Go Vulnerability Database
Data about new vulnerabilities come directly from Go package maintainers or sources such as MITRE and GitHub. Reports are curated by the Go Security team. Learn more at go.dev/security/vuln.
Recent Reports
GO-2024-2631
- CVE-2024-28180, GHSA-c5q2-7r4c-mv6g
- Affects: github.com/go-jose/go-jose/v4, github.com/go-jose/go-jose/v3, and 2 more
- Published: Mar 15, 2024
An attacker could send a JWE containing compressed data that used large amounts of memory and CPU when decompressed by Decrypt or DecryptMulti.
GO-2024-2618
- CVE-2024-28110, GHSA-5pf6-2qwx-pxm2
- Affects: github.com/cloudevents/sdk-go/v2
- Published: Mar 11, 2024
Using cloudevents.WithRoundTripper to create a cloudevents.Client with an authenticated http.RoundTripper causes the go-sdk to leak credentials to arbitrary endpoints. When the transport is populated with an authenticated transport, http.DefaultClient is modified with the authenticated transport and will start to send Authorization tokens to any endpoint it is used to contact.
GO-2024-2617
- CVE-2024-2048, GHSA-r3w7-mfpm-c2vw
- Affects: github.com/hashicorp/vault
- Published: Mar 14, 2024
The TLS certificate authentication method incorrectly validates client certificates when configured with a non-CA certificate as a trusted certificate. When configured this way, attackers may be able to craft a certificate that can be used to bypass authentication.
GO-2024-2616
- CVE-2024-24765, GHSA-h5gf-cmm8-cg7c
- Affects: github.com/IceWhaleTech/CasaOS-UserService
- Published: Mar 11, 2024
The UserService API contains a path traversal vulnerability that allows an attacker to obtain any file on the system, including the user database and system configuration. This can lead to privilege escalation and compromise of the system.
GO-2024-2615
- CVE-2024-24766, GHSA-c967-2652-gfjm
- Affects: github.com/IceWhaleTech/CasaOS-UserService
- Published: Mar 14, 2024
CasaOS-UserService is vulnerable to a username enumeration issue: an attacker can enumerate the CasaOS username from the application's response. If the username is incorrect, the application gives the error 'User does not exist'. If the password is incorrect, the application gives the error 'Invalid password'.
If you don't see an existing, public Go vulnerability in a publicly importable package in our database, please let us know.