover, the Go files within these folders can have arbitrary code inserted based on a specific PoC parameter.

• CVE-2024-31455, GHSA-ggp5-28x4-xcj9
• Affects: github.com/stacklok/minder
• Published: Jun 04, 2024
• Unreviewed

Minder GetRepositoryByName data leak in github.com/stacklok/minder

• CVE-2024-28224, GHSA-5jx5-hqx5-2vrj
• Affects: github.com/jmorganca/ollama
• Published: Jun 10, 2024
• Unreviewed

Ollama DNS rebinding vulnerability in github.com/jmorganca/ollama

• CVE-2024-0406, GHSA-rhh4-rh7c-7r5v
• Affects: github.com/mholt/archiver, github.com/mholt/archiver/v3
• Published: Jun 05, 2024
• Modified: Jul 01, 2024

A flaw was discovered in the mholt/archiver package. This flaw allows an attacker to create a specially crafted tar file, which, when unpacked, may allow access to restricted files or directories. This issue can allow the creation or overwriting of files with the user's or application's privileges using the library.

• CVE-2024-1313, GHSA-67rv-qpw2-6qrr
• Affects: github.com/grafana/grafana
• Published: Jun 05, 2024
• Modified: Jul 09, 2024
• Unreviewed

Grafana: Users outside an organization can delete a snapshot with its key in github.com/grafana/grafana. NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions. (If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.) The additional affected modules and versions are: github.com/grafana/grafana from v9.5.0 before v9.5.18, from v10.0.0 before v10.0.13, from v10.1.0 before v10.1.9, from v10.2.0 before v10.2.6, from v10.3.0 before v10.3.5.

• CVE-2024-2447, GHSA-wp43-vprh-c3w5
• Affects: github.com/mattermost/mattermost-server, github.com/mattermost/mattermost-server/v5, and 2 more
• Published: Jun 05, 2024
• Modified: Jul 09, 2024
• Unreviewed

Mattermost fails to authenticate the source of certain types of post actions in github.com/mattermost/mattermost-server. NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions. (If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.) The additional affected modules and versions are: github.com/mattermost/mattermost/server/v8 from v8.1.0 before v8.1.11.

• CVE-2024-28949, GHSA-mcw6-3256-64gg
• Affects: github.com/mattermost/mattermost-server, github.com/mattermost/mattermost-server/v5, and 2 more
• Published: Jun 05, 2024
• Modified: Jul 09, 2024
• Unreviewed

Mattermost Server doesn't limit the number of user preferences in github.com/mattermost/mattermost-server. NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions. (If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.) The additional affected modules and versions are: github.com/mattermost/mattermost/server/v8 from v8.1.0 before v8.1.11.

• GHSA-j496-crgh-34mx
• Affects: github.com/cosmos/ibc-go, github.com/cosmos/ibc-go/v2, and 6 more
• Published: May 20, 2024

Potential Reentrancy using Timeout Callbacks in ibc-hooks in github.com/cosmos/ibc-go

• CVE-2024-3250, GHSA-4685-2x5r-65pj
• Affects: github.com/canonical/pebble
• Published: Jun 04, 2024
• Unreviewed

Pebble service manager's file pull API allows access by any user in github.com/canonical/pebble

• CVE-2024-2660, GHSA-j2rp-gmqv-frhv
• Affects: github.com/hashicorp/vault
• Published: Jun 04, 2024
• Modified: Jun 28, 2024
• Unreviewed

HashiCorpVault does not correctly validate OCSP responses in github.com/hashicorp/vault

• CVE-2024-2689, GHSA-wmxc-v39r-p9wf
• Affects: go.temporal.io/server
• Published: Jun 04, 2024
• Unreviewed

Temporal Server Denial of Service in go.temporal.io/server

• CVE-2024-31420, GHSA-vjhf-6xfr-5p9g
• Affects: kubevirt.io/kubevirt
• Published: Jun 05, 2024
• Unreviewed

KubeVirt NULL pointer dereference flaw in kubevirt.io/kubevirt

• CVE-2023-45288, GHSA-4v7x-pqxf-cx7m
• Affects: net/http, golang.org/x/net
• Published: Apr 03, 2024
• Modified: May 20, 2024

An attacker may cause an HTTP/2 endpoint to read arbitrary amounts of header data by sending an excessive number of CONTINUATION frames. Maintaining HPACK state requires parsing and processing all HEADERS and CONTINUATION frames on a connection. When a request's headers exceed MaxHeaderBytes, no memory is allocated to store the excess headers, but they are still parsed. This permits an attacker to cause an HTTP/2 endpoint to read arbitrary amounts of header data, all associated with a request which is going to be rejected. These headers can include Huffman-encoded data which is significantly more expensive for the receiver to decode than for an attacker to send. The fix sets a limit on the amount of excess header frames we will process before closing a connection.

• CVE-2024-22780, GHSA-hwvw-gh23-qpvq
• Affects: github.com/ca17/teamsacs
• Published: Jun 10, 2024
• Unreviewed

CA17 TeamsACS Cross Site Scripting vulnerability in github.com/ca17/teamsacs

• CVE-2021-41803, GHSA-hr3v-8cp3-68rf
• Affects: github.com/hashicorp/consul
• Published: Apr 05, 2024
• Modified: May 20, 2024

HashiCorp Consul does not properly validate the node or segment names prior to interpolation and usage in JWT claim assertions with the auto config RPC.

• CVE-2024-22189, GHSA-c33x-xqrf-c478
• Affects: github.com/quic-go/quic-go
• Published: Apr 05, 2024
• Modified: May 20, 2024

An attacker can cause its peer to run out of memory by sending a large number of NEW_CONNECTION_ID frames that retire old connection IDs. The receiver is supposed to respond to each retirement frame with a RETIRE_CONNECTION_ID frame. The attacker can prevent the receiver from sending out (the vast majority of) these RETIRE_CONNECTION_ID frames by collapsing the peers congestion window (by selectively acknowledging received packets) and by manipulating the peer's RTT estimate.

• CVE-2024-2435, GHSA-8f25-w7qj-r7hc
• Affects: github.com/temporalio/ui-server, github.com/temporalio/ui-server/v2
• Published: Jun 04, 2024
• Modified: Jun 28, 2024
• Unreviewed

Temporal UI Server cross-site scripting vulnerability in github.com/temporalio/ui-server

• CVE-2023-3300, GHSA-v5fm-hr72-27hx
• Affects: github.com/hashicorp/nomad
• Published: Apr 04, 2024
• Modified: May 20, 2024

A vulnerability was identified in Nomad such that the search HTTP API can reveal names of available CSI plugins to unauthenticated users or users without the plugin:read policy. This vulnerability affects Nomad since 0.11.0 and was fixed in 1.4.11 and 1.5.7.

• CVE-2023-3072, GHSA-rpvr-38xv-xvxq
• Affects: github.com/hashicorp/nomad
• Published: Apr 04, 2024
• Modified: May 20, 2024

An ACL policy using a block without label can be applied to unexpected resources in Nomad, a distributed, highly available scheduler designed for effortless operations and management of applications.

• CVE-2023-3299, GHSA-9jfx-84v9-2rr2
• Affects: github.com/hashicorp/nomad
• Published: Apr 04, 2024
• Modified: May 20, 2024

A vulnerability exists in Nomad where the API caller's ACL token secret ID is exposed to Sentinel policies.

• CVE-2024-28232, GHSA-hcw2-2r9c-gc6p
• Affects: github.com/IceWhaleTech/CasaOS-UserService
• Published: Apr 02, 2024
• Modified: May 20, 2024

The Casa OS Login page has a username enumeration vulnerability in the login page that was patched in Casa OS v0.4.7. The issue exists because the application response differs depending on whether the username or password is incorrect, allowing an attacker to enumerate usernames by observing the application response. For example, if the username is incorrect, the application returns "User does not exist" with return code "10006", while if the password is incorrect, it returns "User does not exist or password is invalid" with return code "10013". This allows an attacker to determine if a username exists without knowing the password.

• CVE-2024-29893, GHSA-jhwx-mhww-rgc3
• Affects: github.com/argoproj/argo-cd/v2
• Published: Apr 16, 2024
• Modified: May 20, 2024

Out of memory crash from malicious Helm registry in github.com/argoproj/argo-cd/v2

• CVE-2024-28860, GHSA-pwqm-x5x6-5586
• Affects: github.com/cilium/cilium
• Published: Apr 16, 2024
• Modified: May 20, 2024

Insecure IPsec transparent encryption in github.com/cilium/cilium

• CVE-2024-29891, GHSA-hr5w-cwwq-2v4m
• Affects: github.com/zitadel/zitadel
• Published: Jun 05, 2024
• Modified: Jul 09, 2024
• Unreviewed

ZITADEL's Improper Content-Type Validation Leads to Account Takeover via Stored XSS + CSP Bypass in github.com/zitadel/zitadel. NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions. (If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.) The additional affected modules and versions are: github.com/zitadel/zitadel before v2.42.17, from v2.43.0 before v2.43.11, from v2.44.0 before v2.44.7, from v2.45.0 before v2.45.5, from v2.46.0 before v2.46.5, from v2.47.0 before v2.47.8, from v2.48.0 before v2.48.3.

• CVE-2024-29892, GHSA-gp8g-f42f-95q2
• Affects: github.com/zitadel/zitadel
• Published: Jun 05, 2024
• Modified: Jul 09, 2024
• Unreviewed

ZITADEL's actions can overload reserved claims in github.com/zitadel/zitadel. NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions. (If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.) The additional affected modules and versions are: github.com/zitadel/zitadel before v2.42.17, from v2.43.0 before v2.43.11, from v2.44.0 before v2.44.7, from v2.45.0 before v2.45.5, from v2.46.0 before v2.46.5, from v2.47.0 before v2.47.8, from v2.48.0 before v2.48.3.

• CVE-2019-19499, GHSA-4pwp-cx67-5cpx
• Affects: github.com/grafana/grafana
• Published: Mar 28, 2024
• Modified: Jul 09, 2024

An authenticated attacker that has privileges to modify the data source configurations can read arbitrary files.

• CVE-2024-1394, GHSA-78hx-gp6g-7mj6
• Affects: github.com/golang-fips/openssl/v2, github.com/microsoft/go-crypto-openssl
• Published: Mar 27, 2024
• Modified: May 20, 2024

Using crafted public RSA keys can cause a small memory leak when encrypting and verifying payloads. This can be gradually leveraged into a denial of service attack.

• CVE-2024-29018, GHSA-mq39-4gv4-mvpx
• Affects: github.com/docker/docker
• Published: Mar 22, 2024
• Modified: May 20, 2024

dockerd forwards DNS requests to the host loopback device, bypassing the container network namespace's normal routing semantics, networks marked as 'internal' can unexpectedly forward DNS requests to an external nameserver. By registering a domain for which they control the authoritative nameservers, an attacker could arrange for a compromised container to exfiltrate data by encoding it in DNS queries that will eventually be answered by their nameservers.

• CVE-2024-1753, GHSA-pmf3-c36m-g5cf
• Affects: github.com/containers/buildah
• Published: Mar 22, 2024
• Modified: May 20, 2024

A crafted container file can use a dummy image with a symbolic link to the host filesystem as a mount source and cause the mount operation to mount the host filesystem during a build-time RUN step. The commands inside the RUN step will then have read-write access to the host filesystem.

• CVE-2024-28250, GHSA-v6q2-4qr3-5cw6
• Affects: github.com/cilium/cilium
• Published: Mar 22, 2024
• Modified: May 20, 2024

In Cilium clusters with WireGuard enabled and traffic matching Layer 7 policies: traffic that should be WireGuard-encrypted is sent unencrypted between a node's Envoy proxy and pods on other nodes, and traffic that should be WireGuard-encrypted is sent unencrypted between a node's DNS proxy and pods on other nodes.

• CVE-2024-28249, GHSA-j89h-qrvr-xc36
• Affects: github.com/cilium/cilium
• Published: Mar 22, 2024
• Modified: May 20, 2024

In Cilium clusters with IPsec enabled and traffic matching Layer 7 policies, traffic that should be IPsec-encrypted between a node's Envoy proxy and pods on other nodes is sent unencrypted, and traffic that should be IPsec-encrypted between a node's DNS proxy and pods on other nodes is sent unencrypted.

• CVE-2024-28855, GHSA-hfrg-4jwr-jfpj
• Affects: github.com/zitadel/zitadel
• Published: Mar 27, 2024
• Modified: Jul 09, 2024

The Login UI did not sanitize input parameters. An attacker could create a malicious link, where injected code would be rendered as part of the login screen.

• CVE-2024-21661, GHSA-6v85-wr92-q4p7
• Affects: github.com/argoproj/argo-cd/v2
• Published: Mar 22, 2024
• Modified: May 20, 2024

Application may crash due to concurrent writes, leading to a denial of service. An attacker can crash the application continuously, making it impossible for legitimate users to access the service. Authentication is not required in the attack.

• CVE-2024-28248, GHSA-68mj-9pjq-mc85
• Affects: github.com/cilium/cilium
• Published: Mar 22, 2024
• Modified: May 20, 2024

Cilium's HTTP policies are not consistently applied to all traffic in the scope of the policies, leading to HTTP traffic being incorrectly and intermittently forwarded when it should be dropped.

• CVE-2024-21662, CVE-2024-21652, and 2 more
• Affects: github.com/argoproj/argo-cd/v2
• Published: Mar 22, 2024
• Modified: May 20, 2024

An attacker can effectively bypass the rate limit and brute force protections in Argo CD by exploiting the application's weak cache-based mechanism. The application's brute force protection relies on a cache mechanism that tracks login attempts for each user. An attacker can overflow this cache by bombarding it with login attempts for different users, thereby pushing out the admin account's failed attempts and effectively resetting the rate limit for that account.

• GHSA-v8mx-hp2q-gw85
• Affects: github.com/go-vela/sdk-go
• Published: Jun 05, 2024
• Unreviewed

Golang SDK for Vela Insecure Variable Substitution in github.com/go-vela/sdk-go

• GHSA-7v38-w32m-wx4m
• Affects: github.com/go-vela/types
• Published: Jun 04, 2024
• Unreviewed

Types for Vela Insecure Variable Substitution in github.com/go-vela/types

• GHSA-69p4-j5v5-x234
• Affects: github.com/go-vela/server
• Published: Jun 04, 2024
• Unreviewed

Server/API for Vela Insecure Variable Substitution in github.com/go-vela/server

• GHSA-4jhj-3gv3-c3gr
• Affects: github.com/go-vela/cli
• Published: Jun 04, 2024
• Unreviewed

CLI for Vela Insecure Variable Substitution in github.com/go-vela/cli

• CVE-2024-28175, GHSA-jwv5-8mqv-g387
• Affects: github.com/argoproj/argo-cd, github.com/argoproj/argo-cd/v2
• Published: Mar 22, 2024
• Modified: May 20, 2024

Due to the improper URL protocols filtering of links specified in the link.argocd.argoproj.io annotations in the application summary component, an attacker can achieve cross-site scripting with elevated permissions. A malicious user to inject a javascript: link in the UI. When clicked by a victim user, the script will execute with the victim's permissions (up to and including admin). This vulnerability allows an attacker to perform arbitrary actions on behalf of the victim via the API, such as creating, modifying, and deleting Kubernetes resources.

• CVE-2024-27920, GHSA-w5wx-6g2r-r78q
• Affects: github.com/projectdiscovery/nuclei, github.com/projectdiscovery/nuclei/v2, and 1 more
• Published: Jun 04, 2024
• Modified: Jun 28, 2024
• Unreviewed

Nuclei allows unsigned code template execution through workflows in github.com/projectdiscovery/nuclei

• CVE-2023-51699, GHSA-wx8q-4gm9-rj2g
• Affects: github.com/fluid-cloudnative/fluid
• Published: Jun 04, 2024
• Unreviewed

Fluid vulnerable to OS Command Injection for Fluid Users with JuicefsRuntime in github.com/fluid-cloudnative/fluid

• CVE-2023-50726, GHSA-g623-jcgg-mhmm
• Affects: github.com/argoproj/argo-cd, github.com/argoproj/argo-cd/v2
• Published: Mar 22, 2024
• Modified: May 20, 2024

An improper validation bug allows users who have create privileges to sync a local manifest during application creation. This allows for bypassing the restriction that the manifests come from some approved git/Helm/OCI source.

• CVE-2024-27102, GHSA-494h-9924-xww9
• Affects: github.com/pterodactyl/wings
• Published: Jun 04, 2024
• Unreviewed

Pterodactyl Wings vulnerable to improper isolation of server file access in github.com/pterodactyl/wings

• CVE-2024-28236, GHSA-pwx5-6wxg-px5h
• Affects: github.com/go-vela/worker
• Published: Jun 04, 2024
• Unreviewed

Insecure Variable Substitution in Vela in github.com/go-vela/worker

• GHSA-95rx-m9m5-m94v
• Affects: github.com/cosmos/cosmos-sdk
• Published: May 10, 2024
• Modified: May 20, 2024

The default ValidateVoteExtensions helper function infers total voting power based on the injected VoteExtension, which are injected by the proposer. If your chain utilizes the ValidateVoteExtensions helper in ProcessProposal, a dishonest proposer can potentially mutate voting power of each validator it includes in the injected VoteExtension, which could have potentially unexpected or negative consequences on modified state. Additional validation on injected VoteExtension data was added to confirm voting power against the state machine.

• CVE-2024-28197, GHSA-mq4x-r2w3-j7mr
• Affects: github.com/zitadel/zitadel
• Published: Jun 05, 2024
• Modified: Jul 09, 2024
• Unreviewed

Account Takeover via Session Fixation in Zitadel [Bypassing MFA] in github.com/zitadel/zitadel. NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions. (If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.) The additional affected modules and versions are: github.com/zitadel/zitadel before v2.44.3, from v2.45.0 before v2.45.1.

• CVE-2024-2352, GHSA-x2vg-5wrf-vj6v
• Affects: github.com/1Panel-dev/1Panel
• Published: Jun 04, 2024
• Unreviewed

1Panel is vulnerable to command injection in github.com/1Panel-dev/1Panel

• CVE-2024-1952, GHSA-r4fm-g65h-cr54
• Affects: github.com/mattermost/mattermost-server, github.com/mattermost/mattermost-server/v5, and 2 more
• Published: Jun 05, 2024
• Modified: Aug 19, 2024
• Unreviewed

Mattermost incorrectly allows access individual posts in github.com/mattermost/mattermost-server

• CVE-2024-28122, GHSA-hj3v-m684-v259
• Affects: github.com/lestrrat-go/jwx, github.com/lestrrat-go/jwx/v2
• Published: May 20, 2024

An attacker with a trusted public key may cause a Denial-of-Service (DoS) condition by crafting a malicious JSON Web Encryption (JWE) token with an exceptionally high compression ratio. When this token is processed by the recipient, it results in significant memory allocation and processing time during decompression.

• CVE-2024-28180, GHSA-c5q2-7r4c-mv6g
• Affects: github.com/go-jose/go-jose/v4, github.com/go-jose/go-jose/v3, and 2 more
• Published: Mar 15, 2024
• Modified: May 20, 2024

An attacker could send a JWE containing compressed data that used large amounts of memory and CPU when decompressed by Decrypt or DecryptMulti.

• CVE-2024-1442, GHSA-5mxf-42f5-j782
• Affects: github.com/grafana/grafana
• Published: Jun 05, 2024
• Modified: Jul 09, 2024
• Unreviewed

Grafana's users with permissions to create a data source can CRUD all data sources in github.com/grafana/grafana. NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions. (If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.) The additional affected modules and versions are: github.com/grafana/grafana from v8.5.0 before v9.5.7, from v10.0.0 before v10.0.12, from v10.1.0 before v10.1.8, from v10.2.0 before v10.2.5, from v10.3.0 before v10.3.4.

• CVE-2024-28110, GHSA-5pf6-2qwx-pxm2
• Affects: github.com/cloudevents/sdk-go/v2
• Published: Mar 11, 2024
• Modified: May 20, 2024

Using cloudevents.WithRoundTripper to create a cloudevents.Client with an authenticated http.RoundTripper causes the go-sdk to leak credentials to arbitrary endpoints. When the transport is populated with an authenticated transport, http.DefaultClient is modified with the authenticated transport and will start to send Authorization tokens to any endpoint it is used to contact.

• CVE-2024-2048, GHSA-r3w7-mfpm-c2vw
• Affects: github.com/hashicorp/vault
• Published: Mar 14, 2024
• Modified: May 20, 2024

The TLS certificate authentication method incorrectly validates client certificates when configured with a non-CA certificate as a trusted certificate. When configured this way, attackers may be able to craft a certificate that can be used to bypass authentication.

• CVE-2024-24765, GHSA-h5gf-cmm8-cg7c
• Affects: github.com/IceWhaleTech/CasaOS-UserService
• Published: Mar 11, 2024
• Modified: May 20, 2024

The UserService API contains a path traversal vulnerability that allows an attacker to obtain any file on the system, including the user database and system configuration. This can lead to privilege escalation and compromise of the system.

• CVE-2024-24766, GHSA-c967-2652-gfjm
• Affects: github.com/IceWhaleTech/CasaOS-UserService
• Published: Mar 14, 2024
• Modified: May 20, 2024

CasaOS-UserService is vulnerable to a username enumeration issue, when an attacker can enumerate the CasaOS username using the application response. If the username is incorrect, the application gives the error 'User does not exist'. If the password is incorrect, the application gives the error 'Invalid password'.

• CVE-2024-24767, GHSA-c69x-5xmw-v44x
• Affects: github.com/IceWhaleTech/CasaOS-UserService
• Published: Mar 18, 2024
• Modified: May 20, 2024

The CasaOS web application does not have protection against password brute force attacks. An attacker can use a password brute force attack to find and gain full access to the server. This vulnerability allows attackers to get super user-level access over the server.

• CVE-2024-27288, GHSA-26w3-q4j8-4xjp
• Affects: github.com/1Panel-dev/1Panel
• Published: Mar 14, 2024
• Modified: May 20, 2024

If the user attempts to access a secure entry point and intercepts with Burp, they can get access to the console page. This access does not return data nor allow modification operations.

• CVE-2024-2056
• Affects: github.com/gvalkov/tailon
• Published: Jun 10, 2024
• Unreviewed

Artica Proxy Loopback Services Remotely Accessible Unauthenticated in github.com/gvalkov/tailon

• CVE-2024-24786, GHSA-8r3f-844c-mc37
• Affects: google.golang.org/protobuf
• Published: Mar 05, 2024
• Modified: May 20, 2024

The protojson.Unmarshal function can enter an infinite loop when unmarshaling certain forms of invalid JSON. This condition can occur when unmarshaling into a message which contains a google.protobuf.Any value, or when the UnmarshalOptions.DiscardUnknown option is set.

• CVE-2024-24785
• Affects: html/template
• Published: Mar 05, 2024
• Modified: May 20, 2024

If errors returned from MarshalJSON methods contain user controlled data, they may be used to break the contextual auto-escaping behavior of the html/template package, allowing for subsequent actions to inject unexpected content into templates.

• CVE-2024-24784
• Affects: net/mail
• Published: Mar 05, 2024
• Modified: May 20, 2024

The ParseAddressList function incorrectly handles comments (text within parentheses) within display names. Since this is a misalignment with conforming address parsers, it can result in different trust decisions being made by programs using different parsers.

• CVE-2024-27916, GHSA-v627-69v2-xx37
• Affects: github.com/stacklok/minder
• Published: Mar 11, 2024
• Modified: May 20, 2024

A Minder user can use the endpoints to access any repository in the DB, irrespective of who owns the repo and any permissions that user may have. The DB query used checks by repo owner, repo name and provider name (which is always "github"). These query values are not distinct for the particular user, as long as the user has valid credentials and a provider, they can set the repo owner/name to any value they want and the server will return information on this repo. DeleteRepositoryByName uses the same query and a user can delete another user's repo using this technique. The GetArtifactByName endpoint also uses this DB query.

• CVE-2024-27304, GHSA-mrww-27vc-gghv, and 1 more
• Affects: github.com/jackc/pgproto3/v2, github.com/jackc/pgx, and 2 more
• Published: Mar 14, 2024
• Modified: Sep 13, 2024

An integer overflow in the calculated message size of a query or bind message could allow a single large message to be sent as multiple messages under the attacker's control. This could lead to SQL injection if an attacker can cause a single query or bind message to exceed 4 GB in size.

• CVE-2024-27289, GHSA-m7wr-2xf7-cm9p
• Affects: github.com/jackc/pgx, github.com/jackc/pgx/v4
• Published: Mar 11, 2024
• Modified: Sep 13, 2024

SQL injection is possible when the database uses the non-default simple protocol, a minus sign directly precedes a numeric placeholder followed by a string placeholder on the same line, and both parameter values are user-controlled.

• CVE-2024-27302, GHSA-fgxv-gw55-r5fq
• Affects: github.com/zeromicro/go-zero
• Published: Mar 11, 2024
• Modified: May 20, 2024

The CORS Filter feature in go-zero allows users to specify an array of domains allowed in the CORS policy. However, the isOriginAllowed function uses strings.HasSuffix to check the origin, which can lead to a bypass via a domain like "evil-victim.com". This vulnerability is capable of breaking CORS policy and thus allowing any page to make requests and retrieve data on behalf of other users.

• CVE-2024-27918, GHSA-7cc2-r658-7xpf
• Affects: github.com/coder/coder, github.com/coder/coder/v2
• Published: Mar 11, 2024
• Modified: May 20, 2024

A vulnerability in Coder's OIDC authentication could allow an attacker to bypass the CODER_OIDC_EMAIL_DOMAIN verification and create an account with an email not in the allowlist. Deployments are only affected if the OIDC provider allows users to create accounts on the provider (such as public providers like google.com). During OIDC registration, the user's email was improperly validated against the allowed CODER_OIDC_EMAIL_DOMAINs.

• CVE-2023-45289
• Affects: net/http, net/http/cookiejar
• Published: Mar 05, 2024
• Modified: May 20, 2024

When following an HTTP redirect to a domain which is not a subdomain match or exact match of the initial domain, an http.Client does not forward sensitive headers such as "Authorization" or "Cookie". For example, a redirect from foo.com to www.foo.com will forward the Authorization header, but a redirect to bar.com will not. A maliciously crafted HTTP redirect could cause sensitive headers to be unexpectedly forwarded.

• CVE-2023-45290
• Affects: net/textproto
• Published: Mar 05, 2024
• Modified: May 20, 2024

When parsing a multipart form (either explicitly with Request.ParseMultipartForm or implicitly with Request.FormValue, Request.PostFormValue, or Request.FormFile), limits on the total size of the parsed form were not applied to the memory consumed while reading a single form line. This permits a maliciously crafted input containing very long lines to cause allocation of arbitrarily large amounts of memory, potentially leading to memory exhaustion. With fix, the ParseMultipartForm function now correctly limits the maximum size of form lines.

• CVE-2024-24783
• Affects: crypto/x509
• Published: Mar 05, 2024
• Modified: May 20, 2024

Verifying a certificate chain which contains a certificate with an unknown public key algorithm will cause Certificate.Verify to panic. This affects all crypto/tls clients, and servers that set Config.ClientAuth to VerifyClientCertIfGiven or RequireAndVerifyClientCert. The default behavior is for TLS servers to not verify client certificates.

• CVE-2024-27101, GHSA-h3m7-rqc4-7h9p
• Affects: github.com/authzed/spicedb
• Published: Jun 04, 2024
• Unreviewed

Integer overflow in chunking helper causes dispatching to miss elements or panic in github.com/authzed/spicedb

• CVE-2024-23488, GHSA-xgxj-j98c-59rv
• Affects: github.com/mattermost/mattermost-server, github.com/mattermost/mattermost-server/v5, and 2 more
• Published: Jun 28, 2024
• Modified: Jul 09, 2024
• Unreviewed

Mattermost fails to properly restrict the access of files attached to posts in github.com/mattermost/mattermost-server. NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions. (If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.) The additional affected modules and versions are: github.com/mattermost/mattermost/server/v8 before v8.1.9.

• CVE-2024-1953, GHSA-vm9m-57jr-4pxh
• Affects: github.com/mattermost/mattermost-server, github.com/mattermost/mattermost-server/v5, and 2 more
• Published: Jun 28, 2024
• Modified: Jul 09, 2024
• Unreviewed

Mattermost fails to limit the number of role names in github.com/mattermost/mattermost-server. NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions. (If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.) The additional affected modules and versions are: github.com/mattermost/mattermost/server/v8 before v8.1.9.

• CVE-2024-1888, GHSA-pfw6-5rx3-xh3c
• Affects: github.com/mattermost/mattermost-server, github.com/mattermost/mattermost-server/v5, and 2 more
• Published: Jun 28, 2024
• Modified: Jul 09, 2024
• Unreviewed

Mattermost fails to check the "invite_guest" permission in github.com/mattermost/mattermost-server. NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions. (If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.) The additional affected modules and versions are: github.com/mattermost/mattermost/server/v8 before v8.1.9.

• CVE-2024-1942, GHSA-hwjf-4667-gqwx
• Affects: github.com/mattermost/mattermost-server, github.com/mattermost/mattermost-server/v5, and 2 more
• Published: Jun 28, 2024
• Modified: Jul 09, 2024
• Unreviewed

Mattermost allows attackers access to posts in channels they are not a member of in github.com/mattermost/mattermost-server. NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions. (If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.) The additional affected modules and versions are: github.com/mattermost/mattermost/server/v8 before v8.1.9.

• CVE-2024-1887, GHSA-fx48-xv6q-6gp3
• Affects: github.com/mattermost/mattermost-server, github.com/mattermost/mattermost-server/v5, and 2 more
• Published: Jun 28, 2024
• Modified: Jul 09, 2024
• Unreviewed

Mattermost post fetching without auditing in compliance export in github.com/mattermost/mattermost-server. NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions. (If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.) The additional affected modules and versions are: github.com/mattermost/mattermost/server/v8 before v8.1.9.

• CVE-2024-23493, GHSA-7v3v-984v-h74r
• Affects: github.com/mattermost/mattermost-server, github.com/mattermost/mattermost-server/v5, and 2 more
• Published: Jun 28, 2024
• Modified: Jul 09, 2024
• Unreviewed

Mattermost leaks details of AD/LDAP groups of a teams in github.com/mattermost/mattermost-server. NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions. (If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.) The additional affected modules and versions are: github.com/mattermost/mattermost/server/v8 before v8.1.9.

• CVE-2024-24988, GHSA-6mx3-9qfh-77gj
• Affects: github.com/mattermost/mattermost-server, github.com/mattermost/mattermost-server/v5, and 2 more
• Published: Jun 28, 2024
• Modified: Jul 09, 2024
• Unreviewed

Mattermost denial of service through long emoji value in github.com/mattermost/mattermost-server. NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions. (If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.) The additional affected modules and versions are: github.com/mattermost/mattermost/server/v8 before v8.1.9.

• CVE-2024-1949, GHSA-3g35-v53r-gpxc
• Affects: github.com/mattermost/mattermost-server, github.com/mattermost/mattermost-server/v5, and 2 more
• Published: Jun 28, 2024
• Modified: Jul 09, 2024
• Unreviewed

Mattermost race condition in github.com/mattermost/mattermost-server. NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions. (If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.) The additional affected modules and versions are: github.com/mattermost/mattermost/server/v8 before v8.1.9.

• CVE-2022-45786, GHSA-6p5q-h963-pwwf
• Affects: github.com/apache/age/drivers/golang
• Published: Mar 04, 2024
• Modified: May 20, 2024

SQL injection in github.com/apache/age/drivers/golang

• GHSA-86h5-xcpx-cfqc
• Affects: github.com/cosmos/cosmos-sdk
• Published: Mar 05, 2024
• Modified: May 20, 2024

Slashing evasion in github.com/cosmos/cosmos-sdk

• GHSA-x5r5-2qrx-rqj8
• Affects: github.com/edgelesssys/marblerun
• Published: Mar 04, 2024
• Modified: May 20, 2024

Encryption bypass in github.com/edgelesssys/marblerun

• CVE-2024-27093, GHSA-q6h8-4j2v-pjg4
• Affects: github.com/stacklok/minder
• Published: Jun 28, 2024
• Modified: Jul 09, 2024
• Unreviewed

Minder trusts client-provided mapping from repo name to upstream ID in github.com/stacklok/minder. NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions. (If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.) The additional affected modules and versions are: github.com/stacklok/minder before v0.20240226.1425.

• GHSA-fvv5-h29g-f6w5
• Affects: github.com/treeverse/lakefs
• Published: Jun 04, 2024
• Unreviewed

User with ci:ReadAction permissions and write permissions to one path in a repository may copy objects from any path in the repository in github.com/treeverse/lakefs

• CVE-2024-26578, GHSA-9q24-hwmc-797x
• Affects: github.com/apache/incubator-answer
• Published: Jun 04, 2024
• Unreviewed

Apache Answer Race Condition vulnerability in github.com/apache/incubator-answer

• CVE-2024-22393, GHSA-rmqp-mvv2-54c6
• Affects: github.com/apache/incubator-answer
• Published: Jun 04, 2024
• Unreviewed

Apache Answer Unrestricted Upload of File with Dangerous Type vulnerability in github.com/apache/incubator-answer

• CVE-2024-23349, GHSA-8pf2-qj4v-fj64
• Affects: github.com/apache/incubator-answer
• Published: Jun 04, 2024
• Unreviewed

Apache Answer Cross-site Scripting vulnerability in github.com/apache/incubator-answer

• CVE-2024-1485, GHSA-84xv-jfrm-h4gm
• Affects: github.com/devfile/registry-support/registry-library
• Published: Jun 05, 2024
• Modified: Jul 09, 2024
• Unreviewed

registry-support: decompress can delete files outside scope via relative paths in github.com/devfile/registry-support/registry-library. NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions. (If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.) The additional affected modules and versions are: github.com/devfile/registry-support/registry-library before v0.0.0-20240206.

• CVE-2024-26147, GHSA-r53h-jv2g-vpx6
• Affects: helm.sh/helm/v3
• Published: Jun 04, 2024
• Modified: Jul 01, 2024

Helm's Missing YAML Content Leads To Panic in helm.sh/helm/v3

• CVE-2024-25124, GHSA-fmg4-x8pw-hjhg
• Affects: github.com/gofiber/fiber/v2
• Published: May 20, 2024

The CORS middleware allows for insecure configurations that could potentially expose the application to multiple CORS-related vulnerabilities. Specifically, it allows setting the Access-Control-Allow-Origin header to a wildcard ("*") while also having the Access-Control-Allow-Credentials set to true, which goes against recommended security best practices.

• GHSA-4j93-fm92-rp4m
• Affects: github.com/cosmos/cosmos-sdk
• Published: May 28, 2024
• Modified: Jul 01, 2024

Missing BlockedAddressed Validation in Vesting Module in github.com/cosmos/cosmos-sdk

• GHSA-2557-x9mg-76w8
• Affects: github.com/cosmos/cosmos-sdk
• Published: May 22, 2024
• Modified: May 23, 2024

Invalid block proposal in github.com/cosmos/cosmos-sdk

• CVE-2024-25631, GHSA-x989-52fc-4vr4
• Affects: github.com/cilium/cilium
• Published: Jun 04, 2024
• Modified: Aug 19, 2024
• Unreviewed

Unencrypted traffic between pods when using Wireguard and an external kvstore in github.com/cilium/cilium

• CVE-2024-25630, GHSA-7496-fgv9-xw82
• Affects: github.com/cilium/cilium
• Published: Jun 04, 2024
• Modified: Aug 19, 2024
• Unreviewed

Unencrypted ingress/health traffic when using Wireguard transparent encryption in github.com/cilium/cilium

• GHSA-fqpg-rq76-99pq
• Affects: github.com/jackc/pgx/v5
• Published: Jul 02, 2024
• Modified: Jul 09, 2024

Pipeline can panic when PgConn is busy or closed.

• CVE-2024-24776, GHSA-r833-w756-h5p2
• Affects: github.com/mattermost/mattermost-server, github.com/mattermost/mattermost-server/v5, and 2 more
• Published: Jun 05, 2024
• Modified: Jul 09, 2024
• Unreviewed

Mattermost fails to check the required permissions in github.com/mattermost/mattermost-server. NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions. (If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.) The additional affected modules and versions are: github.com/mattermost/mattermost/server/v8 before v8.1.8.

• CVE-2024-21495, GHSA-c7vf-m394-m4x4
• Affects: github.com/greenpau/caddy-security
• Published: Jun 28, 2024
• Unreviewed

Use of Insufficiently Random Values in github.com/greenpau/caddy-security

• CVE-2024-21493, GHSA-8h95-jcp5-pjpr
• Affects: github.com/greenpau/caddy-security
• Published: Jun 28, 2024
• Unreviewed

Improper Validation of Array Index in github.com/greenpau/caddy-security

• CVE-2024-21500, GHSA-vfph-hjfv-cpv2
• Affects: github.com/greenpau/caddy-security
• Published: Jun 28, 2024
• Unreviewed

Improper Restriction of Excessive Authentication Attempts in github.com/greenpau/caddy-security

• CVE-2024-21499, GHSA-r969-783f-6jqr
• Affects: github.com/greenpau/caddy-security
• Published: Jun 28, 2024
• Unreviewed

Improper Neutralization of HTTP Headers in github.com/greenpau/caddy-security

• CVE-2024-21498, GHSA-93x8-66j2-wwr5
• Affects: github.com/greenpau/caddy-security
• Published: Jun 28, 2024
• Unreviewed

Server-Side Request Forgery in github.com/greenpau/caddy-security

• CVE-2024-21497, GHSA-8hp3-rmr7-xh88
• Affects: github.com/greenpau/caddy-security
• Published: Jun 28, 2024
• Unreviewed

Open Redirect in github.com/greenpau/caddy-security

• CVE-2024-21496, GHSA-ff72-ff42-c3gw
• Affects: github.com/greenpau/caddy-security
• Published: Jun 28, 2024
• Unreviewed

Cross-site Scripting in github.com/greenpau/caddy-security

• CVE-2024-21494, GHSA-vj36-3ccr-6563
• Affects: github.com/greenpau/caddy-security
• Published: Jun 28, 2024
• Unreviewed

Authentication Bypass by Spoofing in github.com/greenpau/caddy-security

• CVE-2024-21492, GHSA-vp66-gf7w-9m4x
• Affects: github.com/greenpau/caddy-security
• Published: Jun 28, 2024
• Unreviewed

Insufficient Session Expiration in github.com/greenpau/caddy-security

• CVE-2024-23448, GHSA-8r33-q5j5-rh7g
• Affects: github.com/elastic/apm-server
• Published: Jun 28, 2024
• Modified: Jul 09, 2024
• Unreviewed

APM Server vulnerable to Insertion of Sensitive Information into Log File in github.com/elastic/apm-server. NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions. (If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.) The additional affected modules and versions are: github.com/elastic/apm-server before v8.12.1.

• CVE-2024-25620, GHSA-v53g-5gjp-272r
• Affects: helm.sh/helm/v3
• Published: Feb 29, 2024
• Modified: May 20, 2024

Path traversal in helm.sh/helm/v3

• CVE-2020-7924, GHSA-6cwm-wm82-hgrw
• Affects: github.com/mongodb/mongo-tools
• Published: Jun 28, 2024
• Modified: Jul 09, 2024

Usage of specific command line parameter in MongoDB Tools which was originally intended to just skip hostname checks, may result in MongoDB skipping all certificate validation. This may result in accepting invalid certificates. NOTE: this module uses its own versioning scheme that is not fully compatible with standard Go module versioning, so the affected versions in this report may differ from the versions listed in other advisories. According to the advisory, the affected versions are as follows: MongoDB Inc. MongoDB Database Tools 3.6 versions later than 3.6.5; 3.6 versions prior to 3.6.21; 4.0 versions prior to 4.0.21; 4.2 versions prior to 4.2.11; 100 versions prior to 100.2.0. MongoDB Inc. Mongomirror 0 versions later than 0.6.0.

• CVE-2023-52430, GHSA-xwmv-cx7p-fqfc
• Affects: github.com/greenpau/caddy-security
• Published: Jun 28, 2024
• Unreviewed

caddy-security plugin for Caddy vulnerable to reflected Cross-site Scripting in github.com/greenpau/caddy-security

• CVE-2024-1402, GHSA-32h7-7j94-8fc2
• Affects: github.com/mattermost/mattermost-server, github.com/mattermost/mattermost-server/v5, and 2 more
• Published: Jun 28, 2024
• Modified: Jul 09, 2024
• Unreviewed

Mattermost vulnerable to denial of service via large number of emoji reactions in github.com/mattermost/mattermost-server. NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions. (If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.) The additional affected modules and versions are: github.com/mattermost/mattermost/server/v8 before v8.1.8.

• CVE-2024-24774, GHSA-qr8f-cjw7-838m
• Affects: github.com/mattermost/mattermost-plugin-jira
• Published: Jun 28, 2024
• Modified: Jul 09, 2024
• Unreviewed

Mattermost Jira Plugin does not properly check security levels in github.com/mattermost/mattermost-plugin-jira. NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions. (If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.) The additional affected modules and versions are: github.com/mattermost/mattermost-plugin-jira before v4.0.0-rc1.

• CVE-2024-23319, GHSA-4fp6-574p-fc35
• Affects: github.com/mattermost/mattermost-plugin-jira
• Published: Mar 18, 2024
• Modified: Jul 09, 2024

Cross-site request forgery via logout button in github.com/mattermost/mattermost-plugin-jira

• CVE-2024-1329, GHSA-c866-8gpw-p3mv
• Affects: github.com/hashicorp/nomad
• Published: Mar 04, 2024
• Modified: May 20, 2024

Symlink attack in github.com/hashicorp/nomad

• CVE-2023-22649, GHSA-xfj7-qf8w-2gcr
• Affects: github.com/rancher/rancher
• Published: Jun 28, 2024
• Modified: Jul 09, 2024
• Unreviewed

Rancher 'Audit Log' leaks sensitive information in github.com/rancher/rancher. NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions. (If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.) The additional affected modules and versions are: github.com/rancher/rancher from v2.6.0 before v2.6.14, from v2.7.0 before v2.7.10, from v2.8.0 before v2.8.2.

• CVE-2023-32193, GHSA-r8f4-hv23-6qp6
• Affects: github.com/rancher/norman
• Published: Feb 20, 2024
• Modified: May 20, 2024

Cross-site scripting in public API in github.com/rancher/norman

• CVE-2023-32194, GHSA-c85r-fwc7-45vc
• Affects: github.com/rancher/rancher
• Published: Jun 28, 2024
• Modified: Jul 09, 2024
• Unreviewed

Rancher permissions on 'namespaces' in any API group grants 'edit' permissions on namespaces in 'core' in github.com/rancher/rancher. NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions. (If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.) The additional affected modules and versions are: github.com/rancher/rancher from v2.6.0 before v2.6.14, from v2.7.0 before v2.7.10, from v2.8.0 before v2.8.2.

• CVE-2023-32192, GHSA-833m-37f7-jq55
• Affects: github.com/rancher/apiserver
• Published: Feb 15, 2024
• Modified: May 20, 2024

Unauthenticated cross-site scripting in github.com/rancher/apiserver

• CVE-2024-1052, GHSA-vh73-q3rw-qx7w
• Affects: github.com/hashicorp/boundary
• Published: Jun 28, 2024
• Unreviewed

Boundary vulnerable to session hijacking through TLS certificate tampering in github.com/hashicorp/boundary

• CVE-2024-24768, GHSA-9xfw-jjq2-7v8h
• Affects: github.com/1Panel-dev/1Panel
• Published: Jun 28, 2024
• Unreviewed

1Panel set-cookie is missing the Secure keyword in github.com/1Panel-dev/1Panel

• GHSA-vjg6-93fv-qv64
• Affects: go.etcd.io/etcd, go.etcd.io/etcd/v3
• Published: Jun 28, 2024
• Modified: Jul 09, 2024
• Unreviewed

Etcd auth Inaccurate logging of authentication attempts for users with CN-based auth only in go.etcd.io/etcd. NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions. (If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.) The additional affected modules and versions are: go.etcd.io/etcd/v3 before v3.3.23, from v3.4.0-rc.0 before v3.4.10.

• GHSA-pm3m-32r3-7mfh
• Affects: go.etcd.io/etcd, go.etcd.io/etcd/v3
• Published: Jun 28, 2024
• Modified: Jul 09, 2024
• Unreviewed

Etcd embed auto compaction retention negative value causing a compaction loop or a crash in go.etcd.io/etcd. NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions. (If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.) The additional affected modules and versions are: go.etcd.io/etcd/v3 before v3.3.23, from v3.4.0-rc.0 before v3.4.10.

• GHSA-j86v-2vjr-fg8f
• Affects: go.etcd.io/etcd, go.etcd.io/etcd/v3
• Published: Jun 28, 2024
• Modified: Jul 09, 2024
• Unreviewed

Etcd Gateway TLS endpoint validation only confirms TCP reachability in go.etcd.io/etcd. NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions. (If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.) The additional affected modules and versions are: go.etcd.io/etcd/v3 before v3.3.23, from v3.4.0-rc.0 before v3.4.10.

• GHSA-5x4g-q5rc-36jp
• Affects: go.etcd.io/etcd
• Published: Jun 28, 2024
• Modified: Jul 09, 2024

The TLS ciphers list supported by etcd contains insecure cipher suites. Users may specify that an insecure cipher is used via “--cipher-suites” flag. A list of secure suites is used by default.

• CVE-2020-11110, GHSA-xr3x-62qw-vc4w
• Affects: github.com/grafana/grafana
• Published: Jun 28, 2024
• Modified: Jul 09, 2024
• Unreviewed

Grafana stored XSS in github.com/grafana/grafana. NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions. (If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.) The additional affected modules and versions are: github.com/grafana/grafana before v6.7.2.

• CVE-2019-14271, GHSA-v2cv-wwxq-qq97
• Affects: github.com/docker/docker, github.com/moby/moby
• Published: Jun 28, 2024
• Modified: Jul 15, 2024

In Docker 19.03.x before 19.03.1 linked against the GNU C Library (aka glibc), code injection can occur when the nsswitch facility dynamically loads a library inside a chroot that contains the contents of the container.

• CVE-2020-24303, GHSA-mvpr-q6rh-8vrp
• Affects: github.com/grafana/grafana
• Published: Jun 28, 2024
• Modified: Jul 09, 2024
• Unreviewed

Grafana XSS via a query alias for the ElasticSearch datasource in github.com/grafana/grafana. NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions. (If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.) The additional affected modules and versions are: github.com/grafana/grafana before v7.1.0-beta1.

• CVE-2020-12459, GHSA-m25m-5778-fm22
• Affects: github.com/grafana/grafana
• Published: Jul 02, 2024
• Modified: Jul 09, 2024
• Unreviewed

Grafana world readable configuration files in github.com/grafana/grafana. NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions. (If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.) The additional affected modules and versions are: github.com/grafana/grafana from v6.0.0 before v7.2.1.

• CVE-2020-12245, GHSA-ccmg-w4xm-p28v
• Affects: github.com/grafana/grafana
• Published: Jun 28, 2024
• Modified: Jul 09, 2024
• Unreviewed

Grafana XSS in header column rename in github.com/grafana/grafana. NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions. (If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.) The additional affected modules and versions are: github.com/grafana/grafana before v6.7.3.

• CVE-2018-18624, GHSA-9hv8-4frf-cprf
• Affects: github.com/grafana/grafana
• Published: Jun 28, 2024
• Modified: Jul 09, 2024
• Unreviewed

Grafana XSS via a column style in github.com/grafana/grafana. NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions. (If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.) The additional affected modules and versions are: github.com/grafana/grafana before v7.0.0.

• CVE-2020-13430, GHSA-7m2x-qhrq-rp8h
• Affects: github.com/grafana/grafana
• Published: Jun 28, 2024
• Modified: Jul 09, 2024
• Unreviewed

Grafana XSS via the OpenTSDB datasource in github.com/grafana/grafana. NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions. (If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.) The additional affected modules and versions are: github.com/grafana/grafana before v7.0.0.

• CVE-2020-25816, GHSA-57gg-cj55-q5g2
• Affects: github.com/hashicorp/vault
• Published: Jun 28, 2024
• Unreviewed

Token leases could outlive their TTL in HashiCorp Vault in github.com/hashicorp/vault

• CVE-2020-12458, GHSA-3jq7-8ph8-63xm
• Affects: github.com/grafana/grafana
• Published: Jun 28, 2024
• Modified: Jul 09, 2024
• Unreviewed

Grafana information disclosure in github.com/grafana/grafana. NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions. (If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.) The additional affected modules and versions are: github.com/grafana/grafana before v7.2.1.

• CVE-2024-24557, GHSA-xw73-rw38-6vjc
• Affects: github.com/docker/docker, github.com/moby/moby
• Published: Jun 28, 2024
• Modified: Jul 01, 2024

Classic builder cache poisoning in github.com/docker/docker

• CVE-2024-0831, GHSA-vgh3-mwxq-rcp8
• Affects: github.com/hashicorp/vault
• Published: Jun 28, 2024
• Unreviewed

Hashicorp Vault may expose sensitive log information in github.com/hashicorp/vault

• CVE-2018-12099, GHSA-v5gq-qvjq-8p53
• Affects: github.com/grafana/grafana
• Published: Jun 28, 2024
• Unreviewed

Grafana Cross-site Scripting (XSS) in github.com/grafana/grafana

• CVE-2021-3282, GHSA-rq95-xf66-j689
• Affects: github.com/hashicorp/vault
• Published: Jun 28, 2024
• Unreviewed

Improper Authentication in HashiCorp Vault in github.com/hashicorp/vault

• CVE-2020-35177, GHSA-rpgp-9hmg-j25x
• Affects: github.com/hashicorp/vault
• Published: Jun 28, 2024
• Unreviewed

Enumeration of users in HashiCorp Vault in github.com/hashicorp/vault

• CVE-2020-28053, GHSA-6m72-467w-94rh
• Affects: github.com/hashicorp/consul
• Published: Jun 28, 2024
• Unreviewed

Privilege Escalation in HashiCorp Consul in github.com/hashicorp/consul

• CVE-2020-25201, GHSA-496g-fr33-whrf
• Affects: github.com/hashicorp/consul
• Published: Jun 28, 2024
• Unreviewed

Denial of service in HashiCorp Consul in github.com/hashicorp/consul

• CVE-2021-41091, GHSA-3fwx-pjgw-3558
• Affects: github.com/docker/docker, github.com/moby/moby
• Published: Jun 28, 2024
• Modified: Jul 01, 2024

Moby (Docker Engine) Insufficiently restricted permissions on data directory in github.com/docker/docker

• CVE-2024-24747, GHSA-xx8w-mq23-29g4
• Affects: github.com/minio/minio
• Published: Jun 28, 2024
• Unreviewed

Minio unsafe default: Access keys inherit `admin` of root user, allowing privilege escalation in github.com/minio/minio

• CVE-2024-23653, GHSA-wr6v-9f75-vh2g
• Affects: github.com/moby/buildkit
• Published: Feb 07, 2024
• Modified: May 20, 2024

BuildKit provides APIs for running interactive containers based on built images. It was possible to use these APIs to ask BuildKit to run a container with elevated privileges. Normally, running such containers is only allowed if special security.insecure entitlement is enabled both by buildkitd configuration and allowed by the user initializing the build request.

• CVE-2023-44312, GHSA-r8xp-52mq-rmm8
• Affects: github.com/apache/servicecomb-service-center
• Published: Jun 28, 2024
• Modified: Jul 09, 2024
• Unreviewed

Apache ServiceComb Service-Center Exposure of Sensitive Information to an Unauthorized Actor vulnerability in github.com/apache/servicecomb-service-center. NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions. (If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.) The additional affected modules and versions are: github.com/apache/servicecomb-service-center before v2.2.0.

• CVE-2023-44313, GHSA-9xc9-xq7w-vpcr
• Affects: github.com/apache/servicecomb-service-center
• Published: Jun 28, 2024
• Modified: Jul 09, 2024
• Unreviewed

Apache ServiceComb Service-Center Server-Side Request Forgery vulnerability in github.com/apache/servicecomb-service-center. NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions. (If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.) The additional affected modules and versions are: github.com/apache/servicecomb-service-center before v2.2.0.

• CVE-2024-23652, GHSA-4v98-7qmw-rqr8
• Affects: github.com/moby/buildkit
• Published: Feb 12, 2024
• Modified: May 20, 2024

A malicious BuildKit frontend or Dockerfile using RUN --mount could trick the feature that removes empty files created for the mountpoints into removing a file outside the container, from the host system.

• CVE-2024-23651, GHSA-m3r6-h7wv-7xxv
• Affects: github.com/moby/buildkit
• Published: Feb 13, 2024
• Modified: May 20, 2024

Two malicious build steps running in parallel sharing the same cache mounts with subpaths could cause a race condition that can lead to files from the host system being accessible to the build container.

• CVE-2024-23650, GHSA-9p26-698r-w4hx
• Affects: github.com/moby/buildkit
• Published: Feb 12, 2024
• Modified: May 20, 2024

A malicious BuildKit client or frontend could craft a request that could lead to a BuildKit daemon crashing with a panic.

• CVE-2024-21626, GHSA-xr7r-f8xq-vfvv
• Affects: github.com/opencontainers/runc
• Published: Jun 28, 2024
• Modified: Jul 01, 2024

Container breakout through process.cwd trickery and leaked fds in github.com/opencontainers/runc

• CVE-2024-24579, GHSA-hpxr-w9w7-g4gv
• Affects: github.com/anchore/stereoscope
• Published: Feb 13, 2024
• Modified: May 20, 2024

It is possible to craft an OCI tar archive that, when stereoscope attempts to unarchive the contents, will result in writing to paths outside of the unarchive temporary directory.

• CVE-2020-16251, GHSA-4mp7-2m29-gqxf
• Affects: github.com/hashicorp/vault
• Published: Jun 28, 2024
• Unreviewed

HashiCorp Vault Authentication bypass in github.com/hashicorp/vault

• CVE-2020-10660, GHSA-m979-w9wj-qfj9
• Affects: github.com/hashicorp/vault
• Published: Jun 28, 2024
• Unreviewed

HashiCorp Vault Improper Privilege Management in github.com/hashicorp/vault

• CVE-2020-10661, GHSA-j6vv-vv26-rh7c
• Affects: github.com/hashicorp/vault
• Published: Jun 28, 2024
• Unreviewed

HashiCorp Vault Improper Privilege Management in github.com/hashicorp/vault

• CVE-2018-18625, GHSA-6wh2-8hw7-jw94
• Affects: github.com/grafana/grafana
• Published: Jun 28, 2024
• Unreviewed

Grafana XSS via adding a link in General feature in github.com/grafana/grafana

• CVE-2024-23840, GHSA-h3q2-8whx-c29h
• Affects: github.com/goreleaser/goreleaser
• Published: Feb 13, 2024
• Modified: May 20, 2024

Secret values can be printed to the --debug log when using a a custom publisher.

• CVE-2024-23827, GHSA-xvq9-4vpv-227m
• Affects: github.com/0xJacky/Nginx-UI
• Published: Jun 28, 2024
• Modified: Jul 09, 2024
• Unreviewed

Nginx-UI vulnerable to arbitrary file write through the Import Certificate feature in github.com/0xJacky/Nginx-UI. NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions. (If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.) The additional affected modules and versions are: github.com/0xJacky/Nginx-UI before v2.0.0-beta.12.

• CVE-2024-23828, GHSA-qcjq-7f7v-pvc8
• Affects: github.com/0xJacky/Nginx-UI
• Published: Jun 28, 2024
• Modified: Jul 09, 2024
• Unreviewed

Nginx-UI vulnerable to authenticated RCE through injecting into the application config via CRLF in github.com/0xJacky/Nginx-UI. NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions. (If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.) The additional affected modules and versions are: github.com/0xJacky/Nginx-UI before v2.0.0-beta.12.

• CVE-2024-23647, GHSA-mrx3-gxjx-hjqj
• Affects: goauthentik.io
• Published: Jun 28, 2024
• Modified: Jul 09, 2024
• Unreviewed

Authentik vulnerable to PKCE downgrade attack in goauthentik.io. NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions. (If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.) The additional affected modules and versions are: goauthentik.io before v2023.8.7, from v2023.10.0 before v2023.10.7.

• CVE-2023-52354, GHSA-g4x3-mfpj-f335
• Affects: blitiri.com.ar/go/chasquid
• Published: Jun 28, 2024
• Unreviewed

chasquid HTTP Request/Response Smuggling vulnerability in github.com/albertito/chasquid in blitiri.com.ar/go/chasquid

• CVE-2024-23820, GHSA-rxpw-85vw-fx87
• Affects: github.com/openfga/openfga
• Published: Jun 28, 2024
• Unreviewed

OpenFGA denial of service in github.com/openfga/openfga

• CVE-2024-23656, GHSA-gr79-9v6v-gc9r
• Affects: github.com/dexidp/dex
• Published: Jun 28, 2024
• Modified: Jul 09, 2024
• Unreviewed

Dex discarding TLSconfig and always serves deprecated TLS 1.0/1.1 and insecure ciphers in github.com/dexidp/dex. NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions. (If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.) The additional affected modules and versions are: github.com/dexidp/dex from v2.37.0 before v2.38.0.

• CVE-2024-23332, GHSA-57wx-m636-g3g8
• Affects: github.com/notaryproject/notation
• Published: Jun 28, 2024
• Unreviewed

Go package github.com/notaryproject/notation configured with permissive trust policies potentially susceptible to rollback attack from compromised registry

• GHSA-qr8r-m495-7hc4
• Affects: github.com/cometbft/cometbft
• Published: Jan 23, 2024
• Modified: May 20, 2024

A vulnerability in CometBFT’s validation logic for VoteExtensionsEnableHeight can result in a chain halt when triggered through a governance parameter change proposal on an ABCI2 Application Chain. If a parameter change proposal including a VoteExtensionsEnableHeight modification is passed, nodes running the affected versions may panic, halting the network.

• GHSA-f6jh-hvg2-9525
• Affects: github.com/kudelskisecurity/crystals-go
• Published: Jan 17, 2024
• Modified: Jun 03, 2024

Kyberslash timing attack possible in github.com/kudelskisecurity/crystals-go

• CVE-2022-3328, GHSA-cjqf-877p-7m3f
• Affects: github.com/snapcore/snapd
• Published: Jun 05, 2024
• Modified: Jul 09, 2024
• Unreviewed

snapd Race Condition vulnerability in github.com/snapcore/snapd. NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions. (If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.) The additional affected modules and versions are: github.com/snapcore/snapd before v2.57.6.

• CVE-2023-49568, GHSA-mw99-9chc-xw7r
• Affects: gopkg.in/src-d/go-git.v4, github.com/go-git/go-git/v5
• Published: Jan 23, 2024
• Modified: May 20, 2024

Denial of service in github.com/go-git/go-git/v5 and gopkg.in/src-d/go-git.v4

• CVE-2024-22197, GHSA-pxmr-q2x3-9x9m
• Affects: github.com/0xJacky/Nginx-UI
• Published: Jan 17, 2024
• Modified: May 20, 2024

Remote command execution in github.com/0xJacky/Nginx-UI

• CVE-2024-22196, GHSA-h374-mm57-879c
• Affects: github.com/0xJacky/Nginx-UI
• Published: Jan 17, 2024
• Modified: May 20, 2024

SQL injection in github.com/0xJacky/Nginx-UI

• CVE-2024-22198, GHSA-8r25-68wm-jw35
• Affects: github.com/0xJacky/Nginx-UI
• Published: Jan 30, 2024
• Modified: May 20, 2024

Arbitrary command execution in github.com/0xJacky/Nginx-UI

• CVE-2024-22199, GHSA-4mq2-gc4j-cmw6
• Affects: github.com/gofiber/template/django/v3
• Published: Jan 17, 2024
• Modified: May 20, 2024

Cross-site scripting in github.com/gofiber/template/django/v3

• CVE-2023-49295, GHSA-ppxx-5m9h-6vxf
• Affects: github.com/quic-go/quic-go
• Published: Jan 23, 2024
• Modified: May 20, 2024

Denial of service via path validation in github.com/quic-go/quic-go

• CVE-2023-6476, GHSA-p4rx-7wvg-fwrc
• Affects: github.com/cri-o/cri-o
• Published: Jun 28, 2024
• Unreviewed

CRI-O's pods can break out of resource confinement on cgroupv2 in github.com/cri-o/cri-o

• CVE-2023-49619, GHSA-f899-4mr4-fqpv
• Affects: github.com/apache/incubator-answer
• Published: Jun 28, 2024
• Unreviewed

Apache Answer Race Condition vulnerability in github.com/apache/incubator-answer

• CVE-2023-49569, GHSA-449p-3h89-pw88
• Affects: gopkg.in/src-d/go-git.v4, github.com/go-git/go-git/v5
• Published: Jan 23, 2024
• Modified: May 20, 2024

Path traversal and RCE in github.com/go-git/go-git/v5 and gopkg.in/src-d/go-git.v4

• CVE-2024-21664, GHSA-pvcr-v8j8-j5q3
• Affects: github.com/lestrrat-go/jwx, github.com/lestrrat-go/jwx/v2
• Published: Jan 23, 2024
• Modified: May 20, 2024

Panic due to nil pointer dereference in github.com/lestrrat-go/jwx/v2

• GHSA-9763-4f94-gfch
• Affects: github.com/cloudflare/circl
• Published: Jan 18, 2024
• Modified: May 20, 2024

Timing side channel in github.com/cloudflare/circl

• Affects: github.com/bincyber/go-sqlcrypter
• Published: Jan 30, 2024
• Modified: May 20, 2024

There is a risk of an IV collision using the awskms or aesgcm provider. NIST SP 800-38D section 8.3 states that it is unsafe to encrypt more than 2^32 plaintexts under the same key when using a random IV. The limit could easily be reached given the use case of database column encryption. Ciphertexts are likely to be persisted and stored together. IV collision could enable an attacker with access to the ciphertexts to decrypt all messages encrypted with the affected key. The aesgcm provider cannot be fixed without a breaking change, so users should not encrypt more than 2^32 values with any key. The awskms package can be fixed without a breaking change by switching to a counter-based IV.

• CVE-2023-47858, GHSA-w88v-pjr8-cmv2
• Affects: github.com/mattermost/mattermost-server, github.com/mattermost/mattermost-server/v5, and 2 more
• Published: Jun 28, 2024
• Modified: Sep 06, 2024
• Unreviewed

Mattermost viewing archived public channels permissions vulnerability in github.com/mattermost/mattermost-server. NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions. (If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.) The additional affected modules and versions are: github.com/mattermost/mattermost-server before v7.8.10; github.com/mattermost/mattermost/server/v8 before v8.1.1.

• GHSA-vfxf-76hv-v4w4
• Affects: github.com/gravitational/teleport
• Published: Jun 28, 2024
• Modified: Aug 19, 2024
• Withdrawn: Jan 23, 2024
• Unreviewed

(withdrawn)

• CVE-2023-48732, GHSA-q7rx-w656-fwmv
• Affects: github.com/mattermost/mattermost-server, github.com/mattermost/mattermost-server/v5, and 2 more
• Published: Jun 28, 2024
• Modified: Jul 09, 2024
• Unreviewed

Mattermost notified all users in the channel when using WebSockets to respond individually in github.com/mattermost/mattermost-server. NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions. (If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.) The additional affected modules and versions are: github.com/mattermost/mattermost/server/v8 before v8.1.7.

• GHSA-hw4x-mcx5-9q36
• Affects: github.com/gravitational/teleport
• Published: Jun 28, 2024
• Modified: Aug 19, 2024
• Withdrawn: Jan 23, 2024
• Unreviewed

(withdrawn)

• CVE-2023-7113, GHSA-h3gq-j7p9-x3p4
• Affects: github.com/mattermost/mattermost-server, github.com/mattermost/mattermost-server/v5, and 2 more
• Published: Jun 28, 2024
• Modified: Jul 09, 2024
• Unreviewed

Mattermost Cross-site Scripting vulnerability in github.com/mattermost/mattermost-server. NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions. (If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.) The additional affected modules and versions are: github.com/mattermost/mattermost/server/v8 before v8.1.7.

• GHSA-c9v7-wmwj-vf6x
• Affects: github.com/gravitational/teleport
• Published: Jun 28, 2024
• Modified: Aug 19, 2024
• Withdrawn: Jan 23, 2024
• Unreviewed

(withdrawn)

• CVE-2023-50333, GHSA-9w97-9rqx-8v4j
• Affects: github.com/mattermost/mattermost-server, github.com/mattermost/mattermost-server/v5, and 2 more
• Published: Jun 28, 2024
• Modified: Jul 09, 2024
• Unreviewed

Mattermost allows demoted guests to change group names in github.com/mattermost/mattermost-server. NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions. (If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.) The additional affected modules and versions are: github.com/mattermost/mattermost/server/v8 before v8.1.7.

• GHSA-76cc-p55w-63g3
• Affects: github.com/gravitational/teleport
• Published: Jun 28, 2024
• Modified: Aug 19, 2024
• Withdrawn: Jan 23, 2024
• Unreviewed

(withdrawn)

• GHSA-7xg2-83f8-39mr
• Affects: github.com/karmada-io/karmada
• Published: Jun 28, 2024
• Unreviewed

The DES/3DES cipher was used as part of the TLS protocol by installation tools in github.com/karmada-io/karmada

• CVE-2023-43741, GHSA-r5hg-349q-mg2q
• Affects: github.com/buildkite/elastic-ci-stack-for-aws, github.com/buildkite/elastic-ci-stack-for-aws/v5, and 1 more
• Published: Jun 28, 2024
• Unreviewed

Buildkite Elastic CI for AWS time-of-check-time-of-use race condition vulnerability in github.com/buildkite/elastic-ci-stack-for-aws

• CVE-2023-46742, GHSA-vwch-g97w-hfg2
• Affects: github.com/cubefs/cubefs
• Published: Jun 28, 2024
• Modified: Jul 09, 2024
• Unreviewed

CubeFS leaks users key in logs in github.com/cubefs/cubefs. NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions. (If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.) The additional affected modules and versions are: github.com/cubefs/cubefs before v3.3.1.

• CVE-2023-46741, GHSA-8h2x-gr2c-c275
• Affects: github.com/cubefs/cubefs
• Published: Jun 28, 2024
• Modified: Jul 09, 2024
• Unreviewed

CubeFS leaks magic secret key when starting Blobstore access service in github.com/cubefs/cubefs. NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions. (If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.) The additional affected modules and versions are: github.com/cubefs/cubefs before v3.3.1.

• CVE-2023-46739, GHSA-8579-7p32-f398
• Affects: github.com/cubefs/cubefs
• Published: Jun 28, 2024
• Modified: Jul 09, 2024
• Unreviewed

CubeFS timing attack can leak user passwords in github.com/cubefs/cubefs. NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions. (If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.) The additional affected modules and versions are: github.com/cubefs/cubefs before v3.3.1.

• CVE-2023-46740, GHSA-4248-p65p-hcrm
• Affects: github.com/cubefs/cubefs
• Published: Jun 28, 2024
• Modified: Jul 09, 2024
• Unreviewed

Insecure random string generator used for sensitive data in github.com/cubefs/cubefs. NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions. (If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.) The additional affected modules and versions are: github.com/cubefs/cubefs before v3.3.1.

• CVE-2023-46738, GHSA-qc6v-g3xw-grmx
• Affects: github.com/cubefs/cubefs
• Published: Jun 28, 2024
• Modified: Jul 09, 2024
• Unreviewed

Authenticated users can crash the CubeFS servers with maliciously crafted requests in github.com/cubefs/cubefs. NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions. (If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.) The additional affected modules and versions are: github.com/cubefs/cubefs before v3.3.1.

• CVE-2023-5044, GHSA-fp9f-44c2-cw27
• Affects: k8s.io/ingress-nginx
• Published: Jun 28, 2024
• Modified: Jul 09, 2024
• Unreviewed

Ingress-nginx code injection via nginx.ingress.kubernetes.io/permanent-redirect annotation in k8s.io/ingress-nginx. NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions. (If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.) The additional affected modules and versions are: k8s.io/ingress-nginx before v1.9.0.

• CVE-2023-52081, GHSA-wpmx-564x-h2mh
• Affects: github.com/ewen-lbh/ffcss
• Published: Aug 21, 2024
• Unreviewed

ewen-lbh/ffcss Late-Unicode normalization vulnerability in github.com/ewen-lbh/ffcss

• CVE-2016-15036, GHSA-jpfp-xq3p-4h3r
• Affects: github.com/deis/workflow-manager
• Published: Aug 21, 2024
• Unreviewed

Deis Workflow Manager race condition vulnerability in github.com/deis/workflow-manager

• CVE-2023-51442, GHSA-wq59-4q6r-635r
• Affects: github.com/navidrome/navidrome
• Published: Aug 21, 2024
• Unreviewed

Authentication bypass vulnerability in navidrome's subsonic endpoint in github.com/navidrome/navidrome

• CVE-2023-49922, GHSA-hj4r-2c9c-29h3
• Affects: github.com/elastic/beats/v7
• Published: Jan 03, 2024
• Modified: May 20, 2024

Sensitive information logged in github.com/elastic/beats/v7

• GHSA-7ww5-4wqc-m92c
• Affects: github.com/containerd/containerd
• Published: Jan 02, 2024
• Modified: May 20, 2024

RAPL accessibility in github.com/containerd/containerd

• CVE-2023-50658, GHSA-mhpq-9638-x6pw, and 1 more
• Affects: github.com/dvsekhvalnov/jose2go
• Published: Dec 20, 2023
• Modified: Jul 02, 2024

An attacker controlled input of a PBES2 encrypted JWE blob can have a very large p2c value that, when decrypted, produces a denial-of-service.

• CVE-2023-48795, GHSA-45x7-px36-x8w8
• Affects: golang.org/x/crypto
• Published: Dec 18, 2023
• Modified: May 20, 2024

A protocol weakness allows a MITM attacker to compromise the integrity of the secure channel before it is established, allowing the attacker to prevent transmission of a number of messages immediately after the secure channel is established without either side being aware. The impact of this attack is relatively limited, as it does not compromise confidentiality of the channel. Notably this attack would allow an attacker to prevent the transmission of the SSH2_MSG_EXT_INFO message, disabling a handful of newer security features. This protocol weakness was also fixed in OpenSSH 9.6.

• CVE-2023-50424, GHSA-92cg-ghq6-9587, and 1 more
• Affects: github.com/sap/cloud-security-client-go
• Published: Dec 16, 2023
• Modified: May 20, 2024

An unauthenticated attacker can obtain arbitrary permissions within the application under certain conditions.

• CVE-2023-6337, GHSA-6p62-6cg9-f5f5
• Affects: github.com/hashicorp/vault
• Published: Jan 03, 2024
• Modified: May 20, 2024

Unauthenticated and authenticated HTTP requests from a client will be attempted to be mapped to memory. Large requests may result in the exhaustion of available memory on the host, which may cause crashes and denial of service.

• GHSA-4rgc-5g6r-2rjf
• Affects: github.com/treeverse/lakefs
• Published: Aug 21, 2024
• Unreviewed

lakeFS logs S3 credentials in plain text in github.com/treeverse/lakefs

• GHSA-26hr-q2wp-rvc5
• Affects: github.com/treeverse/lakefs
• Published: Aug 21, 2024
• Unreviewed

User with permission to write actions can impersonate another user when auth token is configured in environment variable in github.com/treeverse/lakefs

• CVE-2023-50463, GHSA-rxg9-hgq7-8pwx
• Affects: github.com/shift72/caddy-geo-ip
• Published: Jan 02, 2024
• Modified: May 20, 2024

The caddy-geo-ip (aka GeoIP) middleware for Caddy 2 allows attackers to spoof their source IP address via an X-Forwarded-For header, which may bypass a protection mechanism (trusted_proxy directive in reverse_proxy or IP address range restrictions).

• GHSA-v7hc-87jc-qrrr
• Affects: knative.dev/eventing-github
• Published: Aug 21, 2024
• Unreviewed

eventing-github vulnerable to denial of service caused by improper enforcement of the timeout on individual read operations in knative.dev/eventing-github

• CVE-2023-45292, GHSA-5mmw-p5qv-w3x5
• Affects: github.com/mojocn/base64Captcha
• Published: Dec 08, 2023
• Modified: May 20, 2024

When using the default implementation of Verify to check a Captcha, verification can be bypassed. For example, if the first parameter is a non-existent id, the second parameter is an empty string, and the third parameter is true, the function will always consider the Captcha to be correct.

• CVE-2023-26154, GHSA-5844-q3fc-56rh
• Affects: github.com/pubnub/go, github.com/pubnub/go/v5, and 3 more
• Published: Jan 02, 2024
• Modified: May 20, 2024

There is insufficient entropy in the implementation of the AES-256-CBC cryptographic algorithm. The provided encrypt functions are less secure when hex encoding and trimming are applied, leaving half of the bits in the key always the same for every encoded message or file. Users are encouraged to migrate to the new crypto package introduced in v7.2.0.

• CVE-2023-45285
• Affects: cmd/go
• Published: Dec 06, 2023
• Modified: May 20, 2024

Using go get to fetch a module with the ".git" suffix may unexpectedly fallback to the insecure "git:https://" protocol if the module is unavailable via the secure "https://" and "git+ssh:https://" protocols, even if GOINSECURE is not set for said module. This only affects users who are not using the module proxy and are fetching modules directly (i.e. GOPROXY=off).

• CVE-2023-39326
• Affects: net/http/internal
• Published: Dec 06, 2023
• Modified: May 20, 2024

A malicious HTTP sender can use chunk extensions to cause a receiver reading from a request or response body to read many more bytes from the network than are in the body. A malicious HTTP client can further exploit this to cause a server to automatically read a large amount of data (up to about 1GiB) when a handler fails to read the entire body of a request. Chunk extensions are a little-used HTTP feature which permit including additional metadata in a request or response body sent using the chunked encoding. The net/http chunked encoding reader discards this metadata. A sender can exploit this by inserting a large metadata segment with each byte transferred. The chunk reader now produces an error if the ratio of real body to encoded bytes grows too small.

• CVE-2023-47124, GHSA-8g85-whqh-cr2f
• Affects: github.com/traefik/traefik, github.com/traefik/traefik/v2, and 1 more
• Published: Aug 21, 2024
• Unreviewed

Traefik vulnerable to potential DDoS via ACME HTTPChallenge in github.com/traefik/traefik

• CVE-2023-49292, GHSA-8j98-cjfr-qx3h
• Affects: github.com/ecies/go/v2
• Published: Dec 11, 2023
• Modified: May 20, 2024

An attacker may be able to recover private keys due to a bug in the ECDH function. The library does not check whether the provided public key is on the curve, which means that an attacker can create a public key that is not on the curve and use it to recover the private key. A workaround is to manually check that the public key is valid by calling the IsOnCurve function from the secp256k1 libraries.

• CVE-2023-49290, GHSA-7f9x-gw85-8grf
• Affects: github.com/lestrrat-go/jwx, github.com/lestrrat-go/jwx/v2
• Published: Dec 11, 2023
• Modified: May 20, 2024

The JWE key management algorithms based on PBKDF2 require a JOSE Header Parameter called p2c (PBES2 Count). This parameter dictates the number of PBKDF2 iterations needed to derive a CEK wrapping key. Its purpose is to intentionally slow down the key derivation function, making password brute-force and dictionary attacks more resource-intensive. However, if an attacker sets the p2c parameter in JWE to a very large number, it can cause excessive computational consumption.

• GHSA-j3rq-4xjw-xg63
• Affects: github.com/edgelesssys/marblerun
• Published: Aug 21, 2024
• Unreviewed

Go package github.com/edgelesssys/marblerun CLI commands susceptible to MITM attacks

• CVE-2023-47633, GHSA-6fwg-jrfw-ff7p
• Affects: github.com/traefik/traefik, github.com/traefik/traefik/v2, and 1 more
• Published: Aug 21, 2024
• Unreviewed

Traefik docker container using 100% CPU in github.com/traefik/traefik

• CVE-2023-47106, GHSA-fvhj-4qfh-q2hm
• Affects: github.com/traefik/traefik, github.com/traefik/traefik/v2, and 1 more
• Published: Aug 21, 2024
• Unreviewed

Traefik incorrectly processes fragment in the URL, leads to Authorization Bypass in github.com/traefik/traefik

• CVE-2023-45287
• Affects: crypto/tls
• Published: Dec 05, 2023
• Modified: May 20, 2024

Before Go 1.20, the RSA based TLS key exchanges used the math/big library, which is not constant time. RSA blinding was applied to prevent timing attacks, but analysis shows this may not have been fully effective. In particular it appears as if the removal of PKCS#1 padding may leak timing information, which in turn could be used to recover session key bits. In Go 1.20, the crypto/tls library switched to a fully constant time RSA implementation, which we do not believe exhibits any timing side channels.

• CVE-2023-48713, GHSA-qmvj-4qr9-v547
• Affects: knative.dev/serving
• Published: Aug 21, 2024
• Unreviewed

Knative Serving vulnerable to attacker-controlled pod causing denial of service of autoscaler in knative.dev/serving

• CVE-2023-48312, GHSA-fpvw-6m5v-hqfp
• Affects: github.com/projectcapsule/capsule-proxy
• Published: Aug 21, 2024
• Unreviewed

Capsule Proxy Authentication bypass using an empty token in github.com/projectcapsule/capsule-proxy

• CVE-2023-2980, GHSA-j327-c69h-4gh8
• Affects: github.com/pydio/cells, github.com/pydio/cells/v4
• Published: Aug 21, 2024
• Unreviewed

Abstrium Pydio Cells Resource Injection vulnerability in github.com/pydio/cells

• CVE-2023-5528, GHSA-hq6q-c2x6-hmch
• Affects: k8s.io/kubernetes
• Published: Aug 21, 2024
• Unreviewed

Kubernetes Improper Input Validation vulnerability in k8s.io/kubernetes

• CVE-2023-47630, GHSA-3hfq-cx9j-923w
• Affects: github.com/kyverno/kyverno
• Published: Aug 21, 2024
• Unreviewed

Attacker can cause Kyverno user to unintentionally consume insecure image in github.com/kyverno/kyverno

• CVE-2023-42816, GHSA-4mp4-46gq-hv3r
• Affects: github.com/kyverno/kyverno
• Published: Aug 21, 2024
• Unreviewed

Denial of service from malicious signature in kyverno in github.com/kyverno/kyverno

• CVE-2023-42815, GHSA-hjpv-68f4-2262
• Affects: github.com/kyverno/kyverno
• Published: Aug 21, 2024
• Unreviewed

Denial of service from malicious image manifest in kyverno in github.com/kyverno/kyverno

• CVE-2023-42814, GHSA-9g37-h7p2-2c6r
• Affects: github.com/kyverno/kyverno
• Published: Aug 21, 2024
• Unreviewed

Denial of service from malicious image manifest in kyverno in github.com/kyverno/kyverno

• CVE-2023-42813, GHSA-wc3x-5rfv-hh5v
• Affects: github.com/kyverno/kyverno
• Published: Aug 21, 2024
• Unreviewed

Denial of service from malicious manifest in kyverno in github.com/kyverno/kyverno

• GHSA-2c7c-3mj9-8fqh
• Affects: github.com/go-jose/go-jose/v3, github.com/square/go-jose
• Published: Nov 21, 2023
• Modified: May 20, 2024

The go-jose package is subject to a "billion hashes attack" causing denial-of-service when decrypting JWE inputs. This occurs when an attacker can provide a PBES2 encrypted JWE blob with a very large p2c value that, when decrypted, produces a denial-of-service.

• GHSA-rjjm-x32p-m3f7
• Affects: github.com/consensys/gnark
• Published: Nov 15, 2023
• Modified: May 20, 2024

Range checker gadget allows wider inputs than allowed in github.com/consensys/gnark

• CVE-2023-47122, GHSA-xvrc-2wvh-49vc
• Affects: github.com/sigstore/gitsign
• Published: Aug 21, 2024
• Unreviewed

Gitsign's Rekor public keys fetched from upstream API instead of local TUF client. in github.com/sigstore/gitsign

• CVE-2023-47108, GHSA-8pgv-569h-w5rw
• Affects: go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc
• Published: Jun 27, 2024

The grpc Unary Server Interceptor created by the otelgrpc package added the labels net.peer.sock.addr and net.peer.sock.port with unbounded cardinality. This can lead to the server's potential memory exhaustion when many malicious requests are sent. This leads to a denial-of-service.

• CVE-2023-3676, GHSA-7fxm-f474-hf8w
• Affects: k8s.io/kubernetes
• Published: Aug 21, 2024
• Unreviewed

Kubernetes privilege escalation vulnerability in k8s.io/kubernetes

• CVE-2023-5954, GHSA-4qhc-v8r6-8vwm
• Affects: github.com/hashicorp/vault
• Published: Aug 21, 2024
• Unreviewed

HashiCorp Vault Missing Release of Memory after Effective Lifetime vulnerability in github.com/hashicorp/vault

• CVE-2023-45286, GHSA-xwh9-gc39-5298
• Affects: github.com/go-resty/resty/v2
• Published: Nov 27, 2023
• Modified: May 20, 2024

A race condition in go-resty can result in HTTP request body disclosure across requests. This condition can be triggered by calling sync.Pool.Put with the same *bytes.Buffer more than once, when request retries are enabled and a retry occurs. The call to sync.Pool.Get will then return a bytes.Buffer that hasn't had bytes.Buffer.Reset called on it. This dirty buffer will contain the HTTP request body from an unrelated request, and go-resty will append the current HTTP request body to it, sending two bodies in one request. The sync.Pool in question is defined at package level scope, so a completely unrelated server could receive the request body.

• GHSA-r2xv-vpr2-42m9
• Affects: github.com/slsa-framework/slsa-verifier, github.com/slsa-framework/slsa-verifier/v2
• Published: Aug 21, 2024
• Unreviewed

slsa-verifier vulnerable to mproper validation of npm's publish attestations in github.com/slsa-framework/slsa-verifier

• CVE-2023-45284
• Affects: path/filepath
• Published: Nov 08, 2023
• Modified: May 20, 2024

On Windows, The IsLocal function does not correctly detect reserved device names in some cases. Reserved names followed by spaces, such as "COM1 ", and reserved names "COM" and "LPT" followed by superscript 1, 2, or 3, are incorrectly reported as local. With fix, IsLocal now correctly reports these names as non-local.

• CVE-2023-45283
• Affects: path/filepath, internal/safefilepath, and 1 more
• Published: Nov 08, 2023
• Modified: May 20, 2024

The filepath package does not recognize paths with a \??\ prefix as special. On Windows, a path beginning with \??\ is a Root Local Device path equivalent to a path beginning with \\?\. Paths with a \??\ prefix may be used to access arbitrary locations on the system. For example, the path \??\c:\x is equivalent to the more common path c:\x. Before fix, Clean could convert a rooted path such as \a\..\??\b into the root local device path \??\b. Clean will now convert this to .\??\b. Similarly, Join(\, ??, b) could convert a seemingly innocent sequence of path elements into the root local device path \??\b. Join will now convert this to \.\??\b. In addition, with fix, IsAbs now correctly reports paths beginning with \??\ as absolute, and VolumeName correctly reports the \??\ prefix as a volume name. UPDATE: Go 1.20.11 and Go 1.21.4 inadvertently changed the definition of the volume name in Windows paths starting with \?, resulting in filepath.Clean(\?\c:) returning \?\c: rather than \?\c:\ (among other effects). The previous behavior has been restored.

• CVE-2023-46737, GHSA-vfp6-jrw2-99g9
• Affects: github.com/sigstore/cosign, github.com/sigstore/cosign/v2
• Published: Nov 09, 2023
• Modified: May 20, 2024

An attacker who controls a remote registry can return a high number of attestations and/or signatures to cosign. This can cause cosign to enter a long loop resulting in a denial of service, i.e., endless data attack.

• CVE-2023-3893, GHSA-r6cc-7wj7-gfx2
• Affects: github.com/kubernetes-csi/csi-proxy, github.com/kubernetes-csi/csi-proxy/v2
• Published: Aug 21, 2024
• Unreviewed

Kubernetes csi-proxy vulnerable to privilege escalation due to improper input validation in github.com/kubernetes-csi/csi-proxy

• CVE-2023-3955, GHSA-q78c-gwqw-jcmc
• Affects: k8s.io/kubernetes
• Published: Aug 21, 2024
• Unreviewed

Kubernetes privilege escalation vulnerability in k8s.io/kubernetes

• CVE-2023-46255, GHSA-jg7w-cxjv-98c2
• Affects: github.com/authzed/spicedb
• Published: Aug 21, 2024
• Unreviewed

SpiceDB leaks information in log files when URI cannot be parsed in github.com/authzed/spicedb

• CVE-2023-46129, GHSA-mr45-rx8q-wcm9
• Affects: github.com/nats-io/nkeys
• Published: Nov 02, 2023
• Modified: May 20, 2024

Curve KeyPairs always use the same (all-zeros) key to encrypt data, and provide no security.

• CVE-2023-41891, GHSA-r847-6w6h-r8g4
• Affects: github.com/flyteorg/flyteadmin
• Published: Nov 02, 2023
• Modified: May 20, 2024

A malicious user can send a REST request to a List endpoint with filters that contain custom SQL statements. This can result in SQL injection.

• CVE-2023-46239, GHSA-3q6m-v84f-6p9h
• Affects: github.com/quic-go/quic-go
• Published: Nov 02, 2023
• Modified: May 20, 2024

The QUIC handshake can cause a panic when processing a certain sequence of frames. A malicious peer can deliberately trigger this panic.

• CVE-2021-25736, GHSA-35c7-w35f-xwgh
• Affects: k8s.io/kubernetes
• Published: Aug 21, 2024
• Unreviewed

Kube-proxy may unintentionally forward traffic in k8s.io/kubernetes

• CVE-2023-4457, GHSA-37x5-qpm8-53rq
• Affects: github.com/grafana/google-sheets-datasource
• Published: Nov 02, 2023
• Modified: May 20, 2024

Error messages for the Google Sheets data source plugin were improperly sanitized. The Google Sheet API-key could potentially be exposed.

• GHSA-w6rp-vxj2-fjhr
• Affects: github.com/cosmos/ibc-apps/middleware/packet-forward-middleware/v4, github.com/cosmos/ibc-apps/middleware/packet-forward-middleware/v5, and 1 more
• Published: Aug 21, 2024
• Unreviewed

Cosmos packet-forward-middleware vulnerable to chain-halt in github.com/cosmos/ibc-apps/middleware/packet-forward-middleware

• GHSA-m425-mq94-257g
• Affects: google.golang.org/grpc
• Published: Nov 01, 2023
• Modified: May 20, 2024

An attacker can send HTTP/2 requests, cancel them, and send subsequent requests. This is valid by the HTTP/2 protocol, but would cause the gRPC-Go server to launch more concurrent method handlers than the configured maximum stream limit, grpc.MaxConcurrentStreams. This results in a denial of service due to resource consumption.

• CVE-2023-45825, GHSA-q24m-6h38-5xj8
• Affects: github.com/ydb-platform/ydb-go-sdk/v3
• Published: Oct 24, 2023
• Modified: May 20, 2024

A custom credentials object that does not implement the fmt.Stringer interface may leak sensitive information (e.g., credentials) via logs.

• CVE-2023-45823, GHSA-hmq4-c2r4-5q8h
• Affects: github.com/artifacthub/hub
• Published: Aug 21, 2024
• Unreviewed

Artifact Hub arbitrary file read vulnerability in github.com/artifacthub/hub

• CVE-2023-45821, GHSA-g6pq-x539-7w4j
• Affects: github.com/artifacthub/hub
• Published: Aug 21, 2024
• Unreviewed

Artifact Hub has Incorrect Docker Hub registry check in github.com/artifacthub/hub

• CVE-2023-45822, GHSA-9pc8-m4vp-ggvf
• Affects: github.com/artifacthub/hub
• Published: Aug 21, 2024
• Unreviewed

Artifact Hub allows unsafe rego built-in in github.com/artifacthub/hub

• CVE-2023-47090, GHSA-fr2g-9hjm-wr23
• Affects: github.com/nats-io/nats-server/v2
• Published: Oct 24, 2023
• Modified: May 20, 2024

Without any authorization rules in the nats-server, users can connect without authentication. Before nats-server 2.2.0, all authentication and authorization rules for a nats-server lived in an "authorization" block, defining users. With nats-server 2.2.0 all users live inside accounts. When using the authorization block, whose syntax predates this, those users will be placed into the implicit global account, "$G". Users inside accounts go into the newer "accounts" block. If an "accounts" block is defined, in simple deployment scenarios this is often used only to enable client access to the system account. When the only account added is the system account "$SYS", the nats-server would create an implicit user in "$G" and set it as the "no_auth_user" account, enabling the same "without authentication" logic as without any rules. This preserved the ability to connect simply, and then add one authenticated login for system access. But with an "authorization" block, this is wrong. Users exist in the global account, with login rules. And in simple testing, they might still connect fine without administrators seeing that authentication has been disabled. In the fixed versions, using an "authorization" block will inhibit the implicit creation of a "$G" user and setting it as the "no_auth_user" target. In unfixed versions, just creating a second account, with no users, will also inhibit this behavior.

• CVE-2023-1943, GHSA-8gwj-m6vh-2g6j
• Affects: k8s.io/kops
• Published: Aug 21, 2024
• Unreviewed

kOps privilege escalation vulnerability in k8s.io/kops

• CVE-2023-45810, GHSA-hr4f-6jh8-f2vq
• Affects: github.com/openfga/openfga
• Published: Aug 21, 2024
• Unreviewed

OpenFGA DoS vulnerability in github.com/openfga/openfga

• GHSA-7p92-x423-vwj6
• Affects: github.com/consensys/gnark
• Published: Oct 24, 2023
• Modified: May 20, 2024

A a third party may derive a valid proof from a valid initial tuple {proof, public_inputs}, corresponding to the same public inputs as the initial proof. This vulnerability is due to randomness being generated using a small part of the scratch memory describing the state, allowing for degrees of freedom in the transcript. Note that the impact is limited to the PlonK verifier smart contract.

• CVE-2023-45141, GHSA-mv73-f69x-444p
• Affects: github.com/gofiber/fiber/v2
• Published: Oct 24, 2023
• Modified: May 20, 2024

A cross-site request forgery vulnerability can allow an attacker to obtain tokens and forge malicious requests on behalf of a user. This can lead to unauthorized actions being taken on the user's behalf, potentially compromising the security and integrity of the application. The vulnerability is caused by improper validation and enforcement of CSRF tokens within the application. The CSRF token is validated against tokens in storage but was is not tied to the original requestor that generated it, allowing for token reuse.

• CVE-2023-45128, GHSA-94w9-97p3-p368
• Affects: github.com/gofiber/fiber/v2
• Published: Oct 24, 2023
• Modified: May 20, 2024

A cross-site request forgery vulnerability in this package can allow an attacker to inject arbitrary values and forge malicious requests on behalf of a user. The attacker may inject arbitrary values without any authentication, or perform various malicious actions on behalf of an authenticated user, potentially compromising the security and integrity of the application. The vulnerability is caused by improper validation and enforcement of CSRF tokens within the application. For 'safe' methods, the token is extracted from the cookie and saved to storage without further validation or sanitization. In addition, the CSRF token is validated against tokens in storage but not associated with a session, nor by using a Double Submit Cookie Method, allowing for token reuse.

• CVE-2023-45683, GHSA-267v-3v32-g6q5
• Affects: github.com/crewjam/saml
• Published: Oct 24, 2023
• Modified: May 20, 2024

The package does not validate the ACS Location URI according to the SAML binding being parsed. If abused, this flaw allows attackers to register malicious Service Providers at the IdP and inject Javascript in the ACS endpoint definition, achieving Cross-Site-Scripting (XSS) in the IdP context during the redirection at the end of a SAML SSO Flow. Consequently, an attacker may perform any authenticated action as the victim once the victim's browser loads the SAML IdP initiated SSO link for the malicious service provider.

• CVE-2023-45142, GHSA-rcjv-mgp8-qvmr
• Affects: go.opentelemetry.io/contrib/instrumentation/github.com/emicklei/go-restful/otelrestful, go.opentelemetry.io/contrib/instrumentation/github.com/gin-gonic/gin/otelgin, and 5 more
• Published: Oct 16, 2023
• Modified: May 20, 2024

Memory exhaustion in go.opentelemetry.io/contrib/instrumentation

• CVE-2023-20902, GHSA-mq6f-5xh5-hgcf
• Affects: github.com/goharbor/harbor
• Published: Aug 21, 2024
• Unreviewed

Harbor timing attack risk in github.com/goharbor/harbor

• CVE-2023-39325, GHSA-4374-p667-p6c8
• Affects: net/http, golang.org/x/net
• Published: Oct 11, 2023
• Modified: May 20, 2024

A malicious HTTP/2 client which rapidly creates requests and immediately resets them can cause excessive server resource consumption. While the total number of requests is bounded by the http2.Server.MaxConcurrentStreams setting, resetting an in-progress request allows the attacker to create a new request while the existing one is still executing. With the fix applied, HTTP/2 servers now bound the number of simultaneously executing handler goroutines to the stream concurrency limit (MaxConcurrentStreams). New requests arriving when at the limit (which can only happen after the client has reset an existing, in-flight request) will be queued until a handler exits. If the request queue grows too large, the server will terminate the connection. This issue is also fixed in golang.org/x/net/http2 for users manually configuring HTTP/2. The default stream concurrency limit is 250 streams (requests) per HTTP/2 connection. This value may be adjusted using the golang.org/x/net/http2 package; see the Server.MaxConcurrentStreams setting and the ConfigureServer function.

• GHSA-pffg-92cg-xf5c
• Affects: github.com/consensys/gnark-crypto
• Published: Oct 09, 2023
• Modified: May 20, 2024

Incorrect exponentiation results in github.com/consensys/gnark-crypto

• CVE-2023-44378, GHSA-498w-5j49-vqjg
• Affects: github.com/consensys/gnark
• Published: Oct 09, 2023
• Modified: May 20, 2024

Unsoundness in variable comparison / non-unique binary decomposition in github.com/consensys/gnark

• CVE-2023-43809, GHSA-mc97-99j4-vm2v
• Affects: github.com/charmbracelet/soft-serve
• Published: Aug 21, 2024
• Unreviewed

Soft Serve Public Key Authentication Bypass Vulnerability when Keyboard-Interactive SSH Authentication is Enabled in github.com/charmbracelet/soft-serve

• CVE-2023-44273, GHSA-9xfq-8j3r-xp5g
• Affects: github.com/consensys/gnark-crypto
• Published: Oct 05, 2023
• Modified: May 20, 2024

Signature malleability in github.com/consensys/gnark-crypto

• CVE-2023-39323
• Affects: cmd/go
• Published: Oct 05, 2023
• Modified: May 20, 2024

Line directives ("//line") can be used to bypass the restrictions on "//go:cgo_" directives, allowing blocked linker and compiler flags to be passed during compilation. This can result in unexpected execution of arbitrary code when running "go build". The line directive requires the absolute path of the file in which the directive lives, which makes exploiting this issue significantly more complex.

• CVE-2023-5077, GHSA-86c6-3g63-5w64
• Affects: github.com/hashicorp/vault
• Published: Aug 21, 2024
• Unreviewed

Hashicorp Vault Incorrect Permission Assignment for Critical Resource vulnerability in github.com/hashicorp/vault

• CVE-2023-40026, GHSA-6jqw-jwf5-rp8h
• Affects: github.com/argoproj/argo-cd, github.com/argoproj/argo-cd/v2
• Published: Aug 21, 2024
• Unreviewed

Path traversal allows leaking out-of-bound Helm charts from Argo CD repo-server in github.com/argoproj/argo-cd

• CVE-2023-43645, GHSA-2hm9-h873-pgqh
• Affects: github.com/openfga/openfga
• Published: Aug 21, 2024
• Unreviewed

OpenFGA Vulnerable to DoS from circular relationship definitions in github.com/openfga/openfga

• CVE-2023-41333, GHSA-4xp2-w642-7mcx
• Affects: github.com/cilium/cilium
• Published: Aug 21, 2024
• Unreviewed

Cilium vulnerable to bypass of namespace restrictions in CiliumNetworkPolicy in github.com/cilium/cilium

• CVE-2023-41332, GHSA-24m5-r6hv-ccgp
• Affects: github.com/cilium/cilium
• Published: Aug 21, 2024
• Unreviewed

Specific Cilium configurations vulnerable to DoS via Kubernetes annotations in github.com/cilium/cilium

• CVE-2023-39347, GHSA-gj2r-phwg-6rww
• Affects: github.com/cilium/cilium
• Published: Aug 21, 2024
• Unreviewed

Kubernetes users may update Pod labels to bypass network policy in github.com/cilium/cilium

• CVE-2023-43644, GHSA-r5hm-mp3j-285g
• Affects: github.com/sagernet/sing
• Published: Oct 02, 2023
• Modified: May 20, 2024

Authentication bypass in github.com/sagernet/sing

• CVE-2022-3962, GHSA-6f4m-j56w-55c3
• Affects: github.com/kiali/kiali
• Published: Aug 21, 2024
• Unreviewed

Kiali content spoofing vulnerability in github.com/kiali/kiali

• CVE-2023-42821, GHSA-m9xq-6h2j-65r2
• Affects: github.com/gomarkdown/markdown
• Published: Sep 22, 2023
• Modified: May 20, 2024

Parser out-of-bounds read caused by a malformed markdown input in github.com/gomarkdown/markdown

• CVE-2023-43619, GHSA-ppjh-xp5v-46wc
• Affects: github.com/schollz/croc, github.com/schollz/croc/v6, and 2 more
• Published: Aug 21, 2024
• Unreviewed

Croc sender may send dangerous new files to receiver in github.com/schollz/croc

• CVE-2023-43617, GHSA-hp56-xvf4-g6wr
• Affects: github.com/schollz/croc, github.com/schollz/croc/v6, and 2 more
• Published: Aug 21, 2024
• Unreviewed

Cros secrets may be disclosed to untrusted relay in github.com/schollz/croc

• CVE-2023-43616, GHSA-8c8w-f7wp-2jr2
• Affects: github.com/schollz/croc, github.com/schollz/croc/v6, and 2 more
• Published: Aug 21, 2024
• Unreviewed

Sender can cause a receiver to overwrite files during ZIP extraction in Croc in github.com/schollz/croc

• CVE-2023-43618, GHSA-7mp6-929p-pqhj
• Affects: github.com/schollz/croc, github.com/schollz/croc/v6, and 2 more
• Published: Aug 21, 2024
• Unreviewed

Croc requires senders to provide local IP addresses in cleartext in github.com/schollz/croc

• CVE-2023-43621, GHSA-7g3v-4ggr-xvjf
• Affects: github.com/schollz/croc, github.com/schollz/croc/v6, and 2 more
• Published: Aug 21, 2024
• Unreviewed

Croc may expose secret to local users in github.com/schollz/croc

• CVE-2023-43620, GHSA-364c-vvqx-446c
• Affects: github.com/schollz/croc, github.com/schollz/croc/v6, and 2 more
• Published: Aug 21, 2024
• Unreviewed

Croc sender may place ANSI or CSI escape sequences in filename to attach receiver's terminal device in github.com/schollz/croc

• CVE-2023-37279, GHSA-x4hh-vjm7-g2jv
• Affects: github.com/contribsys/faktory
• Published: Aug 21, 2024
• Unreviewed

Faktory Web Dashboard can lead to denial of service(DOS) via malicious user input in github.com/contribsys/faktory

• CVE-2022-28357, GHSA-vpjc-4jcv-jc29
• Affects: github.com/nats-io/nats-server, github.com/nats-io/nats-server/v2
• Published: Aug 21, 2024
• Unreviewed

NATS nats-server allows directory traversal via unintended path to a management action in github.com/nats-io/nats-server

• CVE-2023-5036, GHSA-2g7r-9xq5-c6hv
• Affects: github.com/usememos/memos
• Published: Aug 21, 2024
• Unreviewed

Cross-Site Request Forgery (CSRF) in usememos/memos in github.com/usememos/memos

• CVE-2023-4680, GHSA-v84f-6r39-cpfc
• Affects: github.com/hashicorp/vault
• Published: Aug 21, 2024
• Unreviewed

HashiCorp Vault Improper Input Validation vulnerability in github.com/hashicorp/vault

• CVE-2023-4782, GHSA-h626-pv66-hhm7
• Affects: github.com/hashicorp/terraform
• Published: Aug 21, 2024
• Unreviewed

Terraform allows arbitrary file write during the `init` operation in github.com/hashicorp/terraform

• CVE-2023-41318, GHSA-5crw-6j7v-xc72
• Affects: github.com/turt2live/matrix-media-repo
• Published: Aug 21, 2024
• Unreviewed

matrix-media-repo: Unsafe media served inline on download endpoints in github.com/turt2live/matrix-media-repo

• CVE-2023-41338, GHSA-3q5p-3558-364f
• Affects: github.com/gofiber/fiber/v2
• Published: Sep 12, 2023
• Modified: May 20, 2024

The Ctx.IsFromLocal function can incorrectly report a request as being sent from localhost when the request contains an X-Forwarded-For header containing a localhost IP address.

• CVE-2023-4815, GHSA-pj2h-85jq-g5vg
• Affects: github.com/answerdev/answer
• Published: Aug 21, 2024
• Unreviewed

Answer Missing Authentication for Critical Function in github.com/answerdev/answer

• CVE-2023-40584, GHSA-g687-f2gx-6wm8
• Affects: github.com/argoproj/argo-cd, github.com/argoproj/argo-cd/v2
• Published: Aug 21, 2024
• Unreviewed

Argo CD repo-server Denial of Service vulnerability in github.com/argoproj/argo-cd

• CVE-2023-40029, GHSA-fwr2-64vr-xv9m
• Affects: github.com/argoproj/argo-cd, github.com/argoproj/argo-cd/v2
• Published: Aug 21, 2024
• Unreviewed

Argo CD cluster secret might leak in cluster details page in github.com/argoproj/argo-cd

• GHSA-6xv5-86q9-7xr8
• Affects: github.com/cyphar/filepath-securejoin
• Published: Sep 13, 2023
• Modified: May 20, 2024

Certain rootfs and path combinations result in generated paths that are outside of the provided rootfs on Windows.

• CVE-2023-40591, GHSA-ppjg-v974-84cm
• Affects: github.com/ethereum/go-ethereum
• Published: Oct 25, 2023
• Modified: May 20, 2024

Unbounded memory consumption in github.com/ethereum/go-ethereum

• CVE-2023-39322
• Affects: crypto/tls
• Published: Sep 07, 2023
• Modified: May 20, 2024

QUIC connections do not set an upper bound on the amount of data buffered when reading post-handshake messages, allowing a malicious QUIC connection to cause unbounded memory growth. With fix, connections now consistently reject messages larger than 65KiB in size.

• CVE-2023-39321
• Affects: crypto/tls
• Published: Sep 07, 2023
• Modified: May 20, 2024

Processing an incomplete post-handshake message for a QUIC connection can cause a panic.

• CVE-2023-39319
• Affects: html/template
• Published: Sep 07, 2023
• Modified: May 20, 2024

The html/template package does not apply the proper rules for handling occurrences of "<script", "<!--", and "</script" within JS literals in <script> contexts. This may cause the template parser to improperly consider script contexts to be terminated early, causing actions to be improperly escaped. This could be leveraged to perform an XSS attack.

• CVE-2023-39320
• Affects: cmd/go
• Published: Sep 07, 2023
• Modified: May 20, 2024

The go.mod toolchain directive, introduced in Go 1.21, can be leveraged to execute scripts and binaries relative to the root of the module when the "go" command was executed within the module. This applies to modules downloaded using the "go" command from the module proxy, as well as modules downloaded directly using VCS software.

• CVE-2023-39318
• Affects: html/template
• Published: Sep 07, 2023
• Modified: May 20, 2024

The html/template package does not properly handle HTML-like "" comment tokens, nor hashbang "#!" comment tokens, in <script> contexts. This may cause the template parser to improperly interpret the contents of <script> contexts, causing actions to be improperly escaped. This may be leveraged to perform an XSS attack.

• CVE-2023-4696, GHSA-j2gj-g3p9-7mrr
• Affects: github.com/usememos/memos
• Published: Aug 21, 2024
• Unreviewed

Account TakeOver Due to Improper Handling of JWT Tokens in usememos/memos in github.com/usememos/memos

• CVE-2023-4697, GHSA-5j6p-59cj-j6cp
• Affects: github.com/usememos/memos
• Published: Aug 21, 2024
• Unreviewed

usememos/memos vulnerable to privilege escalation in github.com/usememos/memos

• CVE-2023-40579, GHSA-jcf2-mxr2-gmqp
• Affects: github.com/openfga/openfga
• Published: Aug 21, 2024
• Unreviewed

OpenFGA Authorization Bypass in github.com/openfga/openfga

• CVE-2023-37469, GHSA-92vc-4fcw-g68q
• Affects: github.com/IceWhaleTech/CasaOS
• Published: Aug 21, 2024
• Unreviewed

CasaOS Command Injection vulnerability in github.com/IceWhaleTech/CasaOS

• CVE-2023-32079, GHSA-826j-8wp2-4x6q
• Affects: github.com/gravitl/netmaker
• Published: Aug 21, 2024
• Unreviewed

Netmaker Vulnerable to Privilege Escalation From Non Admin To Admin User in github.com/gravitl/netmaker

• CVE-2023-40583, GHSA-gcq9-qqwx-rgj3
• Affects: github.com/libp2p/go-libp2p
• Published: Sep 13, 2023
• Modified: May 20, 2024

A malicious actor can store an arbitrary amount of data in the memory of a remote node by sending the node a message with a signed peer record. Signed peer records from randomly generated peers can be sent by a malicious actor. This memory does not get garbage collected and so the remote node can run out of memory (OOM).

• CVE-2023-32078, GHSA-256m-j5qw-38f4
• Affects: github.com/gravitl/netmaker
• Published: Aug 21, 2024
• Unreviewed

Netmaker IDOR Allows User to Update Other User's Password in github.com/gravitl/netmaker

• CVE-2023-32077, GHSA-8x8h-hcq8-jwwx
• Affects: github.com/gravitl/netmaker
• Published: Aug 21, 2024
• Unreviewed

Netmaker has Hardcoded DNS Secret Key in github.com/gravitl/netmaker

• CVE-2023-40577, GHSA-v86x-5fm3-5p7j
• Affects: github.com/prometheus/alertmanager
• Published: Aug 21, 2024
• Unreviewed

Alertmanager UI is vulnerable to stored XSS via the /api/v1/alerts endpoint in github.com/prometheus/alertmanager

• CVE-2023-40025, GHSA-c8xw-vjgf-94hr
• Affects: github.com/argoproj/argo-cd, github.com/argoproj/argo-cd/v2
• Published: Aug 21, 2024
• Unreviewed

Argo CD web terminal session doesn't expire in github.com/argoproj/argo-cd

• CVE-2023-38976, GHSA-8697-479h-5mfp
• Affects: github.com/weaviate/weaviate
• Published: Nov 02, 2023
• Modified: May 20, 2024

A type conversion issue in Weaviate may allow a remote attack that would cause a denial of service.

• CVE-2023-40034, GHSA-4gcf-5m39-98mc
• Affects: github.com/woodpecker-ci/woodpecker
• Published: Aug 21, 2024
• Unreviewed

Woodpecker does not validate webhook before changing any data in github.com/woodpecker-ci/woodpecker

• GHSA-9phh-r37v-34wh
• Affects: github.com/treeverse/lakefs
• Published: Aug 21, 2024
• Unreviewed

lakeFS vulnerable to Arbitrary JavaScript Injection via Direct Link to HTML Files in github.com/treeverse/lakefs

• CVE-2023-40023, GHSA-xvhg-w6qc-m3qq
• Affects: github.com/yaklang/yaklang
• Published: Aug 21, 2024
• Unreviewed

Yaklang Plugin's Fuzztag Component Allows Unauthorized Local File Reading in github.com/yaklang/yaklang

• CVE-2023-39966, GHSA-hf7j-xj3w-87g4
• Affects: github.com/1Panel-dev/1Panel
• Published: Aug 21, 2024
• Unreviewed

1Panel arbitrary file write vulnerability in github.com/1Panel-dev/1Panel

• CVE-2023-39965, GHSA-85cf-gj29-f555
• Affects: github.com/1Panel-dev/1Panel
• Published: Aug 21, 2024
• Unreviewed

1Panel Arbitrary File Download vulnerability in github.com/1Panel-dev/1Panel

• CVE-2023-39964, GHSA-pv7q-v9mv-9mh5
• Affects: github.com/1Panel-dev/1Panel
• Published: Aug 21, 2024
• Unreviewed

1Panel O&M management panel has a background arbitrary file reading vulnerability in github.com/1Panel-dev/1Panel

• GHSA-8c37-7qx3-4c4p
• Affects: github.com/supranational/blst
• Published: Aug 10, 2023
• Modified: May 20, 2024

When complemented with a check for infinity, blst skips performing a signature group-check. Formally speaking, infinity is the identity element of the elliptic curve group and as such it is a member of the group, so the group-check should be performed. The fix performs the check even in the presence of infinity.

• CVE-2023-4125, GHSA-j63x-f657-2m9g
• Affects: github.com/answerdev/answer
• Published: Aug 21, 2024
• Unreviewed

Answer has Weak Password Requirements in github.com/answerdev/answer

• CVE-2023-39533, GHSA-876p-8259-xjgg
• Affects: github.com/libp2p/go-libp2p
• Published: Aug 08, 2023
• Modified: May 20, 2024

Large RSA keys can lead to resource exhaustion attacks. With fix, the size of RSA keys transmitted during handshakes is restricted to <= 8192 bits.

• CVE-2022-38795, GHSA-8j3v-68w3-3848
• Affects: code.gitea.io/gitea
• Published: Aug 21, 2024
• Unreviewed

Gitea erroneous repo clones in code.gitea.io/gitea

• CVE-2023-37896, GHSA-2xx4-jj5v-6mff
• Affects: github.com/projectdiscovery/nuclei/v2
• Published: Aug 23, 2023
• Modified: May 20, 2024

Improper path sanitization in sandbox mode in github.com/projectdiscovery/nuclei/v2

• CVE-2023-4124, GHSA-v9vc-7x69-c2x8
• Affects: github.com/answerdev/answer
• Published: Aug 21, 2024
• Unreviewed

Answer Missing Authorization vulnerability in github.com/answerdev/answer

• CVE-2023-4126, GHSA-ggcf-hwxp-rc77
• Affects: github.com/answerdev/answer
• Published: Aug 20, 2024
• Unreviewed

Answer Insufficient Session Expiration vulnerability in github.com/answerdev/answer

• CVE-2023-4127, GHSA-52h8-c876-989c
• Affects: github.com/answerdev/answer
• Published: Aug 20, 2024
• Unreviewed

Answer has Race Condition within a Thread in github.com/answerdev/answer

• CVE-2019-1010275, GHSA-x6r5-vxfg-gq3v
• Affects: helm.sh/helm
• Published: Aug 20, 2024
• Unreviewed

Helm Improper Certificate Validation in helm.sh/helm

• CVE-2019-11841, GHSA-x3jr-pf6g-c48f
• Affects: golang.org/x/crypto
• Published: Aug 23, 2023
• Modified: May 20, 2024

The clearsign package accepts some malformed messages, making it possible for an attacker to trick a human user (but not a Go program) into thinking unverified text is part of the message. With fix, messages with malformed headers in the SIGNED MESSAGE section are rejected.

• CVE-2019-12274, GHSA-gc62-j469-9gjm
• Affects: github.com/rancher/rancher
• Published: Aug 20, 2024
• Unreviewed

Rancher Privilege Escalation Vulnerability in github.com/rancher/rancher

• CVE-2023-29407, GHSA-j3p8-6mrq-6g7h
• Affects: golang.org/x/image
• Published: Aug 02, 2023
• Modified: May 20, 2024

A maliciously-crafted image can cause excessive CPU consumption in decoding. A tiled image with a height of 0 and a very large width can cause excessive CPU consumption, despite the image size (width * height) appearing to be zero.

• CVE-2023-29408, GHSA-x92r-3vfx-4cv3
• Affects: golang.org/x/image
• Published: Aug 02, 2023
• Modified: May 20, 2024

The TIFF decoder does not place a limit on the size of compressed tile data. A maliciously-crafted image can exploit this to cause a small image (both in terms of pixel width/height, and encoded size) to make the decoder decode large amounts of compressed data, consuming excessive memory and CPU.

• CVE-2023-3978, GHSA-2wrh-6pvc-2jm9
• Affects: golang.org/x/net
• Published: Aug 02, 2023
• Modified: May 20, 2024

Text nodes not in the HTML namespace are incorrectly literally rendered, causing text which should be escaped to not be. This could lead to an XSS attack.

• CVE-2023-29409
• Affects: crypto/tls
• Published: Aug 02, 2023
• Modified: May 20, 2024

Extremely large RSA keys in certificate chains can cause a client/server to expend significant CPU time verifying signatures. With fix, the size of RSA keys transmitted during handshakes is restricted to <= 8192 bits. Based on a survey of publicly trusted RSA keys, there are currently only three certificates in circulation with keys larger than this, and all three appear to be test certificates that are not actively deployed. It is possible there are larger keys in use in private PKIs, but we target the web PKI, so causing breakage here in the interests of increasing the default safety of users of crypto/tls seems reasonable.

• CVE-2023-3462, GHSA-9v3w-w2jh-4hff
• Affects: github.com/hashicorp/vault
• Published: Aug 20, 2024
• Unreviewed

HashiCorp Vault and Vault Enterprise vulnerable to user enumeration in github.com/hashicorp/vault

• CVE-2015-7561, GHSA-2h9c-34v6-3qmr
• Affects: k8s.io/kubernetes
• Published: Aug 20, 2024
• Unreviewed

Kubernetes in OpenShift3 Access Control Misconfiguration in k8s.io/kubernetes

• CVE-2020-24710, GHSA-9c9w-9pq7-f35h
• Affects: github.com/gophish/gophish
• Published: Aug 20, 2024
• Unreviewed

Gophish vulnerable to Server-Side Request Forgery in github.com/gophish/gophish

• CVE-2023-38495, GHSA-pj4x-2xr5-w87m
• Affects: github.com/crossplane/crossplane
• Published: Aug 20, 2024
• Unreviewed

Possible image tampering from missing image validation for Packages in github.com/crossplane/crossplane

• CVE-2023-37900, GHSA-68p4-95xf-7gx8
• Affects: github.com/crossplane/crossplane
• Published: Aug 20, 2024
• Unreviewed

Denial of service from large image in github.com/crossplane/crossplane

• CVE-2017-1002102, GHSA-mm7g-f2gg-cw8g
• Affects: k8s.io/kubernetes
• Published: Aug 20, 2024
• Unreviewed

Kubernetes arbitrary file overwrite in k8s.io/kubernetes

• CVE-2017-7297, GHSA-w3x4-9854-95x8
• Affects: github.com/rancher/rancher
• Published: Aug 20, 2024
• Unreviewed

Rancher Access Control Vulnerability in github.com/rancher/rancher

• CVE-2018-17031, GHSA-px5r-fqj6-r2f8
• Affects: gogs.io/gogs
• Published: Aug 20, 2024
• Unreviewed

Gogs XSS Vulnerability in gogs.io/gogs

• CVE-2018-15192, GHSA-fg3x-rwq9-74cw
• Affects: code.gitea.io/gitea, gogs.io/gogs
• Published: Aug 20, 2024
• Unreviewed

Gogs and Gitea SSRF Vulnerability in code.gitea.io/gitea

• CVE-2023-38496, GHSA-mmx5-32m4-wxvx
• Affects: github.com/apptainer/apptainer
• Published: Aug 20, 2024
• Unreviewed

Ineffective privileges drop when requesting container network in github.com/apptainer/apptainer

• CVE-2018-10856, GHSA-wp7w-vx86-vj9h
• Affects: github.com/containers/podman, github.com/containers/podman/v2, and 2 more
• Published: Aug 20, 2024
• Unreviewed

Podman Elevated Container Privileges in github.com/containers/podman

• CVE-2018-1002103, GHSA-6pcv-qqx4-mxm3
• Affects: k8s.io/minikube
• Published: Aug 20, 2024
• Unreviewed

Minikube RCE via DNS Rebinding in k8s.io/minikube

• CVE-2018-1002100, GHSA-2jq6-ffph-p4h8
• Affects: k8s.io/kubernetes
• Published: Aug 20, 2024
• Unreviewed

Kubernetes arbitrary file overwrite in k8s.io/kubernetes

• CVE-2023-37916, GHSA-87f6-8gr7-pc6h
• Affects: github.com/KubeOperator/kubepi
• Published: Aug 20, 2024
• Unreviewed

KubePi may leak password hash of any user in github.com/KubeOperator/kubepi

• CVE-2023-37917, GHSA-757p-vx43-fp9r
• Affects: github.com/KubeOperator/kubepi
• Published: Aug 20, 2024
• Unreviewed

KubePi Privilege Escalation vulnerability in github.com/KubeOperator/kubepi

• CVE-2023-37918, GHSA-59m6-82qm-vqgj
• Affects: github.com/dapr/dapr
• Published: Aug 20, 2024
• Unreviewed

Dapr API token authentication bypass in HTTP endpoints in github.com/dapr/dapr

• CVE-2018-21034, GHSA-xj7v-c82w-92q2
• Affects: github.com/argoproj/argo-cd
• Published: Aug 20, 2024
• Unreviewed

Argo Exposure of Sensitive Information in github.com/argoproj/argo-cd

• CVE-2018-15598, GHSA-2cjc-rgmp-x649
• Affects: github.com/traefik/traefik
• Published: Aug 20, 2024
• Unreviewed

Traefik Missing Authentication in github.com/traefik/traefik

• CVE-2019-1000008, GHSA-xrxm-mvqm-r553
• Affects: helm.sh/helm
• Published: Aug 20, 2024
• Unreviewed

Helm Path Traversal in helm.sh/helm

• CVE-2019-1002100, GHSA-q4rr-64r9-fwgf
• Affects: k8s.io/kubernetes
• Published: Aug 20, 2024
• Modified: Aug 21, 2024
• Unreviewed

Kubernetes DoS Vulnerability in k8s.io/kubernetes

• CVE-2019-8336, GHSA-fhm8-cxcv-pwvc
• Affects: github.com/hashicorp/consul
• Published: Aug 20, 2024
• Unreviewed

HashiCorp Consul Access Restriction Bypass in github.com/hashicorp/consul

• CVE-2019-18466, GHSA-r34v-gqmw-qvgj
• Affects: github.com/containers/libpod, github.com/containers/podman, and 3 more
• Published: Aug 20, 2024
• Unreviewed

Podman Symlink Vulnerability in github.com/containers/libpod

• CVE-2023-37788, GHSA-4r8x-2p26-976p
• Affects: github.com/elazarl/goproxy
• Published: Jul 31, 2023
• Modified: May 20, 2024

An invalid request can cause a panic when running in MITM mode.

• CVE-2023-37477, GHSA-p9xf-74xh-mhw5
• Affects: github.com/1Panel-dev/1Panel
• Published: Aug 20, 2024
• Unreviewed

1Panel command injection vulnerability in Firewall ip functionality in github.com/1Panel-dev/1Panel

• CVE-2020-14457, GHSA-j2h2-cvwh-cr64
• Affects: github.com/mattermost/mattermost, github.com/mattermost/mattermost-server, and 1 more
• Published: Aug 20, 2024
• Unreviewed

Mattermost Server Sensitive Data Exposure in github.com/mattermost/mattermost

• CVE-2019-18658, GHSA-p5pc-m4q7-7qm9
• Affects: helm.sh/helm
• Published: Aug 20, 2024
• Unreviewed

Helm Unsafe Link Following in helm.sh/helm

• CVE-2019-16146, GHSA-9h9f-9q8g-6764
• Affects: github.com/gophish/gophish
• Published: Aug 20, 2024
• Unreviewed

Gophish XSS Vulnerability in github.com/gophish/gophish

• CVE-2023-37265, GHSA-vjh7-5r6x-xh6g
• Affects: github.com/IceWhaleTech/CasaOS-Gateway
• Published: Aug 20, 2024
• Unreviewed

CasaOS Gateway vulnerable to incorrect identification of source IP addresses in github.com/IceWhaleTech/CasaOS-Gateway