Vulnerability Reports

• CVE-2025-24366, GHSA-vj7w-3m8c-6vpx
• Affects: github.com/drakkan/sftpgo, github.com/drakkan/sftpgo/v2
• Published: Feb 07, 2025
• Unreviewed

SFTPGo has insufficient sanitization of user provided rsync command in github.com/drakkan/sftpgo. NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions. (If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.) The additional affected modules and versions are: .

• CVE-2025-24787, GHSA-c7w4-9wv8-7x7c
• Affects: github.com/clidey/whodb/core
• Published: Feb 07, 2025
• Unreviewed

WhoDB allows parameter injection in DB connection URIs leading to local file inclusion in github.com/clidey/whodb/core

• CVE-2025-24786, GHSA-9r4c-jwx3-3j76
• Affects: github.com/clidey/whodb/core
• Published: Feb 07, 2025
• Unreviewed

WhoDB has a path traversal opening Sqlite3 database in github.com/clidey/whodb/core

• GHSA-vqv5-385r-2hf8
• Affects: github.com/edgelesssys/contrast
• Published: Feb 05, 2025
• Unreviewed

Contrast's unauthenticated recovery allows Coordinator impersonation in github.com/edgelesssys/contrast

• GHSA-mj4v-hp69-27x5
• Affects: github.com/plentico/plenti
• Published: Feb 05, 2025
• Unreviewed

Plenti - Code Injection - Denial of Services in github.com/plentico/plenti

• Affects: github.com/boltdb-go/bolt
• Published: Feb 05, 2025

This module is a malicious typosquat, attempting to take advantage of confusion with the github.com/boltdb/bolt module.

• GHSA-w7wm-2425-7p2h
• Affects: github.com/edgelesssys/marblerun
• Published: Feb 05, 2025
• Unreviewed

MarbleRun unauthenticated recovery allows Coordinator impersonation in github.com/edgelesssys/marblerun

• GHSA-mx2j-7cmv-353c
• Affects: github.com/CosmWasm/wasmvm, github.com/CosmWasm/wasmvm/v2
• Published: Feb 05, 2025
• Unreviewed

wasmvm: Malicious smart contract can slow down block production in github.com/CosmWasm/wasmvm

• GHSA-23qp-3c2m-xx6w
• Affects: github.com/CosmWasm/wasmvm, github.com/CosmWasm/wasmvm/v2
• Published: Feb 05, 2025
• Unreviewed

wasmvm: Malicious smart contract can crash the chain in github.com/CosmWasm/wasmvm

• CVE-2025-22866
• Affects: crypto/internal/nistec
• Published: Feb 06, 2025

Due to the usage of a variable time instruction in the assembly implementation of an internal function, a small number of bits of secret scalars are leaked on the ppc64le architecture. Due to the way this function is used, we do not believe this leakage is enough to allow recovery of the private key when P-256 is used in any well known protocols.

• CVE-2024-47770
• Affects: github.com/wazuh/wazuh
• Published: Feb 04, 2025
• Unreviewed

Ability to view Agent list with no privilege access in wazuh-dashboard in github.com/wazuh/wazuh

• CVE-2024-35177
• Affects: github.com/wazuh/wazuh
• Published: Feb 04, 2025
• Unreviewed

Improper Access Control in wazuh-agent in github.com/wazuh/wazuh

• GHSA-r3r4-g7hq-pq4f
• Affects: github.com/cometbft/cometbft
• Published: Feb 04, 2025
• Unreviewed

CometBFT allows a malicious peer to stall the network by disseminating seemingly valid block parts in github.com/cometbft/cometbft

• CVE-2025-24371, GHSA-22qq-3xwm-r5x4
• Affects: github.com/cometbft/cometbft
• Published: Feb 04, 2025
• Unreviewed

CometBFT allows a malicious peer to make node stuck in blocksync in github.com/cometbft/cometbft

• CVE-2024-11741, GHSA-wxcc-2f3q-4h58
• Affects: github.com/grafana/grafana
• Published: Feb 04, 2025
• Unreviewed

Grafana Alerting VictorOps integration could be exposed to users with Viewer permission in github.com/grafana/grafana. NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions. (If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.) The additional affected modules and versions are: github.com/grafana/grafana before v10.4.15, from v11.0.0 before v11.0.11, from v11.1.0 before v11.1.11, from v11.2.0 before v11.2.6, from v11.3.0 before v11.3.3, from v11.4.0 before v11.4.1.

• GHSA-274v-mgcv-cm8j
• Affects: github.com/argoproj/gitops-engine
• Published: Feb 04, 2025
• Unreviewed

Argo CD GitOps Engine does not scrub secret values from patch errors in github.com/argoproj/gitops-engine

• CVE-2025-24883, GHSA-q26p-9cq4-7fc2
• Affects: github.com/ethereum/go-ethereum
• Published: Feb 04, 2025
• Unreviewed

Go Ethereum vulnerable to DoS via malicious p2p message in github.com/ethereum/go-ethereum

• CVE-2025-24784, GHSA-756x-m4mj-q96c
• Affects: github.com/kubewarden/kubewarden-controller
• Published: Feb 04, 2025
• Unreviewed

Kubewarden-Controller information leak via AdmissionPolicyGroup Resource in github.com/kubewarden/kubewarden-controller

• CVE-2025-24376, GHSA-fc89-jghx-8pvg
• Affects: github.com/kubewarden/kubewarden-controller
• Published: Feb 04, 2025
• Unreviewed

KubeWarden's AdmissionPolicy and AdmissionPolicyGroup policies can be used to alter PolicyReport resources in github.com/kubewarden/kubewarden-controller

• CVE-2025-23216, GHSA-47g2-qmh2-749v
• Affects: github.com/argoproj/argo-cd, github.com/argoproj/argo-cd/v2
• Published: Feb 04, 2025
• Unreviewed

Argo CD does not scrub secret values from patch errors in github.com/argoproj/argo-cd

• CVE-2025-24884, GHSA-hcr5-wv4p-h2g2
• Affects: github.com/RichardoC/kube-audit-rest
• Published: Feb 04, 2025
• Unreviewed

kube-audit-rest's example logging configuration could disclose secret values in the audit log in github.com/RichardoC/kube-audit-rest

• CVE-2025-22867
• Affects: cmd/go
• Published: Feb 06, 2025

On Darwin, building a Go module which contains CGO can trigger arbitrary code execution when using the Apple version of ld, due to usage of the @executable_path, @loader_path, or @rpath special values in a "#cgo LDFLAGS" directive. This issue only affected go1.24rc2.

• CVE-2024-13484, GHSA-58fx-7v9q-3g56
• Affects: github.com/argoproj/argo-cd, github.com/argoproj/argo-cd/v2
• Published: Jan 29, 2025
• Unreviewed

ArgoCD Namespace Isolation Break in github.com/argoproj/argo-cd

• CVE-2025-0750, GHSA-hp5j-2585-qx6g
• Affects: github.com/cri-o/cri-o
• Published: Jan 29, 2025
• Unreviewed

CRI-O Path Traversal vulnerability in github.com/cri-o/cri-o

• CVE-2025-24369
• Affects: github.com/Xe/x
• Published: Jan 29, 2025
• Unreviewed

Anubis has a bot protection bypass when a sophisticated attacker asks to pass a challenge of difficulty 0 in github.com/Xe/x. NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions. (If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.) The additional affected modules and versions are: github.com/Xe/x before v1.11.0-37-gd98d70a.

• CVE-2025-24354
• Affects: github.com/imgproxy/imgproxy, github.com/imgproxy/imgproxy/v2, and 1 more
• Published: Jan 28, 2025
• Unreviewed

imgproxy is vulnerable to SSRF against 0.0.0.0 in github.com/imgproxy/imgproxy

• CVE-2025-22865
• Affects: crypto/x509
• Published: Jan 28, 2025
• Modified: Jan 30, 2025

Using ParsePKCS1PrivateKey to parse a RSA key that is missing the CRT values would panic when verifying that the key is well formed.

• CVE-2024-45336
• Affects: net/http
• Published: Jan 28, 2025
• Modified: Jan 30, 2025

The HTTP client drops sensitive headers after following a cross-domain redirect. For example, a request to a.com/ containing an Authorization header which is redirected to b.com/ will not send that header to b.com. In the event that the client received a subsequent same-domain redirect, however, the sensitive headers would be restored. For example, a chain of redirects from a.com/, to b.com/1, and finally to b.com/2 would incorrectly send the Authorization header to b.com/2.

• CVE-2025-24355, GHSA-v34r-vj4r-38j6
• Affects: github.com/updatecli/updatecli
• Published: Jan 28, 2025
• Unreviewed

Updatecli exposes Maven credentials in console output in github.com/updatecli/updatecli

• CVE-2025-24030, GHSA-j777-63hf-hx76
• Affects: github.com/envoyproxy/gateway
• Published: Jan 28, 2025
• Unreviewed

Envoy Admin Interface Exposed through prometheus metrics endpoint in github.com/envoyproxy/gateway

• CVE-2025-23047, GHSA-h78m-j95m-5356
• Affects: github.com/cilium/cilium
• Published: Jan 28, 2025
• Unreviewed

Cilium has an information leakage via insecure default Hubble UI CORS header in github.com/cilium/cilium

• CVE-2025-23028, GHSA-9m5p-c77c-f9j7
• Affects: github.com/cilium/cilium
• Published: Jan 28, 2025
• Unreviewed

DoS in Cilium agent DNS proxy from crafted DNS responses in github.com/cilium/cilium

• CVE-2024-11218, GHSA-5vpc-35f4-r8w6
• Affects: github.com/containers/buildah
• Published: Jan 28, 2025
• Unreviewed

Buildah allows build breakout using malicious Containerfiles and concurrent builds in github.com/containers/buildah

• CVE-2025-0377, GHSA-wpfp-cm49-9m9q
• Affects: github.com/hashicorp/go-slug
• Published: Jan 28, 2025
• Unreviewed

HashiCorp go-slug Vulnerable to Zip Slip Attack in github.com/hashicorp/go-slug

• CVE-2024-10846, GHSA-36gq-35j3-p9r9
• Affects: github.com/compose-spec/compose-go/v2
• Published: Jan 29, 2025

Excessive resource consumption when unmarshalling Compose file with recursive loop in github.com/compose-spec/compose-go/v2

• CVE-2025-24337, GHSA-3qc3-mx6x-267h
• Affects: github.com/writefreely/writefreely
• Published: Jan 28, 2025
• Unreviewed

Insecure default config access in WriteFreely in github.com/writefreely/writefreely

• CVE-2025-23208, GHSA-c9p4-xwr9-rfhx
• Affects: zotregistry.dev/zot
• Published: Jan 28, 2025
• Unreviewed

Zot IdP group membership revocation ignored in zotregistry.dev/zot. NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions. (If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.) The additional affected modules and versions are: zotregistry.dev/zot before v2.1.2.

• Affects: github.com/hashicorp/yamux
• Published: Jan 29, 2025
• Modified: Feb 05, 2025
• Withdrawn: Feb 05, 2025

(withdrawn)

• CVE-2025-20621, GHSA-w6xh-c82w-h997
• Affects: github.com/mattermost/mattermost-server, github.com/mattermost/mattermost-server/v5, and 2 more
• Published: Jan 17, 2025
• Unreviewed

Mattermost webapp crash via a crafted post in github.com/mattermost/mattermost-server

• CVE-2024-36403, GHSA-vc2m-hw89-qjxf
• Affects: github.com/t2bot/matrix-media-repo
• Published: Jan 16, 2025
• Unreviewed

matrix-media-repo (MMR) allows denial of service/high operating costs through unauthenticated downloads in github.com/t2bot/matrix-media-repo

• CVE-2024-56515, GHSA-rcxc-wjgw-579r
• Affects: github.com/t2bot/matrix-media-repo
• Published: Jan 16, 2025
• Unreviewed

Matrix Media Repo (MMR) allows untrusted file formats can be thumbnailed, invoking potentially further untrusted decoders in github.com/t2bot/matrix-media-repo

• CVE-2024-52602, GHSA-r6jg-jfv6-2fjv
• Affects: github.com/t2bot/matrix-media-repo
• Published: Jan 16, 2025
• Unreviewed

Matrix Media Repo (MMR) allows Server-Side Request Forgery (SSRF) on redirects and federation in github.com/t2bot/matrix-media-repo

• CVE-2024-52791, GHSA-gp86-q8hg-fpxj
• Affects: github.com/t2bot/matrix-media-repo
• Published: Jan 16, 2025
• Unreviewed

matrix-media-repo (MMR) allows a denial of service through memory exhaustion in github.com/t2bot/matrix-media-repo

• CVE-2024-36402, GHSA-8vmr-h7h5-cqhg
• Affects: github.com/t2bot/matrix-media-repo
• Published: Jan 16, 2025
• Unreviewed

matrix-media-repo (MMR) allows unauthenticated writes to the media repository, which may allow planting of problematic content in github.com/t2bot/matrix-media-repo

• CVE-2024-52594
• Affects: github.com/matrix-org/gomatrixserverlib
• Published: Jan 16, 2025

Server-Side Request Forgery (SSRF) on redirects and federation in github.com/matrix-org/gomatrixserverlib

• CVE-2025-20088, GHSA-45v9-w9fh-33j6
• Affects: github.com/mattermost/mattermost-server, github.com/mattermost/mattermost-server/v5, and 2 more
• Published: Jan 16, 2025
• Unreviewed

Mattermost fails to properly validate post props in github.com/mattermost/mattermost-server

• CVE-2025-21088, GHSA-8j3q-gc9x-7972
• Affects: github.com/mattermost/mattermost-server, github.com/mattermost/mattermost-server/v5, and 2 more
• Published: Jan 16, 2025
• Unreviewed

Mattermost Incorrect Type Conversion or Cast in github.com/mattermost/mattermost-server

• CVE-2025-20086, GHSA-5m7j-6gc4-ff5g
• Affects: github.com/mattermost/mattermost-server, github.com/mattermost/mattermost-server/v5, and 2 more
• Published: Jan 16, 2025
• Unreviewed

Mattermost fails to properly validate post props in github.com/mattermost/mattermost-server

• CVE-2024-52281, GHSA-2v2w-8v8c-wcm9
• Affects: github.com/rancher/rancher
• Published: Jan 15, 2025
• Unreviewed

Rancher UI has Stored Cross-site Scripting vulnerability in github.com/rancher/rancher. NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions. (If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.) The additional affected modules and versions are: github.com/rancher/rancher from v2.9.0 before v2.9.4.

• CVE-2024-53263, GHSA-q6r2-x2cc-vrp7
• Affects: github.com/git-lfs/git-lfs, github.com/git-lfs/git-lfs/v3
• Published: Jan 15, 2025

Git LFS permits exfiltration of credentials via crafted HTTP URLs in github.com/git-lfs/git-lfs

• CVE-2024-56323, GHSA-32q6-rr98-cjqv
• Affects: github.com/openfga/openfga
• Published: Jan 14, 2025
• Unreviewed

OpenFGA Authorization Bypass in github.com/openfga/openfga

• CVE-2024-45340
• Affects: cmd/go
• Published: Jan 28, 2025
• Modified: Jan 30, 2025

Credentials provided via the new GOAUTH feature were not being properly segmented by domain, allowing a malicious server to request credentials they should not have access to. By default, unless otherwise set, this only affected credentials stored in the users .netrc file.

• CVE-2024-51491, GHSA-qjh3-4j3h-vmwp
• Affects: github.com/notaryproject/notation-go
• Published: Jan 14, 2025
• Unreviewed

notation-go has an OS error when setting CRL cache leads to denial of signature verification in github.com/notaryproject/notation-go

• CVE-2024-56138, GHSA-45v3-38pc-874v
• Affects: github.com/notaryproject/notation-go
• Published: Jan 14, 2025
• Unreviewed

notation-go's timestamp signature generation lacks certificate revocation check in github.com/notaryproject/notation-go

• CVE-2025-22445, GHSA-7rgp-4j56-fm79
• Affects: github.com/mattermost/mattermost-server, github.com/mattermost/mattermost-server/v5, and 2 more
• Published: Jan 09, 2025
• Unreviewed

Mattermost has Improper Check for Unusual or Exceptional Conditions in github.com/mattermost/mattermost-server. NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions. (If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.) The additional affected modules and versions are: .

• CVE-2025-20033, GHSA-2549-xh72-qrpm
• Affects: github.com/mattermost/mattermost-server, github.com/mattermost/mattermost-server/v5, and 2 more
• Published: Jan 09, 2025
• Unreviewed

Mattermost Improper Validation of Specified Type of Input vulnerability in github.com/mattermost/mattermost-server. NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions. (If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.) The additional affected modules and versions are: github.com/mattermost/mattermost-server from v9.11.0 before v9.11.16.

• CVE-2025-22449, GHSA-q8fg-cp3q-5jwm
• Affects: github.com/mattermost/mattermost-server, github.com/mattermost/mattermost-server/v5, and 2 more
• Published: Jan 09, 2025
• Unreviewed

Mattermost Incorrect Authorization vulnerability in github.com/mattermost/mattermost-server. NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions. (If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.) The additional affected modules and versions are: github.com/mattermost/mattermost-server before v9.11.16.

• CVE-2025-22149, GHSA-675f-rq2r-jw82
• Affects: github.com/MicahParks/jwkset
• Published: Jan 09, 2025
• Unreviewed

JWK Set's HTTP client only overwrites and appends JWK to local cache during refresh in github.com/MicahParks/jwkset

• CVE-2025-22130, GHSA-j4jw-m6xr-fv6c
• Affects: github.com/charmbracelet/soft-serve
• Published: Jan 08, 2025
• Unreviewed

Soft Serve vulnerable to path traversal attacks in github.com/charmbracelet/soft-serve

• CVE-2024-45341
• Affects: crypto/x509
• Published: Jan 28, 2025
• Modified: Jan 30, 2025

A certificate with a URI which has a IPv6 address with a zone ID may incorrectly satisfy a URI name constraint that applies to the certificate chain. Certificates containing URIs are not permitted in the web PKI, so this only affects users of private PKIs which make use of URIs.

• CVE-2024-45339, GHSA-6wxm-mpqj-6jpf
• Affects: github.com/golang/glog
• Published: Jan 28, 2025
• Modified: Jan 29, 2025

When logs are written to a widely-writable directory (the default), an unprivileged attacker may predict a privileged process's log file path and pre-create a symbolic link to a sensitive file in its place. When that privileged process runs, it will follow the planted symlink and overwrite that sensitive file. To fix that, glog now causes the program to exit (with status code 2) when it finds that the configured log file already exists.

• GHSA-2r2v-9pf8-6342
• Affects: github.com/h44z/wg-portal
• Published: Jan 08, 2025
• Unreviewed

WireGuard Portal v2 Vulnerable to OAuth Insecure Redirect URI / Account Takeover in github.com/h44z/wg-portal. NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions. (If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.) The additional affected modules and versions are: github.com/h44z/wg-portal from v2.0.0-alpha.1 before v2.0.0-alpha.3.

• CVE-2025-21613, GHSA-v725-9546-7q7m
• Affects: github.com/go-git/go-git/v5, github.com/go-git/go-git/v4, and 1 more
• Published: Jan 07, 2025

Argument Injection via the URL field in github.com/go-git/go-git

• CVE-2025-21614, GHSA-r9px-m959-cxf4
• Affects: github.com/go-git/go-git/v4, github.com/go-git/go-git/v5, and 1 more
• Published: Jan 07, 2025

Clients vulnerable to DoS via maliciously crafted Git server replies in github.com/go-git/go-git

• CVE-2024-56513, GHSA-mg7w-c9x2-xh7r
• Affects: github.com/karmada-io/karmada
• Published: Jan 07, 2025
• Unreviewed

Karmada PULL Mode Cluster Privilege Escalation in github.com/karmada-io/karmada

• CVE-2024-56514, GHSA-cwrh-575j-8vr3
• Affects: github.com/karmada-io/karmada
• Published: Jan 07, 2025
• Unreviewed

Karmada Tar Slips in CRDs archive extraction in github.com/karmada-io/karmada

• CVE-2025-21609, GHSA-8fx8-pffw-w498
• Affects: github.com/siyuan-note/siyuan/kernel
• Published: Jan 07, 2025
• Unreviewed

SiYuan has an arbitrary file deletion vulnerability in github.com/siyuan-note/siyuan/kernel

• CVE-2024-55196, GHSA-rv83-h68q-c4wq
• Affects: github.com/gophish/gophish
• Published: Jan 07, 2025
• Unreviewed

GoPhish sends cleartext passwords in github.com/gophish/gophish

• CVE-2024-25133, GHSA-wgqq-9qh8-wvqv
• Affects: github.com/openshift/hive
• Published: Jan 07, 2025
• Unreviewed

OpenShift Hive RCE through AWS/Kubernetes client configuration leads to privilege escalation in github.com/openshift/hive

• CVE-2024-28892, GHSA-5qww-56gc-f66c
• Affects: github.com/mayuresh82/gocast
• Published: Jan 07, 2025
• Unreviewed

GoCast OS Command Injection vulnerability in github.com/mayuresh82/gocast

• CVE-2024-45387, GHSA-vq94-9pfv-ccqr
• Affects: github.com/apache/trafficcontrol, github.com/apache/trafficcontrol/v8
• Published: Jan 07, 2025
• Unreviewed

SQL injection in Apache Traffic Control in github.com/apache/trafficcontrol

• CVE-2024-56362, GHSA-xwx7-p63r-2rj8
• Affects: github.com/navidrome/navidrome
• Published: Jan 07, 2025
• Unreviewed

Navidrome Stores JWT Secret in Plaintext in navidrome.db in github.com/navidrome/navidrome

• CVE-2024-55947, GHSA-qf5v-rp47-55gg
• Affects: gogs.io/gogs
• Published: Jan 07, 2025
• Unreviewed

Path Traversal in file update API in gogs in gogs.io/gogs

• CVE-2024-54148, GHSA-r7j8-5h9c-f6fx
• Affects: gogs.io/gogs
• Published: Jan 07, 2025
• Unreviewed

Remote Command Execution in file editing in gogs in gogs.io/gogs

• CVE-2024-12678, GHSA-hr68-hvgv-xxqf
• Affects: github.com/hashicorp/nomad
• Published: Dec 20, 2024
• Unreviewed

Hashicorp Nomad Incorrect Privilege Assignment vulnerability in github.com/hashicorp/nomad

• GHSA-5pf6-cq2v-23ww
• Affects: github.com/clidey/whodb/core
• Published: Dec 20, 2024
• Unreviewed

WhoDB Allows Unbounded Memory Consumption in Authentication Middleware Can Lead to Denial of Service in github.com/clidey/whodb/core

• CVE-2024-25131, GHSA-77c2-c35q-254w
• Affects: github.com/openshift/must-gather
• Published: Dec 20, 2024
• Unreviewed

OpenShift Must Gather Operator Improper Input Validation vulnerability in github.com/openshift/must-gather. NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions. (If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.) The additional affected modules and versions are: github.com/openshift/must-gather before v0.0.0-20240604173837-d1557bc283dd.

• GHSA-32gq-x56h-299c
• Affects: filippo.io/age
• Published: Dec 20, 2024
• Modified: Dec 20, 2024

Malicious plugin names, recipients, or identities causing arbitrary binary execution in filippo.io/age

• CVE-2024-9779, GHSA-jhh6-6fhp-q2xp
• Affects: open-cluster-management.io/ocm
• Published: Dec 20, 2024
• Unreviewed

Open Cluster Management vulnerable to Trust Boundary Violation in open-cluster-management.io/ocm

• GHSA-hxr6-2p24-hf98
• Affects: github.com/traefik/traefik, github.com/traefik/traefik/v2, and 1 more
• Published: Dec 20, 2024
• Unreviewed

Traefik affected by CVE-2024-53259 in github.com/traefik/traefik

• CVE-2024-54682, GHSA-v647-h8jj-fw5r
• Affects: github.com/mattermost/mattermost-server, github.com/mattermost/mattermost-server/v5, and 2 more
• Published: Dec 18, 2024
• Unreviewed

Mattermost Data Amplification vulnerability in github.com/mattermost/mattermost-server

• GHSA-8wcc-m6j2-qxvm
• Affects: cosmossdk.io/x/tx, github.com/cosmos/cosmos-sdk
• Published: Dec 18, 2024
• Modified: Dec 20, 2024

Transaction decoding may result in a stack overflow or resource exhaustion in github.com/cosmos/cosmos-sdk

• CVE-2024-48872, GHSA-826h-p4c3-477p
• Affects: github.com/mattermost/mattermost-server, github.com/mattermost/mattermost-server/v5, and 2 more
• Published: Dec 18, 2024
• Unreviewed

Mattermost Race Condition vulnerability in github.com/mattermost/mattermost-server

• CVE-2024-54083, GHSA-69pr-78gv-7c6h
• Affects: github.com/mattermost/mattermost-server, github.com/mattermost/mattermost-server/v5, and 2 more
• Published: Dec 18, 2024
• Unreviewed

Mattermost Improper Validation of Specified Type of Input vulnerability in github.com/mattermost/mattermost-server

• CVE-2024-55949, GHSA-cwq8-g58r-32hg
• Affects: github.com/minio/minio
• Published: Dec 18, 2024
• Unreviewed

MinIO vulnerable to privilege escalation in IAM import API in github.com/minio/minio

• CVE-2024-12289, GHSA-xx83-cxmq-x89m
• Affects: github.com/hashicorp/boundary
• Published: Dec 18, 2024
• Unreviewed

Boundary Community Edition Incorrectly Handles HTTP Requests On Initialization Which May Lead to a Denial of Service in github.com/hashicorp/boundary

• CVE-2024-28053, GHSA-qqc8-rv37-79q5
• Affects: github.com/mattermost/mattermost-server, github.com/mattermost/mattermost-server/v5, and 2 more
• Published: Dec 18, 2024
• Unreviewed

Mattermost Server Resource Exhaustion in github.com/mattermost/mattermost-server

• CVE-2024-45338, GHSA-w32m-9786-jp63
• Affects: golang.org/x/net
• Published: Dec 18, 2024
• Modified: Dec 20, 2024

An attacker can craft an input to the Parse functions that would be processed non-linearly with respect to its length, resulting in extremely slow parsing. This could cause a denial of service.

• CVE-2024-55885, GHSA-9j3m-fr7q-jxfw
• Affects: github.com/beego/beego, github.com/beego/beego/v2
• Published: Dec 18, 2024

Beego has Collision Hazards of MD5 in Cache Key Filenames in github.com/beego/beego

• GHSA-7prj-hgx4-2xc3
• Affects: github.com/ryanbekhen/nanoproxy
• Published: Dec 13, 2024
• Unreviewed

Potential Vulnerabilities Due to Outdated golang.org/x/crypto Dependency in NanoProxy in github.com/ryanbekhen/nanoproxy

• CVE-2024-55657, GHSA-xx68-37v4-4596
• Affects: github.com/siyuan-note/siyuan/kernel
• Published: Dec 12, 2024
• Unreviewed

SiYuan has an arbitrary file read via /api/template/render in github.com/siyuan-note/siyuan/kernel

• CVE-2024-55659, GHSA-fqj6-whhx-47p7
• Affects: github.com/siyuan-note/siyuan/kernel
• Published: Dec 12, 2024
• Unreviewed

SiYuan has an arbitrary file write in the host via /api/asset/upload in github.com/siyuan-note/siyuan/kernel

• GHSA-c7xh-gjv4-4jgv
• Affects: github.com/kcp-dev/kcp
• Published: Dec 12, 2024
• Unreviewed

kcp's impersonation allows access to global administrative groups in github.com/kcp-dev/kcp

• CVE-2024-55660, GHSA-4pjc-pwgq-q9jp
• Affects: github.com/siyuan-note/siyuan/kernel
• Published: Dec 12, 2024
• Unreviewed

SiYuan has an SSTI via /api/template/renderSprig in github.com/siyuan-note/siyuan/kernel

• CVE-2024-55658, GHSA-25w9-wqfq-gwqx
• Affects: github.com/siyuan-note/siyuan/kernel
• Published: Dec 12, 2024
• Unreviewed

SiYuan has an arbitrary file read and path traversal via /api/export/exportResources in github.com/siyuan-note/siyuan/kernel

• CVE-2024-45337, GHSA-v778-237x-gjrc
• Affects: golang.org/x/crypto
• Published: Dec 11, 2024
• Modified: Dec 12, 2024

Applications and libraries which misuse the ServerConfig.PublicKeyCallback callback may be susceptible to an authorization bypass. The documentation for ServerConfig.PublicKeyCallback says that "A call to this function does not guarantee that the key offered is in fact used to authenticate." Specifically, the SSH protocol allows clients to inquire about whether a public key is acceptable before proving control of the corresponding private key. PublicKeyCallback may be called with multiple keys, and the order in which the keys were provided cannot be used to infer which key the client successfully authenticated with, if any. Some applications, which store the key(s) passed to PublicKeyCallback (or derived information) and make security relevant determinations based on it once the connection is established, may make incorrect assumptions. For example, an attacker may send public keys A and B, and then authenticate with A. PublicKeyCallback would be called only twice, first with A and then with B. A vulnerable application may then make authorization decisions based on key B for which the attacker does not actually control the private key. Since this API is widely misused, as a partial mitigation golang.org/x/cry...@v0.31.0 enforces the property that, when successfully authenticating via public key, the last key passed to ServerConfig.PublicKeyCallback will be the key used to authenticate the connection. PublicKeyCallback will now be called multiple times with the same key, if necessary. Note that the client may still not control the last key passed to PublicKeyCallback if the connection is then authenticated with a different method, such as PasswordCallback, KeyboardInteractiveCallback, or NoClientAuth. Users should be using the Extensions field of the Permissions return value from the various authentication callbacks to record data associated with the authentication attempt instead of referencing external state. Once the connection is established the state corresponding to the successful authentication attempt can be retrieved via the ServerConn.Permissions field. Note that some third-party libraries misuse the Permissions type by sharing it across authentication attempts; users of third-party libraries should refer to the relevant projects for guidance.

• GHSA-vmg2-r3xv-r3xf
• Affects: github.com/CosmWasm/wasmd
• Published: Dec 10, 2024
• Unreviewed

Simulation of Wasmd message can cause crashing in github.com/CosmWasm/wasmd

• CVE-2024-46455
• Affects: github.com/Unstructured-IO/unstructured
• Published: Dec 10, 2024
• Unreviewed

CVE-2024-46455 in github.com/Unstructured-IO/unstructured

• CVE-2024-55601, GHSA-c2xf-9v2r-r2rx
• Affects: github.com/gohugoio/hugo
• Published: Dec 10, 2024
• Modified: Dec 13, 2024

Hugo does not escape some attributes in internal templates in github.com/gohugoio/hugo

• CVE-2024-6219, GHSA-jpmc-7p9c-4rxf
• Affects: github.com/canonical/lxd
• Published: Dec 09, 2024
• Modified: Dec 11, 2024

Restricted TLS certificate privilege escalation when in PKI mode in github.com/canonical/lxd

• CVE-2024-6156, GHSA-4c49-9fpc-hc3v
• Affects: github.com/canonical/lxd
• Published: Dec 09, 2024
• Modified: Dec 11, 2024

CA certificate sign check bypass in github.com/canonical/lxd

• CVE-2024-36620, GHSA-q59j-vv4j-v33c
• Affects: github.com/moby/moby
• Published: Dec 09, 2024
• Unreviewed

NULL Pointer Dereference on moby image history in github.com/moby/moby

• CVE-2024-54132, GHSA-2m9h-r57g-45pj
• Affects: github.com/cli/cli, github.com/cli/cli/v2
• Published: Dec 04, 2024
• Unreviewed

Downloading malicious GitHub Actions workflow artifact results in path traversal vulnerability in github.com/cli/cli

• CVE-2024-54131, GHSA-66q9-2rvx-qfj5
• Affects: github.com/kolide/launcher
• Published: Dec 04, 2024
• Unreviewed

Kolide Agent Privilege Escalation (Windows, Versions >= 1.5.3, < 1.12.3) in github.com/kolide/launcher

• CVE-2024-50948
• Affects: github.com/mochi-mqtt/server
• Published: Dec 04, 2024
• Unreviewed

CVE-2024-50948 in github.com/mochi-mqtt/server

• CVE-2024-53257, GHSA-7mwh-q3xm-qh6p
• Affects: vitess.io/vitess
• Published: Dec 12, 2024

Vitess allows HTML injection in /debug/querylogz and /debug/env in vitess.io/vitess

• CVE-2024-36623, GHSA-gh5c-3h97-2f3q
• Affects: github.com/moby/moby
• Published: Dec 04, 2024
• Unreviewed

Moby Race Condition vulnerability in github.com/moby/moby

• CVE-2024-36621, GHSA-2mj3-vfvx-fc43
• Affects: github.com/moby/moby
• Published: Dec 04, 2024
• Unreviewed

Moby Race Condition vulnerability in github.com/moby/moby

• CVE-2024-53862
• Affects: github.com/argoproj/argo-workflows, github.com/argoproj/argo-workflows/v2, and 1 more
• Published: Dec 02, 2024
• Unreviewed

Argo Workflows Allows Access to Archived Workflows with Fake Token in `client` mode in github.com/argoproj/argo-workflows

• CVE-2024-53259, GHSA-px8v-pp82-rcvr
• Affects: github.com/quic-go/quic-go
• Published: Dec 04, 2024
• Modified: Dec 12, 2024

ICMP Packet Too Large Injection Attack on Linux in github.com/quic-go/quic-go

• CVE-2024-52801, GHSA-6943-qr24-82vx
• Affects: github.com/drakkan/sftpgo, github.com/drakkan/sftpgo/v2
• Published: Dec 02, 2024
• Unreviewed

sftpgo vulnerable to brute force takeover of OpenID Connect session cookies in github.com/drakkan/sftpgo

• CVE-2024-52003, GHSA-h924-8g65-j9wg
• Affects: github.com/traefik/traefik, github.com/traefik/traefik/v2, and 1 more
• Published: Dec 02, 2024
• Unreviewed

Traefik's X-Forwarded-Prefix Header still allows for Open Redirect in github.com/traefik/traefik

• CVE-2024-53858, GHSA-jwcm-9g39-pmcw
• Affects: github.com/cli/cli, github.com/cli/cli/v2
• Published: Dec 02, 2024
• Unreviewed

Recursive repository cloning can leak authentication tokens to non-GitHub submodule hosts in github.com/cli/cli

• CVE-2024-53859, GHSA-55v3-xh23-96gh
• Affects: github.com/cli/go-gh, github.com/cli/go-gh/v2
• Published: Dec 12, 2024

Violation of GitHub host security boundary when sourcing authentication token within a codespace in github.com/cli/go-gh

• CVE-2024-53264
• Affects: github.com/bunkerity/bunkerweb
• Published: Dec 02, 2024
• Unreviewed

Open Redirect Vulnerability in Loading Page in bunkerweb in github.com/bunkerity/bunkerweb

• Affects: goyave.dev/goyave/v5
• Published: Dec 13, 2024

Static file serving using router.Static and osfs.FS allows clients to access any file on the host file system using relative paths because the requested path is not sanitized and . and .. segments are accepted. The files will be returned as a response, provided the system user running the Go application has read access to the requested file. As a workaround, use fsutil.NewEmbed(embeddedFS) from the goyave.dev/goyave/v5/util/fsutil package to serve static content using Router.Static instead of &osfs.FS. Embedded file systems are rooted to the specified directory, making it impossible to navigate outside of the developers' intended directory.

• CVE-2024-8676, GHSA-7p9f-6x8j-gxxp
• Affects: github.com/cri-o/cri-o
• Published: Dec 04, 2024
• Unreviewed

CRI-O: Maliciously structured checkpoint file can gain arbitrary node access in github.com/cri-o/cri-o

• CVE-2024-43784, GHSA-hh33-46q4-hwm2
• Affects: github.com/treeverse/lakefs
• Published: Nov 27, 2024
• Unreviewed

Re-creating a deleted user in lakeFS will re-enable previous user credentials that existed prior to its deletion in github.com/treeverse/lakefs

• CVE-2024-52529, GHSA-xg58-75qf-9r67
• Affects: github.com/cilium/cilium
• Published: Nov 27, 2024
• Unreviewed

Cilium's Layer 7 policy enforcement may not occur in policies with wildcarded port ranges in github.com/cilium/cilium

• CVE-2024-6538, GHSA-v3w7-g6p2-mpx7
• Affects: github.com/openshift/console
• Published: Nov 27, 2024
• Unreviewed

OpenShift Console Server Side Request Forgery vulnerability in github.com/openshift/console

• GHSA-7f6p-phw2-8253
• Affects: github.com/taurusgroup/multi-party-sig
• Published: Nov 27, 2024
• Unreviewed

Taurus multi-party-sig has OT-based ECDSA protocol implementation flaws in github.com/taurusgroup/multi-party-sig

• CVE-2024-45719, GHSA-mr95-vfcf-fx9p
• Affects: github.com/apache/incubator-answer
• Published: Nov 27, 2024
• Unreviewed

Apache Answer: Predictable Authorization Token Using UUIDv1 in github.com/apache/incubator-answer

• CVE-2024-10220, GHSA-27wf-5967-98gx
• Affects: k8s.io/kubernetes
• Published: Nov 27, 2024
• Modified: Dec 13, 2024

Kubernetes kubelet arbitrary command execution in k8s.io/kubernetes

• CVE-2024-37820, GHSA-9g6g-xqv5-8g5w
• Affects: github.com/pingcap/tidb
• Published: Nov 27, 2024
• Unreviewed

PingCAP TiDB nil pointer dereference in github.com/pingcap/tidb. NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions. (If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.) The additional affected modules and versions are: github.com/pingcap/tidb before v8.2.0.

• CVE-2024-52309
• Affects: github.com/drakkan/sftpgo, github.com/drakkan/sftpgo/v2
• Published: Nov 21, 2024
• Unreviewed

SFTPGo allows administrators to restrict command execution from the EventManager in github.com/drakkan/sftpgo

• CVE-2024-12401, GHSA-r4pg-vg54-wxx4
• Affects: github.com/cert-manager/cert-manager
• Published: Nov 21, 2024
• Modified: Dec 12, 2024

Potential slowdown / DoS when parsing specially crafted PEM inputs in github.com/cert-manager/cert-manager

• CVE-2024-52280, GHSA-j5hq-5jcr-xwx7
• Affects: github.com/rancher/steve
• Published: Nov 21, 2024
• Unreviewed

github.com/rancher/steve's users can issue watch commands for arbitrary resources in github.com/rancher/steve

• CVE-2024-52282, GHSA-9c5p-35gj-jqp4
• Affects: github.com/rancher/rancher
• Published: Nov 21, 2024
• Unreviewed

Rancher Helm Applications may have sensitive values leaked in github.com/rancher/rancher. NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions. (If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.) The additional affected modules and versions are: github.com/rancher/rancher from v2.8.0 before v2.8.10, from v2.9.0 before v2.9.4.

• GHSA-7225-m954-23v7
• Affects: cosmossdk.io/math
• Published: Nov 21, 2024
• Modified: Dec 12, 2024

Mismatched bit-length validation in can lead to panic in cosmossdk.io/math

• CVE-2024-9526
• Affects: github.com/kubeflow/pipelines
• Published: Nov 19, 2024
• Unreviewed

Stored XSS in Kubeflow Pipeline View in github.com/kubeflow/pipelines

• CVE-2024-0793, GHSA-h7wq-jj8r-qm7p
• Affects: k8s.io/kubernetes
• Published: Nov 19, 2024
• Unreviewed

Kubernetes Nil pointer dereference in KCM after v1 HPA patch request in k8s.io/kubernetes

• CVE-2024-44625, GHSA-phm4-wf3h-pc3r
• Affects: gogs.io/gogs
• Published: Nov 19, 2024
• Unreviewed

Unpatched Remote Code Execution in Gogs in gogs.io/gogs

• CVE-2023-0109, GHSA-5r2g-59px-3q9w
• Affects: github.com/usememos/memos
• Published: Nov 19, 2024
• Unreviewed

Stored XSS using two files in usememos/memos in github.com/usememos/memos

• CVE-2024-24426
• Affects: github.com/magma/magma
• Published: Nov 19, 2024
• Unreviewed

CVE-2024-24426 in github.com/magma/magma

• CVE-2024-24425
• Affects: github.com/magma/magma
• Published: Nov 19, 2024
• Unreviewed

CVE-2024-24425 in github.com/magma/magma

• CVE-2024-52522
• Affects: github.com/rclone/rclone
• Published: Nov 19, 2024
• Unreviewed

Rclone Improper Permission and Ownership Handling on Symlink Targets with --links and --metadata in github.com/rclone/rclone

• CVE-2024-52308, GHSA-p2h2-3vg9-4p87
• Affects: github.com/cli/cli, github.com/cli/cli/v2
• Published: Nov 19, 2024
• Unreviewed

Connecting to a malicious Codespaces via GH CLI could allow command execution on the user's computer in github.com/cli/cli

• CVE-2022-31668, GHSA-r864-28pw-8682
• Affects: github.com/goharbor/harbor
• Published: Dec 12, 2024

Harbor fails to validate the user permissions when updating p2p preheat policies. By sending a request to update a p2p preheat policy with an id that belongs to a project that the currently authenticated user doesn't have access to, the attacker could modify p2p preheat policies configured in other projects.

• CVE-2024-52010, GHSA-7hpf-g48v-hw3j
• Affects: github.com/tobychui/zoraxy
• Published: Nov 19, 2024
• Unreviewed

Zoraxy has an authenticated command injection in the Web SSH feature in github.com/tobychui/zoraxy. NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions. (If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.) The additional affected modules and versions are: .

• CVE-2024-52009, GHSA-gppm-hq3p-h4rp
• Affects: github.com/runatlantis/atlantis
• Published: Nov 20, 2024
• Modified: Dec 12, 2024

Git credentials are exposed in Atlantis logs in github.com/runatlantis/atlantis

• CVE-2024-10975, GHSA-2w5v-x29g-jw7j
• Affects: github.com/hashicorp/nomad
• Published: Nov 08, 2024
• Unreviewed

Hashicorp Nomad Incorrect Authorization vulnerability in github.com/hashicorp/nomad

• CVE-2024-45794, GHSA-q78v-cv36-8fxj
• Affects: github.com/devtron-labs/devtron
• Published: Nov 08, 2024
• Unreviewed

Devtron has SQL Injection in CreateUser API in github.com/devtron-labs/devtron

• GHSA-p7mv-53f2-4cwj
• Affects: github.com/cometbft/cometbft
• Published: Nov 20, 2024
• Modified: Dec 12, 2024

CometBFT Vote Extensions: Panic when receiving a Pre-commit with an invalid data in github.com/cometbft/cometbft

• CVE-2024-51735, GHSA-wvv7-wm5v-w2gv
• Affects: github.com/j3ssie/osmedeus
• Published: Nov 06, 2024
• Unreviewed

Osmedeus Web Server Vulnerable to Stored XSS, Leading to RCE in github.com/j3ssie/osmedeus

• CVE-2024-48057, GHSA-ghx4-cgxw-7h9p
• Affects: github.com/mudler/LocalAI
• Published: Nov 06, 2024
• Unreviewed

LocalAI Cross-site Scripting vulnerability in github.com/mudler/LocalAI

• CVE-2024-51746, GHSA-8pmp-678w-c8xx
• Affects: github.com/sigstore/gitsign
• Published: Nov 06, 2024
• Unreviewed

gitsign may use incorrect Rekor entries during verification in github.com/sigstore/gitsign

• CVE-2024-10389, GHSA-q3rp-vvm7-j8jg
• Affects: github.com/google/safearchive
• Published: Nov 06, 2024
• Unreviewed

Safearchive Path Traversal vulnerability in github.com/google/safearchive

• CVE-2024-51744, GHSA-29wx-vh33-7x7r
• Affects: github.com/golang-jwt/jwt/v4
• Published: Nov 12, 2024
• Modified: Nov 12, 2024

Improper error handling in ParseWithClaims and bad documentation may cause dangerous situations in github.com/golang-jwt/jwt

• CVE-2024-46528, GHSA-p26r-gfgc-c47h
• Affects: github.com/kubesphere/kubesphere
• Published: Dec 12, 2024

An Insecure Direct Object Reference (IDOR) vulnerability in KubeSphere allows low-privileged authenticated attackers to access sensitive resources without proper authorization checks. NOTE: A fix is expected in v4.1.3 in January 2025.

• CVE-2024-8185, GHSA-g233-2p4r-3q7v
• Affects: github.com/hashicorp/vault
• Published: Nov 01, 2024
• Unreviewed

Hashicorp Vault vulnerable to denial of service through memory exhaustion in github.com/hashicorp/vault

• CVE-2024-39720, GHSA-95j2-w8x7-hm88
• Affects: github.com/ollama/ollama
• Published: Nov 01, 2024
• Modified: Dec 12, 2024

Ollama Out-of-bounds Read in github.com/ollama/ollama

• CVE-2024-50354, GHSA-cph5-3pgr-c82g
• Affects: github.com/consensys/gnark
• Published: Nov 01, 2024
• Modified: Feb 06, 2025

Gnark out-of-memory during deserialization with crafted inputs in github.com/consensys/gnark

• CVE-2024-10005, GHSA-chgm-7r52-whjj
• Affects: github.com/hashicorp/consul
• Published: Nov 04, 2024
• Unreviewed

Hashicorp Consul Path Traversal vulnerability in github.com/hashicorp/consul

• CVE-2024-10086, GHSA-99wr-c2px-grmh
• Affects: github.com/hashicorp/consul
• Published: Nov 04, 2024
• Unreviewed

Hashicorp Consul Cross-site Scripting vulnerability in github.com/hashicorp/consul

• CVE-2024-10006, GHSA-5c4w-8hhh-3c3h
• Affects: github.com/hashicorp/consul
• Published: Nov 04, 2024
• Unreviewed

Hashicorp Consul Improper Neutralization of HTTP Headers for Scripting Syntax vulnerability in github.com/hashicorp/consul

• CVE-2024-10452, GHSA-66c4-2g2v-54qw
• Affects: github.com/grafana/grafana
• Published: Nov 04, 2024
• Unreviewed

Grafana org admin can delete pending invites in different org in github.com/grafana/grafana

• CVE-2024-0132, GHSA-mjjw-553x-87pq
• Affects: github.com/NVIDIA/nvidia-container-toolkit
• Published: Nov 04, 2024
• Unreviewed

NVIDIA Container Toolkit contains a Time-of-check Time-of-Use (TOCTOU) vulnerability in github.com/NVIDIA/nvidia-container-toolkit

• CVE-2024-0133, GHSA-f748-7hpg-88ch
• Affects: github.com/NVIDIA/nvidia-container-toolkit
• Published: Nov 04, 2024
• Unreviewed

NVIDIA Container Toolkit allows specially crafted container image to create empty files on the host file system in github.com/NVIDIA/nvidia-container-toolkit

• CVE-2024-50052, GHSA-g376-m3h3-mj4r
• Affects: github.com/mattermost/mattermost-server, github.com/mattermost/mattermost-server/v5, and 2 more
• Published: Nov 04, 2024
• Unreviewed

Mattermost server allows authenticated user to delete arbitrary post in github.com/mattermost/mattermost-server

• CVE-2024-47401, GHSA-762v-rq7q-ff97
• Affects: github.com/mattermost/mattermost-server, github.com/mattermost/mattermost-server/v5, and 2 more
• Published: Nov 04, 2024
• Unreviewed

Mattermost Server vulnerable to application crash from attacker-generated large response in github.com/mattermost/mattermost-server

• CVE-2024-46872, GHSA-762g-9p7f-mrww
• Affects: github.com/mattermost/mattermost-server, github.com/mattermost/mattermost-server/v5, and 2 more
• Published: Nov 04, 2024
• Unreviewed

Mattermost Server Path Traversal vulnerability that leads to Cross-Site Request Forgery in github.com/mattermost/mattermost-server

• CVE-2024-10241, GHSA-6mvp-gh77-7vwh
• Affects: github.com/mattermost/mattermost-server, github.com/mattermost/mattermost-server/v5, and 2 more
• Published: Oct 30, 2024
• Unreviewed

Mattermost Server allows user to get private channel names in github.com/mattermost/mattermost-server

• CVE-2024-48921, GHSA-qjvc-p88j-j9rm
• Affects: github.com/kyverno/kyverno
• Published: Oct 30, 2024
• Unreviewed

Kyverno's PolicyException objects can be created in any namespace by default in github.com/kyverno/kyverno

• GHSA-wcx9-ccpj-hx3c
• Affects: github.com/coder/coder, github.com/coder/coder/v2
• Published: Oct 30, 2024
• Unreviewed

Coder vulnerable to post-auth URL redirection to untrusted site ('Open Redirect') in github.com/coder/coder

• CVE-2024-10214, GHSA-hm57-h27x-599c
• Affects: github.com/mattermost/mattermost-server, github.com/mattermost/mattermost-server/v5, and 2 more
• Published: Oct 30, 2024
• Unreviewed

Mattermost incorrectly issues two sessions when using desktop SSO in github.com/mattermost/mattermost-server

• CVE-2024-47827, GHSA-ghjw-32xw-ffwr
• Affects: github.com/argoproj/argo-workflows, github.com/argoproj/argo-workflows/v2, and 1 more
• Published: Oct 30, 2024
• Unreviewed

Argo Workflows Controller: Denial of Service via malicious daemon Workflows in github.com/argoproj/argo-workflows

• CVE-2024-39223, GHSA-8wxx-35qc-vp6r
• Affects: github.com/ginuerzh/gost
• Published: Oct 28, 2024
• Unreviewed

Missing key verification in gost in github.com/ginuerzh/gost

• CVE-2022-45157, GHSA-xj7w-r753-vj8v
• Affects: github.com/rancher/rancher
• Published: Oct 28, 2024
• Unreviewed

Exposure of vSphere's CPI and CSI credentials in Rancher in github.com/rancher/rancher. NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions. (If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.) The additional affected modules and versions are: github.com/rancher/rancher from v2.7.0 before v2.8.9, from v2.9.0 before v2.9.3.

• GHSA-x7xj-jvwp-97rv
• Affects: github.com/rancher/rke2
• Published: Oct 28, 2024
• Unreviewed

RKE2 allows privilege escalation in Windows nodes due to Insecure Access Control Lists in github.com/rancher/rke2. NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions. (If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.) The additional affected modules and versions are: github.com/rancher/rke2 from v1.27.0 before v1.27.15, from v1.28.0 before v1.28.11, from v1.29.0 before v1.29.6, from v1.30.0 before v1.30.2.

• CVE-2024-22036, GHSA-h99m-6755-rgwc
• Affects: github.com/rancher/rancher
• Published: Oct 28, 2024
• Unreviewed

Rancher Remote Code Execution via Cluster/Node Drivers in github.com/rancher/rancher. NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions. (If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.) The additional affected modules and versions are: github.com/rancher/rancher from v2.7.0 before v2.7.16, from v2.8.0 before v2.8.9, from v2.9.0 before v2.9.3.

• CVE-2023-32197, GHSA-7h8m-pvw3-5gh4
• Affects: github.com/rancher/rancher
• Published: Oct 28, 2024
• Unreviewed

Rancher allows privilege escalation in Windows nodes due to Insecure Access Control Lists in github.com/rancher/rancher. NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions. (If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.) The additional affected modules and versions are: github.com/rancher/rancher from v2.7.0 before v2.8.9, from v2.9.0 before v2.9.3.

• GHSA-7h65-4p22-39j6
• Affects: github.com/crossplane/crossplane
• Published: Oct 28, 2024
• Unreviewed

github.com/crossplane/crossplane: Unexpected behavior from Is methods for IPv4-mapped IPv6 addresses

• CVE-2023-26248, GHSA-mqr9-hjr8-2m9w
• Affects: github.com/libp2p/go-libp2p-kad-dht
• Published: Dec 12, 2024

Content Censorship in the InterPlanetary File System (IPFS) via Kademlia DHT abuse in github.com/libp2p/go-libp2p-kad-dht

• CVE-2024-49757, GHSA-3rmw-76m6-4gjc
• Affects: github.com/zitadel/zitadel
• Published: Oct 28, 2024
• Unreviewed

User Registration Bypass in Zitadel in github.com/zitadel/zitadel. NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions. (If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.) The additional affected modules and versions are: github.com/zitadel/zitadel before v2.58.7, from v2.59.0 before v2.59.5, from v2.60.0 before v2.60.4, from v2.61.0 before v2.61.4, from v2.62.0 before v2.62.7, from v2.63.0 before v2.63.5.

• CVE-2024-49753, GHSA-6cf5-w9h3-4rqv
• Affects: github.com/zitadel/zitadel
• Published: Oct 28, 2024
• Unreviewed

Denied Host Validation Bypass in Zitadel Actions in github.com/zitadel/zitadel. NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions. (If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.) The additional affected modules and versions are: github.com/zitadel/zitadel before v2.58.7, from v2.59.0 before v2.59.5, from v2.60.0 before v2.60.4, from v2.61.0 before v2.61.4, from v2.62.0 before v2.62.8, from v2.63.0 before v2.63.6, from v2.64.0 before v2.64.1.

• CVE-2024-9264, GHSA-q99m-qcv4-fpm7
• Affects: github.com/grafana/grafana
• Published: Oct 28, 2024
• Unreviewed

Grafana Command Injection And Local File Inclusion Via Sql Expressions in github.com/grafana/grafana. NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions. (If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.) The additional affected modules and versions are: github.com/grafana/grafana from v11.0.0 before v11.0.6+security-01, from v11.1.0 before v11.1.7+security-01, from v11.2.0 before v11.2.2+security-01.

• CVE-2024-49381
• Affects: github.com/plentico/plenti
• Published: Oct 28, 2024
• Unreviewed

Plenti arbitrary file deletion vulnerability in github.com/plentico/plenti

• CVE-2024-49380
• Affects: github.com/plentico/plenti
• Published: Oct 28, 2024
• Unreviewed

Plenti arbitrary file write vulnerability in github.com/plentico/plenti

• GHSA-rjfv-pjvx-mjgv
• Affects: sigs.k8s.io/aws-load-balancer-controller
• Published: Oct 28, 2024
• Unreviewed

AWS Load Balancer Controller automatically detaches externally associated web ACL from Application Load Balancers in sigs.k8s.io/aws-load-balancer-controller. NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions. (If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.) The additional affected modules and versions are: sigs.k8s.io/aws-load-balancer-controller from v2.0.0 before v2.8.2.

• CVE-2024-50312
• Affects: github.com/openshift/console
• Published: Oct 28, 2024
• Unreviewed

Graphql: information disclosure via graphql introspection in openshift in github.com/openshift/console

• CVE-2024-8901
• Affects: github.com/awslabs/aws-alb-route-directive-adapter-for-istio
• Published: Oct 28, 2024
• Unreviewed

Lack of JWT issuer and signer validation in github.com/awslabs/aws-alb-route-directive-adapter-for-istio

• CVE-2024-47825, GHSA-3wwx-63fv-pfq6
• Affects: github.com/cilium/cilium
• Published: Oct 28, 2024
• Unreviewed

Cilium's CIDR deny policies may not take effect when a more narrow CIDR allow is present in github.com/cilium/cilium

• GHSA-p5wf-cmr4-xrwr
• Affects: github.com/facebookincubator/tacquito
• Published: Oct 28, 2024
• Unreviewed

Permissive Regular Expression in tacquito in github.com/facebookincubator/tacquito

• CVE-2024-44337, GHSA-xhr3-wf7j-h255
• Affects: github.com/gomarkdown/markdown
• Published: Dec 12, 2024

Infinite loop in github.com/gomarkdown/markdown

• CVE-2024-9594
• Affects: github.com/kubernetes-sigs/image-builder
• Published: Oct 17, 2024
• Unreviewed

VM images built with Image Builder with some providers use default credentials during builds in github.com/kubernetes-sigs/image-builder

• CVE-2024-9486
• Affects: github.com/kubernetes-sigs/image-builder
• Published: Oct 17, 2024
• Unreviewed

VM images built with Image Builder and Proxmox provider use default credentials in github.com/kubernetes-sigs/image-builder

• CVE-2023-22644
• Affects: github.com/neuvector/neuvector
• Published: Oct 15, 2024
• Unreviewed

JWT token compromise can allow malicious actions including Remote Code Execution (RCE) in github.com/neuvector/neuvector

• CVE-2024-48909, GHSA-3c32-4hq9-6wgj
• Affects: github.com/authzed/spicedb
• Published: Oct 15, 2024
• Unreviewed

SpiceDB calls to LookupResources using LookupResources2 with caveats may return context is missing when it is not in github.com/authzed/spicedb

• GHSA-vv6c-69r6-chg9
• Affects: github.com/landlock-lsm/go-landlock
• Published: Oct 15, 2024
• Unreviewed

Go-Landlock in best-effort mode did not restrict TCP bind and connect operations correctly in github.com/landlock-lsm/go-landlock. NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions. (If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.) The additional affected modules and versions are: .

• CVE-2024-47877, GHSA-8rm2-93mq-jqhc
• Affects: github.com/codeclysm/extract, github.com/codeclysm/extract/v3, and 1 more
• Published: Oct 15, 2024
• Unreviewed

Extract has insufficient checks allowing attacker to create symlinks outside the extraction directory. in github.com/codeclysm/extract

• CVE-2024-9180, GHSA-rr8j-7w34-xp5j
• Affects: github.com/hashicorp/vault
• Published: Oct 11, 2024
• Unreviewed

Vault Community Edition privilege escalation vulnerability in github.com/hashicorp/vault

• CVE-2024-47067, GHSA-8pph-gfhp-w226
• Affects: github.com/alist-org/alist, github.com/alist-org/alist/v3
• Published: Oct 11, 2024
• Unreviewed

Alist reflected Cross-Site Scripting vulnerability in github.com/alist-org/alist

• CVE-2024-38365, GHSA-27vh-h6mc-q6g8
• Affects: github.com/btcsuite/btcd
• Published: Oct 15, 2024
• Modified: Oct 17, 2024

The btcd Bitcoin client (versions 0.10 to 0.24) did not correctly re-implement Bitcoin Core's 'FindAndDelete()' functionality, causing discrepancies in the validation of Bitcoin blocks. This can lead to a chain split (accepting an invalid block) or Denial of Service (DoS) attacks (rejecting a valid block). An attacker can trigger this vulnerability by constructing a 'standard' Bitcoin transaction that exhibits different behaviors in 'FindAndDelete()' and 'removeOpcodeByData()'.

• CVE-2024-9312, GHSA-4gfw-wf7c-w6g2
• Affects: github.com/ubuntu/authd
• Published: Oct 11, 2024
• Modified: Jan 29, 2025

Authd allows attacker-controlled usernames to yield controllable UIDs in github.com/ubuntu/authd

• CVE-2024-9675, GHSA-586p-749j-fhwp
• Affects: github.com/containers/buildah
• Published: Oct 11, 2024
• Modified: Dec 12, 2024

Buildah allows arbitrary directory mount in github.com/containers/buildah

• CVE-2024-47832
• Affects: github.com/ssoready/ssoready
• Published: Oct 11, 2024
• Unreviewed

XML Signature Bypass via differential XML parsing in ssoready in github.com/ssoready/ssoready

• CVE-2024-36814, GHSA-9cp9-8gw2-8v7m
• Affects: github.com/AdguardTeam/AdGuardHome
• Published: Oct 11, 2024
• Unreviewed

Adguard Home arbitrary file read vulnerability in github.com/AdguardTeam/AdGuardHome

• GHSA-wpr2-j6gr-pjw9
• Affects: github.com/opentofu/opentofu
• Published: Oct 09, 2024
• Unreviewed

OpenTofu potential leaking of secret variable values when using static evaluation in v1.8 in github.com/opentofu/opentofu

• CVE-2024-9313, GHSA-x5q3-c8rm-w787
• Affects: github.com/ubuntu/authd
• Published: Oct 09, 2024
• Modified: Jan 29, 2025

PAM module may allow accessing with the credentials of another user in github.com/ubuntu/authd

• CVE-2024-47616, GHSA-r7rh-jww5-5fjr
• Affects: github.com/pomerium/pomerium
• Published: Oct 09, 2024
• Unreviewed

Pomerium service account access token may grant unintended access to databroker API in github.com/pomerium/pomerium

• CVE-2024-8038, GHSA-xwgj-vpm9-q2rq
• Affects: github.com/juju/juju
• Published: Oct 09, 2024
• Unreviewed

Vulnerable juju introspection abstract UNIX domain socket in github.com/juju/juju. NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions. (If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.) The additional affected modules and versions are: github.com/juju/juju before v0.0.0-20240829052008-43f0fc59790d.

• CVE-2024-8037, GHSA-8v4w-f4r9-7h6x
• Affects: github.com/juju/juju
• Published: Oct 09, 2024
• Unreviewed

Vulnerable juju hook tool abstract UNIX domain socket in github.com/juju/juju

• CVE-2024-7558, GHSA-mh98-763h-m9v4
• Affects: github.com/juju/juju
• Published: Oct 09, 2024
• Unreviewed

JUJU_CONTEXT_ID is a predictable authentication secret in github.com/juju/juju

• CVE-2024-33662, GHSA-9mjw-79r6-c9m8
• Affects: github.com/portainer/portainer
• Published: Oct 09, 2024
• Unreviewed

Portainer improperly uses an encryption algorithm in the AesEncrypt function in github.com/portainer/portainer. NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions. (If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.) The additional affected modules and versions are: github.com/portainer/portainer before v2.20.2.

• CVE-2024-9341, GHSA-mc76-5925-c5p6
• Affects: github.com/containers/common
• Published: Oct 14, 2024
• Unreviewed

Link Following in github.com/containers/common

• CVE-2024-8996, GHSA-m5gv-m5f9-wgv4
• Affects: github.com/grafana/agent
• Published: Oct 09, 2024
• Unreviewed

Grafana Agent (Flow mode) on Windows has Unquoted Search Path or Element vulnerability in github.com/grafana/agent

• CVE-2024-9407, GHSA-fhqq-8f65-5xfc
• Affects: github.com/containers/buildah, github.com/containers/podman, and 4 more
• Published: Oct 09, 2024
• Modified: Dec 12, 2024

Improper Input Validation in Buildah and Podman in github.com/containers/buildah

• CVE-2024-8975, GHSA-chqx-36rm-rf8h
• Affects: github.com/grafana/alloy
• Published: Oct 09, 2024
• Unreviewed

Grafana Alloy on Windows has Unquoted Search Path or Element vulnerability in github.com/grafana/alloy

• CVE-2024-9355, GHSA-3h3x-2hwv-hr52
• Affects: github.com/golang-fips/openssl
• Published: Oct 09, 2024
• Modified: Nov 05, 2024

A vulnerability was found in Golang FIPS OpenSSL. This flaw allows a malicious user to randomly cause an uninitialized buffer length variable with a zeroed buffer to be returned in FIPS mode. It may also be possible to force a false positive match between non-equal hashes when comparing a trusted computed hmac sum to an untrusted input sum if an attacker can send a zeroed buffer in place of a pre-computed sum. It is also possible to force a derived key to be all zeros instead of an unpredictable value. This may have follow-on implications for the Go TLS stack.

• CVE-2024-47534, GHSA-4f8r-qqr9-fq8j
• Affects: github.com/theupdateframework/go-tuf/v2
• Published: Oct 09, 2024
• Modified: Oct 14, 2024
• Unreviewed

Incorrect delegation lookups can make go-tuf download the wrong artifact in github.com/theupdateframework/go-tuf

• CVE-2024-47003, GHSA-59hf-mpf8-pqjh
• Affects: github.com/mattermost/mattermost-server, github.com/mattermost/mattermost-server/v5, and 2 more
• Published: Oct 10, 2024
• Unreviewed

Mattermost fails to strip `embeds` from `metadata` when broadcasting `posted` events in github.com/mattermost/mattermost-server

• CVE-2024-47182
• Affects: github.com/amir20/dozzle
• Published: Oct 09, 2024
• Unreviewed

Dozzle uses unsafe hash for passwords in github.com/amir20/dozzle. NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions. (If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.) The additional affected modules and versions are: github.com/amir20/dozzle before v8.5.3.

• CVE-2024-7594, GHSA-jg74-mwgw-v6x3
• Affects: github.com/hashicorp/vault
• Published: Oct 09, 2024
• Unreviewed

Vault SSH Secrets Engine Configuration Did Not Restrict Valid Principals By Default in github.com/hashicorp/vault

• CVE-2024-22030, GHSA-h4h5-9833-v2p4
• Affects: github.com/rancher/rancher
• Published: Oct 09, 2024
• Unreviewed

Rancher agents can be hijacked by taking over the Rancher Server URL in github.com/rancher/rancher. NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions. (If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.) The additional affected modules and versions are: github.com/rancher/rancher from v2.7.0 before v2.7.15, from v2.8.0 before v2.8.8, from v2.9.0 before v2.9.2.

• CVE-2024-45042, GHSA-wc43-73w7-x2f5
• Affects: github.com/ory/kratos
• Published: Sep 26, 2024
• Unreviewed

Ory Kratos's setting required_aal `highest_available` does not properly respect code + mfa credentials in github.com/ory/kratos

• CVE-2024-40761, GHSA-48cr-j2cx-mcr8
• Affects: github.com/apache/incubator-answer
• Published: Sep 26, 2024
• Unreviewed

Apache Answer: Avatar URL leaked user email addresses in github.com/apache/incubator-answer

• CVE-2024-46957, GHSA-98hf-m87w-cq6h
• Affects: mellium.im/xmpp
• Published: Sep 26, 2024
• Unreviewed

Mellium allows Authentication Bypass by Spoofing in mellium.im/xmpp

• CVE-2024-47219
• Affects: github.com/vesoft-inc/nebula
• Published: Sep 26, 2024
• Unreviewed

CVE-2024-47219 in github.com/vesoft-inc/nebula

• CVE-2024-47218
• Affects: github.com/vesoft-inc/nebula
• Published: Sep 26, 2024
• Unreviewed

CVE-2024-47218 in github.com/vesoft-inc/nebula

• CVE-2024-47062, GHSA-58vj-cv5w-v4v6
• Affects: github.com/navidrome/navidrome
• Published: Sep 26, 2024
• Unreviewed

Navidrome has Multiple SQL Injections and ORM Leak in github.com/navidrome/navidrome

• CVE-2024-8260, GHSA-c77r-fh37-x2px
• Affects: github.com/open-policy-agent/opa
• Published: Sep 20, 2024

OPA for Windows has an SMB force-authentication vulnerability. Due to improper input validation, it allows a user to pass an arbitrary SMB share instead of a Rego file as an argument to OPA CLI or to one of the OPA Go library’s functions.

• CVE-2024-8986, GHSA-xxxw-3j6h-q7h6
• Affects: github.com/grafana/grafana-plugin-sdk-go
• Published: Nov 20, 2024
• Modified: Dec 12, 2024

The grafana plugin SDK bundles build metadata into the binaries it compiles; this metadata includes the repository URI for the plugin being built, as retrieved by running "git remote get-url origin". If credentials are included in the repository URI (for instance, to allow for fetching of private dependencies), the final binary will contain the full URI, including said credentials.

• CVE-2024-47000, GHSA-qr2h-7pwm-h393
• Affects: github.com/zitadel/zitadel
• Published: Sep 26, 2024
• Unreviewed

ZITADEL's Service Users Deactivation not Working in github.com/zitadel/zitadel. NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions. (If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.) The additional affected modules and versions are: github.com/zitadel/zitadel before v2.54.10, from v2.55.0 before v2.55.8, from v2.56.0 before v2.56.6, from v2.57.0 before v2.57.5, from v2.58.0 before v2.58.5, from v2.59.0 before v2.59.3, from v2.60.0 before v2.60.2, from v2.61.0 before v2.61.1, from v2.62.0 before v2.62.1.

• CVE-2024-47060, GHSA-jj94-6f5c-65r8
• Affects: github.com/zitadel/zitadel
• Published: Sep 26, 2024
• Unreviewed

ZITADEL Allows Unauthorized Access After Organization or Project Deactivation in github.com/zitadel/zitadel. NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions. (If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.) The additional affected modules and versions are: github.com/zitadel/zitadel before v2.54.10, from v2.55.0 before v2.55.8, from v2.56.0 before v2.56.6, from v2.57.0 before v2.57.5, from v2.58.0 before v2.58.5, from v2.59.0 before v2.59.3, from v2.60.0 before v2.60.2, from v2.61.0 before v2.61.1, from v2.62.0 before v2.62.1.

• CVE-2024-46999, GHSA-2w5j-qfvw-2hf5
• Affects: github.com/zitadel/zitadel
• Published: Sep 26, 2024
• Unreviewed

ZITADEL's User Grant Deactivation not Working in github.com/zitadel/zitadel. NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions. (If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.) The additional affected modules and versions are: github.com/zitadel/zitadel before v2.54.10, from v2.55.0 before v2.55.8, from v2.56.0 before v2.56.6, from v2.57.0 before v2.57.5, from v2.58.0 before v2.58.5, from v2.59.0 before v2.59.3, from v2.60.0 before v2.60.2, from v2.61.0 before v2.61.1, from v2.62.0 before v2.62.1.

• CVE-2023-27584, GHSA-hpc8-7wpm-889w
• Affects: d7y.io/dragonfly/v2
• Published: Sep 26, 2024
• Unreviewed

Dragonfly2 has hard coded cyptographic key in d7y.io/dragonfly

• CVE-2024-45410, GHSA-62c8-mh53-4cqv
• Affects: github.com/traefik/traefik, github.com/traefik/traefik/v2, and 1 more
• Published: Sep 26, 2024
• Unreviewed

HTTP client can manipulate custom HTTP headers that are added by Traefik in github.com/traefik/traefik

• CVE-2023-30464, GHSA-h92q-fgpp-qhrq
• Affects: github.com/coredns/coredns
• Published: Sep 25, 2024
• Modified: Sep 26, 2024

CoreDNS enables attackers to achieve DNS cache poisoning and inject fake responses via a birthday attack.

• CVE-2023-47105, GHSA-723h-x37g-f8qm
• Affects: github.com/chaosblade-io/chaosblade
• Published: Sep 25, 2024
• Unreviewed

Chaosblade vulnerable to OS command execution in github.com/chaosblade-io/chaosblade

• CVE-2024-46989, GHSA-jhg6-6qrx-38mr
• Affects: github.com/authzed/spicedb
• Published: Sep 25, 2024
• Unreviewed

SpiceDB having multiple caveats on resources of the same type may improperly result in no permission in github.com/authzed/spicedb

• CVE-2023-28452, GHSA-hfmw-7g3m-gj6q
• Affects: github.com/coredns/coredns
• Published: Sep 25, 2024
• Unreviewed

CoreDNS vulnerable to TuDoor Attacks in github.com/coredns/coredns

• CVE-2024-7387, GHSA-qqv8-ph7f-h3f7
• Affects: github.com/openshift/builder
• Published: Sep 18, 2024
• Unreviewed

OpenShift Builder has a path traversal, allows command injection in privileged BuildContainer in github.com/openshift/builder

• CVE-2024-45496, GHSA-j8gh-87rx-c7w9
• Affects: github.com/openshift/openshift-controller-manager
• Published: Sep 18, 2024
• Unreviewed

OpenShift Controller Manager Improper Privilege Management in github.com/openshift/openshift-controller-manager. NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions. (If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.) The additional affected modules and versions are: github.com/openshift/openshift-controller-manager before v0.0.0-alpha.0.0.20240911.

• CVE-2024-45041, GHSA-qwgc-rr35-h4x9
• Affects: github.com/external-secrets/external-secrets
• Published: Sep 13, 2024
• Unreviewed

External Secrets Operator vulnerable to privilege escalation in github.com/external-secrets/external-secrets

• CVE-2024-8572, GHSA-pv7h-hg6m-82j8
• Affects: github.com/gouniverse/cms
• Published: Sep 13, 2024
• Unreviewed

Gouniverse GoLang CMS vulnerable to Cross-site Scripting in github.com/gouniverse/cms

• CVE-2023-46565, GHSA-6rqv-5cg7-m4x3
• Affects: github.com/osrg/gobgp/v3
• Published: Sep 17, 2024

Buffer Overflow vulnerability allows a remote attacker to cause a denial of service via an fsm error handling function.

• CVE-2024-45040, GHSA-9xcg-3q8v-7fq6
• Affects: github.com/consensys/gnark
• Published: Sep 13, 2024

Commitments to private witnesses in Groth16 as implemented break zero-knowledge property in github.com/consensys/gnark

• CVE-2024-45039, GHSA-q3hw-3gm4-w5cr
• Affects: github.com/consensys/gnark
• Published: Nov 20, 2024
• Modified: Dec 12, 2024

Groth16 commitment extension unsound for more than one commitment in github.com/consensys/gnark

• GHSA-7q74-g774-7x3g
• Affects: github.com/cosmos/interchain-security, github.com/cosmos/interchain-security/v2, and 3 more
• Published: Sep 06, 2024
• Unreviewed

Interchain Security: The signers of ICS messages do not need to match the provider address in github.com/cosmos/interchain-security

• CVE-2024-45401, GHSA-fv4g-gwpj-74gr
• Affects: github.com/stripe/stripe-cli
• Published: Sep 06, 2024
• Unreviewed

Path traversal vulnerability in stripe-cli in github.com/stripe/stripe-cli

• CVE-2024-8462
• Affects: github.com/windmill-labs/windmill
• Published: Sep 06, 2024
• Unreviewed

Windmill HTTP Request users.rs excessive authentication in github.com/windmill-labs/windmill

• CVE-2024-45395, GHSA-cq38-jh5f-37mq
• Affects: github.com/sigstore/sigstore-go
• Published: Sep 06, 2024
• Unreviewed

sigstore-go has an unbounded loop over untrusted input can lead to endless data attack in github.com/sigstore/sigstore-go

• CVE-2024-43405, GHSA-7h5p-mmpp-hgmm
• Affects: github.com/projectdiscovery/nuclei, github.com/projectdiscovery/nuclei/v2, and 1 more
• Published: Sep 06, 2024
• Unreviewed

Nuclei Template Signature Verification Bypass in github.com/projectdiscovery/nuclei

• CVE-2024-8365, GHSA-jjxf-26c9-77gm
• Affects: github.com/hashicorp/vault
• Published: Sep 06, 2024
• Unreviewed

Vault Leaks Client Token and Token Accessor in Audit Devices in github.com/hashicorp/vault

• GHSA-g5xx-c4hv-9ccc
• Affects: github.com/cometbft/cometbft
• Published: Sep 13, 2024

CometBFT's state syncing validator from malicious node may lead to a chain split github.com/cometbft/cometbft

• CVE-2024-45310, GHSA-jfvp-7x6p-h2pv
• Affects: github.com/opencontainers/runc
• Published: Sep 06, 2024
• Unreviewed

runc can be confused to create empty files/directories on the host in github.com/opencontainers/runc

• CVE-2024-43803, GHSA-pqfh-xh7w-7h3p
• Affects: github.com/metal3-io/baremetal-operator
• Published: Dec 20, 2024
• Unreviewed

The Bare Metal Operator (BMO) can expose particularly named secrets from other namespaces via BMH CRD in github.com/metal3-io/baremetal-operator

• CVE-2024-45388, GHSA-6xx4-x46f-f897
• Affects: github.com/SpectoLabs/hoverfly
• Published: Sep 06, 2024
• Unreviewed

Hoverfly allows an arbitrary file read in the `/api/v2/simulation` endpoint (`GHSL-2023-274`) in github.com/SpectoLabs/hoverfly

• CVE-2024-34158
• Affects: go/build/constraint
• Published: Sep 06, 2024

Calling Parse on a "// +build" build tag line with deeply nested expressions can cause a panic due to stack exhaustion.

• CVE-2024-34156
• Affects: encoding/gob
• Published: Sep 06, 2024

Calling Decoder.Decode on a message which contains deeply nested structures can cause a panic due to stack exhaustion. This is a follow-up to CVE-2022-30635.

• CVE-2024-34155
• Affects: go/parser
• Published: Sep 06, 2024

Calling any of the Parse functions on Go source code which contains deeply nested literals can cause a panic due to stack exhaustion.

• CVE-2024-45436, GHSA-846m-99qv-67mg
• Affects: github.com/ollama/ollama
• Published: Aug 30, 2024
• Modified: Dec 12, 2024

Ollama can extract members of a ZIP archive outside of the parent directory in github.com/ollama/ollama

• CVE-2024-45054, GHSA-mgwr-h7mv-fh29
• Affects: github.com/hwameistor/hwameistor
• Published: Aug 30, 2024
• Unreviewed

Hwameistor Potential Permission Leakage of Cluster Level in github.com/hwameistor/hwameistor

• CVE-2024-45043, GHSA-prf6-xjxh-p698
• Affects: github.com/open-telemetry/opentelemetry-collector-contrib/receiver/awsfirehosereceiver
• Published: Aug 30, 2024
• Unreviewed

OpenTelemetry Collector module AWS Firehose Receiver Authentication Bypass Vulnerability in github.com/open-telemetry/opentelemetry-collector-contrib/receiver/awsfirehosereceiver

• GHSA-75qh-gg76-p2w4
• Affects: github.com/CosmWasm/wasmvm
• Published: Dec 20, 2024
• Modified: Dec 20, 2024

A specifically crafted Wasm file can cause the VM to consume excessive amounts of memory when compiling a contract. This can lead to high memory usage, slowdowns, potentially a crash and can poison a lock in the VM, preventing any further interaction with contracts.

• CVE-2024-43798, GHSA-38jh-8h67-m7mj
• Affects: github.com/jpillora/chisel
• Published: Aug 30, 2024
• Unreviewed

Chisel's AUTH environment variable not respected in server entrypoint in github.com/jpillora/chisel

• CVE-2024-45244, GHSA-48gg-32q2-4r6m
• Affects: github.com/hyperledger/fabric
• Published: Aug 30, 2024
• Unreviewed

Hyperledger Fabric does not verify request has a timestamp within the expected time window in github.com/hyperledger/fabric

• CVE-2024-45258, GHSA-cj55-gc7m-wvcq
• Affects: github.com/imroc/req, github.com/imroc/req/v2, and 1 more
• Published: Sep 13, 2024

The req library is a widely used HTTP library in Go. However, it does not handle malformed URLs effectively. As a result, after parsing a malformed URL, the library may send HTTP requests to unexpected destinations, potentially leading to security vulnerabilities or unintended behavior in applications relying on this library for handling HTTP requests. Despite developers potentially utilizing the net/url library to parse malformed URLs and implement blocklists to prevent HTTP requests to listed URLs, inconsistencies exist between how the net/url and req libraries parse URLs. These discrepancies can lead to the failure of defensive strategies, resulting in potential security threats such as Server-Side Request Forgery (SSRF) and Remote Code Execution (RCE).

• CVE-2024-40886, GHSA-hrf9-rm95-fpf3
• Affects: github.com/mattermost/mattermost-server, github.com/mattermost/mattermost-server/v5, and 2 more
• Published: Aug 30, 2024
• Unreviewed

Mattermost Cross-Site Request Forgery vulnerability in github.com/mattermost/mattermost-server

• CVE-2024-39836, GHSA-c6vp-jjgv-38wj
• Affects: github.com/mattermost/mattermost-server, github.com/mattermost/mattermost-server/v5, and 2 more
• Published: Aug 30, 2024
• Unreviewed

Mattermost allows remote/synthetic users to create sessions, reset passwords in github.com/mattermost/mattermost-server

• CVE-2024-43105, GHSA-869f-px86-vj84
• Affects: github.com/mattermost/mattermost-plugin-channel-export
• Published: Aug 30, 2024
• Unreviewed

Mattermost Plugin Channel Export excessive resource consumption in github.com/mattermost/mattermost-plugin-channel-export

• CVE-2024-8071, GHSA-5263-pm2h-m7hw
• Affects: github.com/mattermost/mattermost-server, github.com/mattermost/mattermost-server/v5, and 2 more
• Published: Aug 30, 2024
• Unreviewed

Mattermost doesn't restrict which roles can promote a user as system admin in github.com/mattermost/mattermost-server

• CVE-2024-32939, GHSA-4ww8-fprq-cq34
• Affects: github.com/mattermost/mattermost-server, github.com/mattermost/mattermost-server/v5, and 2 more
• Published: Aug 30, 2024
• Unreviewed

Mattermost doesn't redact remote users' original email addresses in github.com/mattermost/mattermost-server

• CVE-2024-39777, GHSA-q22q-2rrf-m27p
• Affects: github.com/mattermost/mattermost-server, github.com/mattermost/mattermost-server/v5, and 2 more
• Published: Aug 30, 2024
• Unreviewed

Mattermost allows unsolicited invites to expose access to local channels in github.com/mattermost/mattermost-server

• CVE-2024-42497, GHSA-fxq9-6946-34q7
• Affects: github.com/mattermost/mattermost-server, github.com/mattermost/mattermost-server/v5, and 2 more
• Published: Aug 30, 2024
• Unreviewed

Mattermost allows user with systems manager role with read-only access to teams to perform write operations on teams in github.com/mattermost/mattermost-server

• CVE-2024-40884, GHSA-3j95-8g47-fpwh
• Affects: github.com/mattermost/mattermost-server, github.com/mattermost/mattermost-server/v5, and 2 more
• Published: Aug 30, 2024
• Unreviewed

Mattermost allows team admin user without "Add Team Members" permission to disable invite URL in github.com/mattermost/mattermost-server

• CVE-2024-43780, GHSA-2jhx-w3vc-w59g
• Affects: github.com/mattermost/mattermost-server, github.com/mattermost/mattermost-server/v5, and 2 more
• Published: Aug 30, 2024
• Unreviewed

Mattermost allows guest user with read access to upload files to a channel in github.com/mattermost/mattermost-server

• CVE-2024-41659, GHSA-p4fx-qf2h-jpmj
• Affects: github.com/usememos/memos
• Published: Aug 30, 2024
• Unreviewed

memos CORS Misconfiguration in server.go (GHSL-2024-034) in github.com/usememos/memos

• CVE-2024-41657, GHSA-mchx-7j67-8mcf
• Affects: github.com/casdoor/casdoor
• Published: Aug 30, 2024
• Unreviewed

Casdoor CORS misconfiguration (GHSL-2024-035) in github.com/casdoor/casdoor

• CVE-2024-41658, GHSA-gv2p-4mvg-g32h
• Affects: github.com/casdoor/casdoor
• Published: Aug 30, 2024
• Unreviewed

Casdoor has reflected XSS in QrCodePage.js (GHSL-2024-036) in github.com/casdoor/casdoor

• CVE-2024-42490, GHSA-qxqc-27pr-wgc8
• Affects: goauthentik.io
• Published: Aug 30, 2024
• Unreviewed

GoAuthentik vulnerable to Insufficient Authorization for several API endpoints in goauthentik.io. NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions. (If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.) The additional affected modules and versions are: goauthentik.io before v2024.4.4, from v2024.6.0-rc1 before v2024.6.4.

• CVE-2024-6508, GHSA-4crf-28c7-v4gr
• Affects: github.com/openshift/console
• Published: Aug 30, 2024
• Unreviewed

Openshift Console insufficient entropy vulnerability in github.com/openshift/console

• GHSA-g8w7-7vgg-x7xg
• Affects: github.com/CosmWasm/wasmd
• Published: Aug 30, 2024
• Unreviewed

CWA-2024-005: Stackoverflow in wasmd in github.com/CosmWasm/wasmd

• GHSA-fpgj-cr28-fvpx
• Affects: github.com/CosmWasm/wasmd
• Published: Aug 30, 2024
• Unreviewed

CWA-2024-006: wasmd non-deterministic module_query_safe query in github.com/CosmWasm/wasmd

• CVE-2024-43403, GHSA-h27c-6xm3-mcqp
• Affects: github.com/kanisterio/kanister
• Published: Aug 22, 2024
• Unreviewed

Kanister vulnerable to cluster-level privilege escalation in github.com/kanisterio/kanister

• CVE-2024-6322, GHSA-hh8p-374f-qgr5
• Affects: github.com/grafana/grafana
• Published: Aug 22, 2024
• Unreviewed

Grafana plugin data sources vulnerable to access control bypass in github.com/grafana/grafana. NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions. (If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.) The additional affected modules and versions are: github.com/grafana/grafana from v11.1.0 before v11.1.1, from v11.1.2 before v11.1.3.

• CVE-2024-43406, GHSA-r5ph-4jxm-6j9p
• Affects: github.com/lf-edge/ekuiper
• Published: Aug 22, 2024
• Unreviewed

LF Edge eKuiper has a SQL Injection in sqlKvStore in github.com/lf-edge/ekuiper

• CVE-2024-39690, GHSA-mq69-4j5w-3qwp
• Affects: github.com/projectcapsule/capsule
• Published: Aug 22, 2024
• Unreviewed

Capsule tenant owner with "patch namespace" permission can hijack system namespaces in github.com/projectcapsule/capsule

• CVE-2024-43379, GHSA-3r74-v83p-f4f4
• Affects: github.com/trufflesecurity/trufflehog, github.com/trufflesecurity/trufflehog/v3
• Published: Aug 22, 2024
• Unreviewed

Trufflehog vulnerable to Blind SSRF in some Detectors in github.com/trufflesecurity/trufflehog

• CVE-2024-7646
• Affects: github.com/kubernetes/ingress-nginx
• Published: Aug 19, 2024
• Unreviewed

CVE-2024-7646 in github.com/kubernetes/ingress-nginx. NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions. (If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.) The additional affected modules and versions are: github.com/kubernetes/ingress-nginx before v1.11.2.

• CVE-2024-42486, GHSA-vwf8-q6fw-4wcm
• Affects: github.com/cilium/cilium
• Published: Aug 19, 2024
• Unreviewed

Cilium leaks information via incorrect ReferenceGrant update logic in Gateway API in github.com/cilium/cilium

• CVE-2024-7625, GHSA-25qx-vfw2-fw8r
• Affects: github.com/hashicorp/nomad
• Published: Aug 19, 2024
• Unreviewed

Nomad Vulnerable to Allocation Directory Escape On Non-Existing File Paths Through Archive Unpacking in github.com/hashicorp/nomad. NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions. (If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.) The additional affected modules and versions are: github.com/hashicorp/nomad from v0.6.1 before v1.6.14, from v1.7.0 before v1.7.11, from v1.8.0 before v1.8.3.

• CVE-2024-42488, GHSA-q7w8-72mr-vpgw
• Affects: github.com/cilium/cilium
• Published: Aug 16, 2024
• Unreviewed

Policy bypass for Host Firewall policy due to race condition in Cilium agent in github.com/cilium/cilium

• CVE-2024-42487, GHSA-qcm3-7879-xcww
• Affects: github.com/cilium/cilium
• Published: Aug 16, 2024
• Unreviewed

Gateway API route matching order contradicts specification in github.com/cilium/cilium

• CVE-2024-32231, GHSA-75jf-52jg-qqh4
• Affects: github.com/stashapp/stash
• Published: Aug 16, 2024
• Modified: Aug 19, 2024
• Unreviewed

SQL injection in github.com/stashapp/stash

• GHSA-83qr-9v2h-qxp4
• Affects: github.com/cosmos/gaia/v14, github.com/cosmos/gaia/v15, and 2 more
• Published: Aug 19, 2024
• Unreviewed

Missing check for the height of cryptographic equivocation evidence in github.com/cosmos/gaia

• CVE-2024-42368, GHSA-rfxf-mf63-cpqv
• Affects: github.com/open-telemetry/opentelemetry-collector-contrib/extension/bearertokenauthextension
• Published: Aug 13, 2024
• Modified: Aug 19, 2024
• Unreviewed

open-telemetry has an Observable Timing Discrepancy in github.com/open-telemetry/opentelemetry-collector-contrib/extension/bearertokenauthextension

• CVE-2024-41888, GHSA-v3x9-wrq5-868j
• Affects: github.com/apache/incubator-answer
• Published: Aug 13, 2024
• Unreviewed

Apache Answer: The link for resetting user password is not Single-Use in github.com/apache/incubator-answer

• CVE-2024-41890, GHSA-gvpv-r32v-9737
• Affects: github.com/apache/incubator-answer
• Published: Aug 13, 2024
• Unreviewed

Apache Answer: The link to reset the user's password will remain valid after sending a new link in github.com/apache/incubator-answer

• CVE-2024-42480, GHSA-6r4j-4rjc-8vw5
• Affects: github.com/clastix/kamaji
• Published: Aug 13, 2024
• Unreviewed

RBAC Roles for `etcd` created by Kamaji are not disjunct in github.com/clastix/kamaji

• CVE-2024-42473, GHSA-3f6g-m4hr-59h8
• Affects: github.com/openfga/openfga
• Published: Aug 13, 2024
• Modified: Aug 15, 2024
• Unreviewed

OpenFGA Authorization Bypass in github.com/openfga/openfga

• GHSA-m3rh-cvr5-x6q4
• Affects: github.com/CosmWasm/wasmd
• Published: Aug 13, 2024
• Unreviewed

CosmWasm wasmd has large address count in ValidateBasic in github.com/CosmWasm/wasmd

• CVE-2024-41270, GHSA-p3pf-mff8-3h47
• Affects: github.com/appleboy/gorush
• Published: Aug 19, 2024

An issue in the RunHTTPServer function in Gorush allows attackers to intercept and manipulate data due to the use of a deprecated TLS version.

• CVE-2024-41260, GHSA-9v35-4xcr-w9ph
• Affects: github.com/netbirdio/netbird
• Published: Aug 13, 2024
• Unreviewed

NetBird uses a static initialization vector (IV) in github.com/netbirdio/netbird

• CVE-2024-6886, GHSA-4h4p-553m-46qh
• Affects: code.gitea.io/gitea
• Published: Aug 06, 2024
• Unreviewed

Gitea Cross-site Scripting Vulnerability in code.gitea.io/gitea

• CVE-2024-29191, GHSA-wv8x-3w6r-6h7v
• Affects: github.com/AlexxIT/go2rtc
• Published: Aug 06, 2024
• Unreviewed

gotortc Cross-site Scripting vulnerability in github.com/AlexxIT/go2rtc

• CVE-2024-29026, GHSA-v99w-r56h-g23v
• Affects: github.com/owncast/owncast
• Published: Aug 06, 2024
• Unreviewed

Owncast Cross-Site Request Forgery vulnerability in github.com/owncast/owncast

• CVE-2024-29193, GHSA-rh4r-f7f7-r99m
• Affects: github.com/AlexxIT/go2rtc
• Published: Aug 06, 2024
• Unreviewed

gotortc Cross-site Scripting vulnerability in github.com/AlexxIT/go2rtc

• CVE-2024-29192, GHSA-qgj8-g9q4-7f2p
• Affects: github.com/AlexxIT/go2rtc
• Published: Aug 06, 2024
• Unreviewed

gotortc vulnerable to Cross-Site Request Forgery in github.com/AlexxIT/go2rtc

• CVE-2024-35182, GHSA-h7cm-jvpp-69xf
• Affects: github.com/layer5io/meshery
• Published: Aug 06, 2024
• Unreviewed

Meshery SQL Injection vulnerability in github.com/layer5io/meshery. NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions. (If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.) The additional affected modules and versions are: github.com/layer5io/meshery before v0.7.22.

• CVE-2024-35181, GHSA-9f24-jrv4-f8g5
• Affects: github.com/layer5io/meshery
• Published: Aug 06, 2024
• Unreviewed

Meshery SQL Injection vulnerability in github.com/layer5io/meshery. NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions. (If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.) The additional affected modules and versions are: github.com/layer5io/meshery before v0.7.22.

• CVE-2024-29029, GHSA-9cqm-mgv9-vv9j
• Affects: github.com/usememos/memos
• Published: Aug 06, 2024
• Unreviewed

memos vulnerable to Server-Side Request Forgery and Cross-site Scripting in github.com/usememos/memos

• CVE-2023-48703, GHSA-6h53-q94j-348w
• Affects: github.com/RobotsAndPencils/go-saml
• Published: Aug 06, 2024
• Unreviewed

RobotsAndPencils go-saml authentication bypass vulnerability in github.com/RobotsAndPencils/go-saml

• CVE-2024-29028, GHSA-6fcf-g3mp-xj2x
• Affects: github.com/usememos/memos
• Published: Aug 06, 2024
• Unreviewed

memos vulnerable to Server-Side Request Forgery in /o/get/httpmeta in github.com/usememos/memos

• CVE-2024-29030, GHSA-65fm-2jgr-j7qq
• Affects: github.com/usememos/memos
• Published: Aug 06, 2024
• Unreviewed

memos vulnerable to Server-Side Request Forgery in /api/resource in github.com/usememos/memos

• CVE-2024-29031, GHSA-652r-q29p-m25h
• Affects: github.com/layer5io/meshery
• Published: Aug 06, 2024
• Unreviewed

Meshery SQL Injection vulnerability in github.com/layer5io/meshery

• CVE-2023-26494, GHSA-5fwq-9x7j-2qpg
• Affects: go.thethings.network/lorawan-stack, go.thethings.network/lorawan-stack/v3
• Published: Aug 06, 2024
• Unreviewed

lorawan-stack Open Redirect vulnerability in go.thethings.network/lorawan-stack

• CVE-2024-3056, GHSA-rpcc-p8xm-rc6p
• Affects: github.com/containers/podman, github.com/containers/podman/v2, and 3 more
• Published: Aug 06, 2024
• Unreviewed

Podman vulnerable to memory-based denial of service in github.com/containers/podman

• GHSA-6vjm-54vp-mxhx
• Affects: github.com/juju/juju
• Published: Aug 06, 2024
• Unreviewed

Juju's unprivileged user running on charm node can leak any secret or relation data accessible to the local charm in github.com/juju/juju. NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions. (If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.) The additional affected modules and versions are: github.com/juju/juju before v2.9.50, from v3.0.0 before v3.1.9, from v3.2.0 before v3.3.6, from v3.4.0 before v3.4.5, from v3.5.0 before v3.5.3.

• CVE-2024-41820, GHSA-3wfj-3x8q-hrpg
• Affects: github.com/kubean-io/kubean
• Published: Aug 06, 2024
• Modified: Aug 19, 2024
• Unreviewed

Kubean vulnerable to cluster-level privilege escalation in github.com/kubean-io/kubean

• GHSA-qv35-3gw6-8q4j
• Affects: github.com/regclient/regclient
• Published: Aug 06, 2024
• Unreviewed

In regclient, pinned manifest digests may be ignored in github.com/regclient/regclient

• CVE-2024-37286, GHSA-f6cj-4h3g-hwq4
• Affects: github.com/elastic/apm-server
• Published: Aug 06, 2024
• Unreviewed

APM Server vulnerable to Insertion of Sensitive Information into Log File in github.com/elastic/apm-server. NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions. (If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.) The additional affected modules and versions are: github.com/elastic/apm-server before v8.14.0.

• CVE-2024-41265, GHSA-vw7g-3cc7-7rmh
• Affects: github.com/cortexproject/cortex
• Published: Aug 06, 2024
• Unreviewed

cortex establishes TLS connections with `InsecureSkipVerify` set to `true` in github.com/cortexproject/cortex

• CVE-2024-41256, GHSA-mpvx-whpp-99xj
• Affects: github.com/mickael-kerjean/filestash
• Published: Aug 06, 2024
• Unreviewed

Filestash skips TLS certificate verification process when sending out email verification codes in github.com/mickael-kerjean/filestash

• CVE-2024-36533, GHSA-5g3x-8g2v-r8x8
• Affects: volcano.sh/volcano
• Published: Aug 06, 2024
• Unreviewed

Volcano has insecure permissions in volcano.sh/volcano

• CVE-2024-41255, GHSA-4jmm-c6jw-g796
• Affects: github.com/mickael-kerjean/filestash
• Published: Aug 06, 2024
• Modified: Aug 19, 2024
• Unreviewed

Filestash configured to skip TLS certificate verification when using the FTPS protocol in github.com/mickael-kerjean/filestash

• CVE-2024-39837, GHSA-vvpg-55p7-5h8w
• Affects: github.com/mattermost/mattermost-server, github.com/mattermost/mattermost-server/v5, and 2 more
• Published: Aug 06, 2024
• Unreviewed

Mattermost did not properly restrict channel creation in github.com/mattermost/mattermost-server

• CVE-2024-41162, GHSA-jr9x-3x7m-4j75
• Affects: github.com/mattermost/mattermost-server, github.com/mattermost/mattermost-server/v5, and 2 more
• Published: Aug 06, 2024
• Unreviewed

Mattermost allows a remote actor to make an arbitrary local channel read-only in github.com/mattermost/mattermost-server

• CVE-2024-29977, GHSA-jq3g-xqpx-37x3
• Affects: github.com/mattermost/mattermost-server, github.com/mattermost/mattermost-server/v5, and 2 more
• Published: Aug 06, 2024
• Unreviewed

Mattermost failed to properly validate synced reactions in github.com/mattermost/mattermost-server

• CVE-2024-41259, GHSA-hrmx-8jjv-g758
• Affects: github.com/navidrome/navidrome
• Published: Aug 06, 2024
• Unreviewed

Navidrome uses MD5 hashing algorithm in github.com/navidrome/navidrome

• CVE-2024-39274, GHSA-cmc8-222c-vqp9
• Affects: github.com/mattermost/mattermost-server, github.com/mattermost/mattermost-server/v5, and 2 more
• Published: Aug 06, 2024
• Unreviewed

Mattermost failed to properly validate that the channel that comes from the sync message is a shared channel in github.com/mattermost/mattermost-server

• CVE-2024-36536, GHSA-c9cm-5j82-m6pj
• Affects: github.com/fabedge/fabedge
• Published: Aug 06, 2024
• Unreviewed

fabedge has insecure permissions in github.com/fabedge/fabedge

• CVE-2024-41264, GHSA-67fw-w8f2-88wp
• Affects: github.com/casdoor/casdoor
• Published: Aug 06, 2024
• Unreviewed

casdoor's use of`ssh.InsecureIgnoreHostKey()` disables host key verification in github.com/casdoor/casdoor

• CVE-2024-36492, GHSA-56mc-f9w7-2wxq
• Affects: github.com/mattermost/mattermost-server, github.com/mattermost/mattermost-server/v5, and 2 more
• Published: Aug 06, 2024
• Unreviewed

Mattermost failed to disallow the modification of local users when syncing users in shared channels in github.com/mattermost/mattermost-server

• CVE-2024-39839, GHSA-vg6q-84p8-qvqh
• Affects: github.com/mattermost/mattermost-server, github.com/mattermost/mattermost-server/v5, and 2 more
• Published: Aug 06, 2024
• Unreviewed

Mattermost allows a user on a remote to set their remote username prop to an arbitrary string in github.com/mattermost/mattermost-server

• CVE-2024-41144, GHSA-vg67-chm7-8m3j
• Affects: github.com/mattermost/mattermost-server, github.com/mattermost/mattermost-server/v5, and 2 more
• Published: Aug 06, 2024
• Unreviewed

Mattermost allows remote actor to create/update/delete posts in arbitrary channels in github.com/mattermost/mattermost-server

• CVE-2024-41926, GHSA-9fpw-c9x7-cv3j
• Affects: github.com/mattermost/mattermost-server, github.com/mattermost/mattermost-server/v5, and 2 more
• Published: Aug 06, 2024
• Unreviewed

Mattermost allows remote actor to set arbitrary RemoteId values for synced users in github.com/mattermost/mattermost-server

• CVE-2024-39832, GHSA-762m-4cx6-6mf4
• Affects: github.com/mattermost/mattermost-server, github.com/mattermost/mattermost-server/v5, and 2 more
• Published: Aug 06, 2024
• Unreviewed

Mattermost allows a remote actor to permanently delete local data by abusing dangerous error handling in github.com/mattermost/mattermost-server

• CVE-2024-41956, GHSA-m445-w3xr-vp2f
• Affects: github.com/charmbracelet/soft-serve
• Published: Aug 06, 2024
• Unreviewed

soft-serve vulnerable to arbitrary code execution by crafting git-lfs requests in github.com/charmbracelet/soft-serve

• CVE-2024-40464, GHSA-r6qh-j42j-pw64
• Affects: github.com/beego/beego/v2
• Published: Aug 19, 2024

Beego privilege escalation vulnerability via sendMail in github.com/beego/beego/v2

• CVE-2024-41953, GHSA-v333-7h2p-5fhv
• Affects: github.com/zitadel/zitadel
• Published: Aug 06, 2024
• Unreviewed

ZITADEL has improper HTML sanitization in emails and Console UI in github.com/zitadel/zitadel. NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions. (If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.) The additional affected modules and versions are: github.com/zitadel/zitadel from v2.52.0 before v2.52.3, from v2.53.0 before v2.53.9, from v2.54.0 before v2.54.8, from v2.55.0 before v2.55.5, from v2.56.0 before v2.56.2, from v2.57.0 before v2.57.1, from v2.58.0 before v2.58.1.

• CVE-2024-41952, GHSA-567v-6hmg-6qg7
• Affects: github.com/zitadel/zitadel
• Published: Aug 06, 2024
• Unreviewed

ZITADEL "ignoring unknown usernames" vulnerability in github.com/zitadel/zitadel. NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions. (If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.) The additional affected modules and versions are: github.com/zitadel/zitadel from v2.53.0 before v2.53.9, from v2.54.0 before v2.54.8, from v2.55.0 before v2.55.5, from v2.56.0 before v2.56.2, from v2.57.0 before v2.57.1, from v2.58.0 before v2.58.1.

• CVE-2024-22278, GHSA-hw28-333w-qxp3
• Affects: github.com/goharbor/harbor
• Published: Aug 06, 2024
• Unreviewed

Harbor fails to validate the user permissions when updating project configurations in github.com/goharbor/harbor

• Affects: github.com/PromonLogicalis/asn1
• Published: Jul 31, 2024

Version 7bdca06d0edf of the github.com/PromonLogicalis/asn1 module contains malicious code which downloads a program from a remote web server and executes it.

• GHSA-wm25-j4gw-6vr3
• Affects: github.com/prest/prest
• Published: Aug 06, 2024
• Unreviewed

pREST vulnerable to jwt bypass + sql injection in github.com/prest/prest

• CVE-2024-6984
• Affects: github.com/juju/juju
• Published: Aug 06, 2024
• Unreviewed

CVE-2024-6984 in github.com/juju/juju. NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions. (If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.) The additional affected modules and versions are: github.com/juju/juju from v2.9.0 before v2.9.50, from v3.1.0 before v3.1.9, from v3.3.0 before v3.3.5, from v3.4.0 before v3.4.5, from v3.5.0 before v3.5.3.

• CVE-2024-29069, GHSA-69p6-gp5x-j269
• Affects: github.com/snapcore/snapd
• Published: Aug 06, 2024
• Unreviewed

snapd failed to properly check the destination of symbolic links when extracting a snap in github.com/snapcore/snapd. NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions. (If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.) The additional affected modules and versions are: github.com/snapcore/snapd before v2.62.0.

• CVE-2024-29068, GHSA-64jh-cjwc-w8q6
• Affects: github.com/snapcore/snapd
• Published: Aug 06, 2024
• Unreviewed

snapd failed to properly check the file type when extracting a snap in github.com/snapcore/snapd. NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions. (If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.) The additional affected modules and versions are: github.com/snapcore/snapd before v2.62.0.

• CVE-2024-1724, GHSA-4mh8-9689-38vr
• Affects: github.com/snapcore/snapd
• Published: Aug 06, 2024
• Unreviewed

snapd failed to restrict writes to the $HOME/bin path in github.com/snapcore/snapd. NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions. (If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.) The additional affected modules and versions are: github.com/snapcore/snapd before v2.62.0.

• CVE-2024-41666, GHSA-v8wx-v5jq-qhhw
• Affects: github.com/argoproj/argo-cd, github.com/argoproj/argo-cd/v2
• Published: Aug 06, 2024
• Unreviewed

The Argo CD web terminal session does not handle the revocation of user permissions properly in github.com/argoproj/argo-cd

• CVE-2024-41110
• Affects: github.com/moby/moby, github.com/docker/docker
• Published: Jul 29, 2024

Moby authz zero length regression in github.com/moby/moby

• CVE-2024-40634, GHSA-jmvp-698c-4x3w
• Affects: github.com/argoproj/argo-cd, github.com/argoproj/argo-cd/v2
• Published: Aug 06, 2024
• Unreviewed

Argo CD Unauthenticated Denial of Service (DoS) Vulnerability via /api/webhook Endpoint in github.com/argoproj/argo-cd

• CVE-2024-41121, GHSA-xw35-rrcp-g7xm
• Affects: go.woodpecker-ci.org/woodpecker, go.woodpecker-ci.org/woodpecker/v2
• Published: Aug 06, 2024
• Unreviewed

Woodpecker's custom workspace allow to overwrite plugin entrypoint executable in go.woodpecker-ci.org/woodpecker

• CVE-2024-41122, GHSA-3wf2-2pq4-4rvc
• Affects: go.woodpecker-ci.org/woodpecker, go.woodpecker-ci.org/woodpecker/v2
• Published: Aug 06, 2024
• Unreviewed

Woodpecker's custom environment variables allow to alter execution flow of plugins in go.woodpecker-ci.org/woodpecker

• CVE-2024-21583
• Affects: github.com/gitpod-io/gitpod, github.com/gitpod-io/gitpod/components/server/go, and 2 more
• Published: Jul 22, 2024
• Modified: Sep 06, 2024
• Unreviewed

CVE-2024-21583 in github.com/gitpod-io/gitpod. NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions. (If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.) The additional affected modules and versions are: github.com/gitpod-io/gitpod before v0.1.5-main-gha.27122; github.com/gitpod-io/gitpod/components/server/go before main-gha.27122; github.com/gitpod-io/gitpod/components/ws-proxy before main-gha.27122; github.com/gitpod-io/gitpod/install/installer before main-gha.27122.

• CVE-2024-21527
• Affects: github.com/gotenberg/gotenberg/v7, github.com/gotenberg/gotenberg/v8
• Published: Jul 22, 2024
• Unreviewed

CVE-2024-21527 in github.com/gotenberg/gotenberg

• CVE-2024-5321, GHSA-82m2-cv7p-4m75
• Affects: k8s.io/kubernetes
• Published: Jul 22, 2024
• Unreviewed

Kubernetes sets incorrect permissions on Windows containers logs in k8s.io/kubernetes

• CVE-2024-41111, GHSA-hc5w-gxxr-w8x8
• Affects: github.com/bishopfox/sliver
• Published: Jul 22, 2024
• Modified: Aug 19, 2024
• Unreviewed

Sliver Allows Authenticated Operator-to-Server Remote Code Execution in github.com/bishopfox/sliver. NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions. (If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.) The additional affected modules and versions are: github.com/bishopfox/sliver before v1.6.0.

• CVE-2024-39911
• Affects: github.com/1Panel-dev/1Panel
• Published: Jul 22, 2024
• Unreviewed

1Panel SQL injection in github.com/1Panel-dev/1Panel

• CVE-2024-39907, GHSA-5grx-v727-qmq6
• Affects: github.com/1Panel-dev/1Panel
• Published: Jul 22, 2024
• Unreviewed

1Panel has an SQL injection issue related to the orderBy clause in github.com/1Panel-dev/1Panel. NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions. (If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.) The additional affected modules and versions are: github.com/1Panel-dev/1Panel before v1.10.12-tls.

• CVE-2024-40641, GHSA-c3q9-c27p-cw9h
• Affects: github.com/projectdiscovery/nuclei, github.com/projectdiscovery/nuclei/v2, and 1 more
• Published: Jul 22, 2024
• Unreviewed

projectdiscovery/nuclei allows unsigned code template execution through workflows in github.com/projectdiscovery/nuclei

• CVE-2024-6535, GHSA-w799-v85j-88pg
• Affects: github.com/skupperproject/skupper
• Published: Jul 22, 2024
• Modified: Aug 19, 2024
• Unreviewed

Skupper uses a static cookie secret for the openshift oauth-proxy in github.com/skupperproject/skupper

• CVE-2024-40632
• Affects: github.com/linkerd/linkerd2
• Published: Jul 22, 2024

Linkerd potential access to the shutdown endpoint in github.com/linkerd/linkerd2

• CVE-2024-6468, GHSA-2qmw-pvf7-4mw6
• Affects: github.com/hashicorp/vault
• Published: Jul 12, 2024
• Modified: Aug 19, 2024
• Unreviewed

Hashicorp Vault vulnerable to Improper Check or Handling of Exceptional Conditions in github.com/hashicorp/vault. NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions. (If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.) The additional affected modules and versions are: github.com/hashicorp/vault before v1.15.12.

• CVE-2024-39909, GHSA-5248-h45p-9pgw
• Affects: github.com/openclarity/kubeclarity/backend
• Published: Jul 12, 2024
• Modified: Aug 19, 2024
• Unreviewed

SQL Injection in the KubeClarity REST API in github.com/openclarity/kubeclarity/backend

• CVE-2022-29946, GHSA-2h2x-8hh2-mfq8
• Affects: github.com/nats-io/nats-server, github.com/nats-io/nats-server/v2, and 1 more
• Published: Jul 12, 2024
• Unreviewed

NATS Server and Streaming Server fails to enforce negative user permissions, may allow denied subjects in github.com/nats-io/nats-server

• CVE-2024-39897, GHSA-55r9-5mx9-qq7r
• Affects: zotregistry.dev/zot, zotregistry.io/zot
• Published: Jul 10, 2024
• Modified: Sep 06, 2024
• Unreviewed

Cache driver GetBlob() allows read access to any blob without access control check in zotregistry.dev/zot. NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions. (If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.) The additional affected modules and versions are: zotregistry.dev/zot before v2.1.0; zotregistry.io/zot before v2.1.0.

• GHSA-xr7q-jx4m-x55m
• Affects: google.golang.org/grpc
• Published: Jul 09, 2024

If applications print or log a context containing gRPC metadata, the output will contain all the metadata, which may include private information. This represents a potential PII concern.

• CVE-2024-6284, GHSA-qjvf-8748-9w7h
• Affects: github.com/google/nftables
• Published: Jul 09, 2024

IP addresses were encoded in the wrong byte order, resulting in an nftables configuration which did not work as intended (might block or not block the desired addresses).

• CVE-2024-39696, GHSA-q6hg-6m9x-5g9c
• Affects: github.com/evmos/evmos, github.com/evmos/evmos/v2, and 17 more
• Published: Jul 09, 2024
• Modified: Jul 29, 2024
• Unreviewed

Evmos vulnerable to exploit of smart contract account and vesting in github.com/evmos/evmos

• CVE-2024-39321, GHSA-gxrv-wf35-62w9
• Affects: github.com/traefik/traefik, github.com/traefik/traefik/v2, and 1 more
• Published: Jul 09, 2024
• Unreviewed

Bypassing IP allow-lists in traefik via HTTP/3 early data requests in QUIC 0-RTT handshakes in github.com/traefik/traefik

• CVE-2024-39933, GHSA-8mm6-wmpp-mmm3
• Affects: github.com/gogs/gogs
• Published: Jul 09, 2024
• Modified: Aug 19, 2024
• Unreviewed

Gogs allows argument injection during the tagging of a new release in github.com/gogs/gogs

• CVE-2024-39932, GHSA-hf29-9hfh-w63j
• Affects: github.com/gogs/gogs
• Published: Jul 09, 2024
• Unreviewed

Gogs allows argument injection during the previewing of changes in github.com/gogs/gogs

• CVE-2024-39931, GHSA-2vgj-3pvg-xh4w
• Affects: github.com/gogs/gogs
• Published: Jul 09, 2024
• Unreviewed

Gogs allows deletion of internal files in github.com/gogs/gogs

• CVE-2024-39930, GHSA-p69r-v3h4-rj4f
• Affects: github.com/gogs/gogs
• Published: Jul 09, 2024
• Modified: Jul 29, 2024
• Unreviewed

github.com/gogs/gogs affected by CVE-2024-39930

• CVE-2024-39683, GHSA-cvw9-c57h-3397
• Affects: github.com/zitadel/zitadel
• Published: Jul 09, 2024
• Unreviewed

ZITADEL Vulnerable to Session Information Leakage in github.com/zitadel/zitadel. NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions. (If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.) The additional affected modules and versions are: github.com/zitadel/zitadel from v2.0.0 before v2.53.8, from v2.54.0 before v2.54.5, from v2.55.0 before v2.55.1.

• CVE-2024-39315, GHSA-rrqr-7w59-637v
• Affects: github.com/pomerium/pomerium
• Published: Jul 03, 2024
• Modified: Jul 29, 2024
• Unreviewed

Pomerium exposed OAuth2 access and ID tokens in user info endpoint response in github.com/pomerium/pomerium

• CVE-2024-24791
• Affects: net/http
• Published: Jul 02, 2024

The net/http HTTP/1.1 client mishandled the case where a server responds to a request with an "Expect: 100-continue" header with a non-informational (200 or higher) status. This mishandling could leave a client connection in an invalid state, where the next request sent on the connection will fail. An attacker sending a request to a net/http/httputil.ReverseProxy proxy can exploit this mishandling to cause a denial of service by sending "Expect: 100-continue" requests which elicit a non-informational response from the backend. Each such request leaves the proxy with an invalid connection, and causes one subsequent request using that connection to fail.

• CVE-2023-24531
• Affects: cmd/go
• Published: Jul 02, 2024

Command go env is documented as outputting a shell script containing the Go environment. However, go env doesn't sanitize values, so executing its output as a shell script can cause various bad bahaviors, including executing arbitrary commands or inserting new environment variables. This issue is relatively minor because, in general, if an attacker can set arbitrary environment variables on a system, they have better attack vectors than making "go env" print them out.

• CVE-2022-30636
• Affects: golang.org/x/crypto
• Published: Jul 02, 2024

httpTokenCacheKey uses path.Base to extract the expected HTTP-01 token value to lookup in the DirCache implementation. On Windows, path.Base acts differently to filepath.Base, since Windows uses a different path separator (\ vs. /), allowing a user to provide a relative path, i.e. .well-known/acme-challenge/..\..\asd becomes ..\..\asd. The extracted path is then suffixed with +http-01, joined with the cache directory, and opened. Since the controlled path is suffixed with +http-01 before opening, the impact of this is significantly limited, since it only allows reading arbitrary files on the system if and only if they have this suffix.

• CVE-2024-38513, GHSA-98j2-3j3p-fw2v
• Affects: github.com/gofiber/fiber, github.com/gofiber/fiber/v2
• Published: Jul 02, 2024

Session Middleware Token Injection Vulnerability in github.com/gofiber/fiber

• CVE-2024-37298, GHSA-3669-72x9-r9p3
• Affects: github.com/gorilla/schema
• Published: Jul 02, 2024

Potential memory exhaustion attack due to sparse slice deserialization in github.com/gorilla/schema

• CVE-2019-25211, GHSA-869c-j7wc-8jqv
• Affects: github.com/gin-contrib/cors
• Published: Jul 02, 2024

Gin-Gonic CORS middleware mishandles a wildcard at the end of an origin string. Examples: https://example.community/* is accepted by the origin string https://example.com/* and http://localhost.example.com/* is accepted by the origin string http://localhost/* .

• GHSA-hg58-rf2h-6rr7
• Affects: github.com/cometbft/cometbft
• Published: Jul 02, 2024

A malicious peer can cause a syncing node to panic during blocksync. The syncing node may enter into a catastrophic invalid syncing state or get stuck in blocksync mode, never switching to consensus. Nodes that are vulnerable to this state may experience a Denial of Service condition in which syncing will not work as expected when joining a network as a client.

• CVE-2024-6257, GHSA-xfhp-jf8p-mh5w
• Affects: github.com/hashicorp/go-getter
• Published: Jun 28, 2024

A crafted request can execute Git update on an existing maliciously modified Git Configuration. This can potentially lead to arbitrary code execution. When performing a Git operation, the library will try to clone the given repository to a specified destination. Cloning initializes a git config in the provided destination. An attacker may alter the Git config after the cloning step to set an arbitrary Git configuration to achieve code execution.

• CVE-2024-6104, GHSA-v6v8-xj6m-xwqh
• Affects: github.com/hashicorp/go-retryablehttp
• Published: Jun 25, 2024

URLs were not sanitized when writing them to log files. This could lead to writing sensitive HTTP basic auth credentials to the log file.

• CVE-2024-38359, GHSA-9gxx-58q6-42p7
• Affects: github.com/lightningnetwork/lnd
• Published: Jul 01, 2024
• Unreviewed

Lightning Network Daemon (LND)'s onion processing logic leads to a denial of service in github.com/lightningnetwork/lnd

• GHSA-rvj4-q8q5-8grf
• Affects: github.com/traefik/traefik, github.com/traefik/traefik/v2, and 1 more
• Published: Jun 28, 2024
• Unreviewed

ACME DNS: Azure Identity Libraries Elevation of Privilege Vulnerability in github.com/traefik/traefik

• CVE-2024-37897, GHSA-hw5f-6wvv-xcrh
• Affects: github.com/drakkan/sftpgo, github.com/drakkan/sftpgo/v2
• Published: Jun 28, 2024
• Unreviewed

SFTPGo has insufficient access control for password reset in github.com/drakkan/sftpgo

• CVE-2024-38361, GHSA-grjv-gjgr-66g2
• Affects: github.com/authzed/spicedb
• Published: Jun 28, 2024
• Unreviewed

SpiceDB exclusions can result in no permission returned when permission expected in github.com/authzed/spicedb

• CVE-2024-5182, GHSA-cpcx-r2gq-x893
• Affects: github.com/go-skynet/LocalAI
• Published: Jun 28, 2024
• Modified: Jul 09, 2024
• Unreviewed

LocalAI path traversal vulnerability in github.com/go-skynet/LocalAI. NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions. (If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.) The additional affected modules and versions are: github.com/go-skynet/LocalAI before v2.16.0.

• CVE-2024-24792, GHSA-9phm-fm57-rhg8
• Affects: golang.org/x/image
• Published: Jun 25, 2024
• Modified: Jun 26, 2024

Parsing a corrupt or malicious image with invalid color indices can cause a panic.

• CVE-2024-38351, GHSA-m93w-4fxv-r35v
• Affects: github.com/pocketbase/pocketbase
• Published: Jul 01, 2024

PocketBase performs password auth and OAuth2 unverified email linking in github.com/pocketbase/pocketbase

• CVE-2024-37904, GHSA-hpcg-xjq5-g666
• Affects: github.com/stacklok/minder
• Published: Jun 28, 2024
• Unreviewed

Minder affected by denial of service from maliciously configured Git repository in github.com/stacklok/minder

• CVE-2024-5899
• Affects: github.com/bazelbuild/intellij
• Published: Jun 28, 2024
• Unreviewed

Improper trust check in Bazel Build intellij plugin in github.com/bazelbuild/intellij

• CVE-2024-22032, GHSA-q6c7-56cq-g2wm
• Affects: github.com/rancher/rancher
• Published: Jun 28, 2024
• Modified: Jul 09, 2024
• Unreviewed

Rancher's RKE1 Encryption Config kept in plain-text within cluster AppliedSpec in github.com/rancher/rancher. NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions. (If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.) The additional affected modules and versions are: github.com/rancher/rancher from v2.7.0 before v2.7.14, from v2.8.0 before v2.8.5.

• CVE-2023-22650, GHSA-9ghh-mmcq-8phc
• Affects: github.com/rancher/rancher
• Published: Jun 28, 2024
• Modified: Jul 09, 2024
• Unreviewed

Rancher does not automatically clean up a user deleted or disabled from the configured Authentication Provider in github.com/rancher/rancher. NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions. (If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.) The additional affected modules and versions are: github.com/rancher/rancher from v2.7.0 before v2.7.14, from v2.8.0 before v2.8.5.

• CVE-2023-32191, GHSA-6gr4-52w6-vmqx
• Affects: github.com/rancher/rke
• Published: Jul 01, 2024

When RKE provisions a cluster, it stores the cluster state in a configmap called "full-cluster-state" inside the "kube-system" namespace of the cluster itself. This cluster state object contains information used to set up the K8s cluster, which may include sensitive data.

• CVE-2023-32196, GHSA-64jq-m7rq-768h
• Affects: github.com/rancher/rancher
• Published: Jun 28, 2024
• Modified: Jul 09, 2024
• Unreviewed

Rancher's External RoleTemplates can lead to privilege escalation in github.com/rancher/rancher. NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions. (If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.) The additional affected modules and versions are: github.com/rancher/rancher from v2.7.0 before v2.7.14, from v2.8.0 before v2.8.5.

• CVE-2024-37896
• Affects: github.com/flipped-aurora/gin-vue-admin
• Published: Jun 28, 2024
• Unreviewed

SQL injection vulnerability in Gin-vue-admin in github.com/flipped-aurora/gin-vue-admin

• CVE-2024-37159
• Affects: github.com/evmos/evmos, github.com/evmos/evmos/v2, and 16 more
• Published: Jun 28, 2024
• Unreviewed

Evmos is missing create validator check in github.com/evmos/evmos

• CVE-2024-37158
• Affects: github.com/evmos/evmos, github.com/evmos/evmos/v2, and 16 more
• Published: Jun 28, 2024
• Unreviewed

Evmos is missing precompile checks in github.com/evmos/evmos

• CVE-2024-36586, GHSA-7jp9-vgmq-c8r5
• Affects: github.com/AdguardTeam/AdGuardHome
• Published: Jun 28, 2024
• Modified: Sep 06, 2024
• Unreviewed

AdGuardHome privilege escalation vulnerability in github.com/AdguardTeam/AdGuardHome. NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions. (If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.) The additional affected modules and versions are: .

• GHSA-85rg-8m6h-825p
• Affects: github.com/k8sgpt-ai/k8sgpt
• Published: Jun 20, 2024
• Unreviewed

Vulnerabilities with the k8sGPT in github.com/k8sgpt-ai/k8sgpt

• CVE-2024-37307, GHSA-wh78-7948-358j
• Affects: github.com/cilium/cilium
• Published: Jun 20, 2024
• Unreviewed

Cilium leaks sensitive information in cilium-bugtool in github.com/cilium/cilium

• CVE-2024-5798, GHSA-32cj-5wx4-gq8p
• Affects: github.com/hashicorp/vault
• Published: Jul 01, 2024
• Modified: Jul 09, 2024
• Unreviewed

HashiCorp Vault Incorrectly Validated JSON Web Tokens (JWT) Audience Claims in github.com/hashicorp/vault. NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions. (If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.) The additional affected modules and versions are: github.com/hashicorp/vault before v1.15.9.

• CVE-2023-49559, GHSA-2hmf-46v7-v6fx
• Affects: github.com/vektah/gqlparser, github.com/vektah/gqlparser/v2
• Published: Jul 01, 2024

An issue in vektah gqlparser open-source-library allows a remote attacker to cause a denial of service via a crafted script to the parseDirectives function.

• CVE-2024-5154, GHSA-j9hf-98c3-wrm8
• Affects: github.com/cri-o/cri-o
• Published: Jun 14, 2024
• Modified: Aug 19, 2024
• Unreviewed

malicious container creates symlink "mtab" on the host External in github.com/cri-o/cri-o

• CVE-2024-35255, GHSA-m5vv-6r4h-3vj9
• Affects: github.com/Azure/azure-sdk-for-go/sdk/azidentity
• Published: Jul 01, 2024

Azure Identity Libraries Elevation of Privilege Vulnerability in github.com/Azure/azure-sdk-for-go/sdk/azidentity

• GHSA-7jmw-8259-q9jx
• Affects: github.com/traefik/traefik, github.com/traefik/traefik/v2, and 1 more
• Published: Jun 14, 2024
• Unreviewed

Traefik has unexpected behavior with IPv4-mapped IPv6 addresses in github.com/traefik/traefik

• CVE-2024-22261, GHSA-vw63-824v-qf2j
• Affects: github.com/goharbor/harbor
• Published: Jun 14, 2024
• Unreviewed

SQL Injection in Harbor scan log API in github.com/goharbor/harbor

• CVE-2024-22244, GHSA-5757-v49g-f6r7
• Affects: github.com/goharbor/harbor
• Published: Jun 14, 2024
• Unreviewed

Open Redirect URL in Harbor in github.com/goharbor/harbor

• GHSA-xmmx-7jpf-fx42
• Affects: github.com/docker/docker, github.com/moby/moby
• Published: Jun 14, 2024
• Modified: Jul 01, 2024

Moby (Docker Engine) is vulnerable to Ambiguous OCI manifest parsing in github.com/docker/docker

• CVE-2021-41089, GHSA-v994-f8vw-g7j4
• Affects: github.com/docker/docker, github.com/moby/moby
• Published: Jun 14, 2024
• Modified: Jul 01, 2024

Unexpected chmod of host files via 'docker cp' in Moby Docker Engine in github.com/docker/docker

• CVE-2021-41092, GHSA-99pg-grm5-qq3v
• Affects: github.com/docker/cli
• Published: Jul 01, 2024
• Modified: Jul 19, 2024

Docker CLI leaks private registry credentials to registry-1.docker.io in github.com/docker/cli

• GHSA-87m9-rv8p-rgmg
• Affects: github.com/mostynb/go-grpc-compression
• Published: Jun 14, 2024
• Unreviewed

go-grpc-compression has a zstd decompression bombing vulnerability in github.com/mostynb/go-grpc-compression

• CVE-2024-5262, GHSA-q5mg-pc7r-r8cr
• Affects: github.com/projectdiscovery/interactsh
• Published: Jun 14, 2024
• Unreviewed

Files or Directories Accessible to External Parties in ProjectDiscovery in github.com/projectdiscovery/interactsh

• CVE-2024-5138
• Affects: github.com/snapcore/snapd
• Published: Jun 14, 2024
• Unreviewed

CVE-2024-5138 in github.com/snapcore/snapd

• CVE-2024-5037
• Affects: github.com/openshift/telemeter
• Published: Jun 28, 2024
• Modified: Aug 19, 2024
• Unreviewed

Openshift/telemeter: iss check during jwt authentication can be bypassed in github.com/openshift/telemeter

• CVE-2024-37154, GHSA-7hrh-v6wp-53vw
• Affects: github.com/evmos/evmos, github.com/evmos/evmos/v2, and 16 more
• Published: Jun 14, 2024
• Modified: Jun 28, 2024
• Unreviewed

Evmos allows unvested token delegations in github.com/evmos/evmos

• CVE-2024-37153, GHSA-xgr7-jgq3-mhmc
• Affects: github.com/evmos/evmos, github.com/evmos/evmos/v2, and 16 more
• Published: Jun 14, 2024
• Modified: Jun 28, 2024
• Unreviewed

Contract balance not updating correctly after interchain transaction in github.com/evmos/evmos

• CVE-2024-37152, GHSA-87p9-x75h-p4j2
• Affects: github.com/argoproj/argo-cd, github.com/argoproj/argo-cd/v2
• Published: Jun 14, 2024
• Modified: Jun 28, 2024
• Unreviewed

Unauthenticated Access to sensitive settings in Argo CD in github.com/argoproj/argo-cd

• CVE-2024-37032, GHSA-8hqg-whrw-pv92
• Affects: github.com/ollama/ollama
• Published: Jun 14, 2024
• Modified: Dec 12, 2024

Ollama does not validate the format of the digest (sha256 with 64 hex digits) in github.com/ollama/ollama

• CVE-2024-36129, GHSA-c74f-6mfw-mm4v
• Affects: go.opentelemetry.io/collector/config/configgrpc, go.opentelemetry.io/collector/config/confighttp
• Published: Jun 14, 2024
• Modified: Jul 19, 2024

An unsafe decompression vulnerability allows unauthenticated attackers to crash the collector via excessive memory consumption.

• CVE-2024-36127, GHSA-v6mg-7f7p-qmqp
• Affects: chainguard.dev/apko
• Published: Jun 14, 2024
• Unreviewed

apko Exposure of HTTP basic auth credentials in log output in chainguard.dev/apko

• CVE-2024-36106, GHSA-3cqf-953p-h5cp
• Affects: github.com/argoproj/argo-cd, github.com/argoproj/argo-cd/v2
• Published: Jun 28, 2024
• Unreviewed

Argo-cd authenticated users can enumerate clusters by name in github.com/argoproj/argo-cd

• CVE-2024-32873, GHSA-pxv8-qhrh-jc7v
• Affects: github.com/evmos/evmos, github.com/evmos/evmos/v2, and 16 more
• Published: Jun 14, 2024
• Modified: Aug 19, 2024
• Unreviewed

evmos allows transferring unvested tokens after delegations in github.com/evmos/evmos

• CVE-2024-24789
• Affects: archive/zip
• Published: Jun 04, 2024

The archive/zip package's handling of certain types of invalid zip files differs from the behavior of most zip implementations. This misalignment could be exploited to create an zip file with contents that vary depending on the implementation reading the file. The archive/zip package now rejects files containing these errors.

• CVE-2024-24790
• Affects: net/netip
• Published: Jun 04, 2024

The various Is methods (IsPrivate, IsLoopback, etc) did not work as expected for IPv4-mapped IPv6 addresses, returning false for addresses which would return true in their traditional IPv4 forms.

• CVE-2024-36107, GHSA-95fr-cm4m-q5p9
• Affects: github.com/minio/minio
• Published: Jun 05, 2024
• Unreviewed

MinIO information disclosure vulnerability in github.com/minio/minio

• CVE-2024-35238, GHSA-8fmj-33gw-g7pw
• Affects: github.com/stacklok/minder
• Published: Jun 05, 2024
• Unreviewed

Denial of service of Minder Server from maliciously crafted GitHub attestations in github.com/stacklok/minder

• GHSA-mh55-gqvf-xfwm
• Affects: github.com/rs/cors
• Published: Jul 02, 2024
• Modified: Jul 09, 2024

Middleware causes a prohibitive amount of heap allocations when processing malicious preflight requests that include a Access-Control-Request-Headers (ACRH) header whose value contains many commas. This behavior can be abused by attackers to produce undue load on the middleware/server as an attempt to cause a denial of service.

• CVE-2024-35232, GHSA-3f65-m234-9mxr
• Affects: github.com/huandu/facebook, github.com/huandu/facebook/v2
• Published: Jun 05, 2024
• Modified: Jun 28, 2024
• Unreviewed

github.com/huandu/facebook may expose access_token in error message.

• GHSA-f7cq-5v43-8pwp
• Affects: github.com/traefik/traefik, github.com/traefik/traefik/v2, and 1 more
• Published: Jun 05, 2024
• Unreviewed

Traefik vulnerable to GO issue allowing malformed DNS message to cause infinite loop in github.com/traefik/traefik

• CVE-2024-35223, GHSA-284c-x8m7-9w5h
• Affects: github.com/dapr/dapr
• Published: May 24, 2024
• Unreviewed

Dapr API Token Exposure in github.com/dapr/dapr

• CVE-2024-31989, GHSA-9766-5277-j5hr
• Affects: github.com/argoproj/argo-cd, github.com/argoproj/argo-cd/v2
• Published: Jun 05, 2024
• Unreviewed

ArgoCD Vulnerable to Use of Risky or Missing Cryptographic Algorithms in Redis Cache in github.com/argoproj/argo-cd

• CVE-2024-34710
• Affects: github.com/requarks/wiki
• Published: Jun 05, 2024
• Unreviewed

Wiki.js Stored XSS through Client Side Template Injection in github.com/requarks/wiki

• GHSA-qjcv-rx3v-7mvj
• Affects: github.com/cosmos/ibc-go, github.com/cosmos/ibc-go/v2, and 5 more
• Published: May 23, 2024

The ibc-go module is affected by the Inter-Blockchain Communication (IBC) protocol "Huckleberry" vulnerability. The vulnerability allowed an attacker to send arbitrary transactions onto target chains and trigger arbitrary state transitions, including but not limited to, theft of funds. It was possible to exploit this vulnerability in specific situations involving relaying packets in which the source chain is also the final destination chain. Affected networks are those that allow for fee grant capabilities and use a native Relayer (e.g., Osmosis and Juno).

• GHSA-2j6r-9vv4-6gf5
• Affects: github.com/bincyber/go-sqlcrypter
• Published: Jun 05, 2024
• Unreviewed

github.com/bincyber/go-sqlcrypter vulnerable to IV collision

• CVE-2024-35194, GHSA-crgc-2583-rw27
• Affects: github.com/stacklok/minder
• Published: Jun 05, 2024
• Unreviewed

Stacklok Minder vulnerable to denial of service from maliciously crafted templates in github.com/stacklok/minder

• CVE-2024-35192, GHSA-xcq4-m2r3-cmrj
• Affects: github.com/aquasecurity/trivy
• Published: May 22, 2024

A malicious registry can cause Trivy to leak credentials for legitimate registries such as AWS Elastic Container Registry (ECR), Google Cloud Artifact/Container Registry, or Azure Container Registry (ACR) if the registry is scanned from directly using Trivy. These tokens can then be used to push/pull images from those registries to which the identity/user running Trivy has access. This vulnerability only applies when scanning container images directly from a registry. If you use Docker, containerd or other runtime to pull images locally and scan them with Trivy, you are not affected. To enforce this behavior, you can use the --image-src flag to select which sources you trust.

• CVE-2022-39324, GHSA-4724-7jwc-3fpw
• Affects: github.com/grafana/grafana
• Published: Jun 05, 2024
• Modified: Jul 09, 2024
• Unreviewed

Grafana Spoofing originalUrl of snapshots in github.com/grafana/grafana. NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions. (If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.) The additional affected modules and versions are: github.com/grafana/grafana before v8.5.16, from v9.0.0 before v9.2.8.

• CVE-2024-5042, GHSA-2rhx-qhxp-5jpw
• Affects: github.com/submariner-io/submariner-operator
• Published: Jun 05, 2024
• Modified: Aug 19, 2024
• Unreviewed

Submariner Operator sets unnecessary RBAC permissions in helm charts in github.com/submariner-io/submariner-operator

• CVE-2023-40297, GHSA-x8xm-wrjq-5g54
• Affects: github.com/stakater/Forecastle
• Published: Jun 05, 2024
• Unreviewed

Stakater Forecastle has a directory traversal vulnerability in github.com/stakater/Forecastle

• CVE-2024-35185, GHSA-fjw8-3gp8-4cvx
• Affects: github.com/stacklok/minder
• Published: May 20, 2024
• Unreviewed

Denial of service of Minder Server with attacker-controlled REST endpoint in github.com/stacklok/minder

• CVE-2024-35183, GHSA-8fg7-hp93-qhvr
• Affects: github.com/wolfi-dev/wolfictl
• Published: Jun 04, 2024
• Unreviewed

wolfictl leaks GitHub tokens to remote non-GitHub git servers in github.com/wolfi-dev/wolfictl

• CVE-2024-3744, GHSA-qjqg-4wg7-957h
• Affects: sigs.k8s.io/azurefile-csi-driver
• Published: Jun 04, 2024
• Modified: Jun 28, 2024
• Unreviewed

azure-file-csi-driver leaks service account tokens in the logs in sigs.k8s.io/azurefile-csi-driver

• GHSA-f6mm-5fc7-3g3c
• Affects: github.com/goreleaser/goreleaser
• Published: Jun 04, 2024
• Unreviewed

goreleaser shows environment by default in github.com/goreleaser/goreleaser

• CVE-2024-31216, GHSA-v554-xwgw-hc3w
• Affects: github.com/fluxcd/source-controller
• Published: Jun 04, 2024
• Unreviewed

source-controller leaks Azure Storage SAS token into logs in github.com/fluxcd/source-controller

• CVE-2022-39201, GHSA-x744-mm8v-vpgr
• Affects: github.com/grafana/grafana
• Published: Jun 10, 2024
• Modified: Jul 09, 2024
• Unreviewed

Grafana Data source and plugin proxy endpoints could leak the authentication cookie to some destination plugins in github.com/grafana/grafana. NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions. (If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.) The additional affected modules and versions are: github.com/grafana/grafana before v8.5.14, from v9.0.0 before v9.1.8.

• CVE-2022-31097, GHSA-vw7q-p2qg-4m5f
• Affects: github.com/grafana/grafana
• Published: Jun 05, 2024
• Modified: Jul 09, 2024
• Unreviewed

Grafana Stored Cross-site Scripting in Unified Alerting in github.com/grafana/grafana. NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions. (If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.) The additional affected modules and versions are: github.com/grafana/grafana from v8.0.0 before v8.3.10, from v8.4.0 before v8.4.10, from v8.5.0 before v8.5.9, from v9.0.0 before v9.0.3.

• CVE-2022-39328, GHSA-vqc4-mpj8-jxch
• Affects: github.com/grafana/grafana
• Published: Jun 05, 2024
• Modified: Jul 09, 2024
• Unreviewed

Grafana Race condition allowing privilege escalation in github.com/grafana/grafana. NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions. (If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.) The additional affected modules and versions are: github.com/grafana/grafana from v9.2.0 before v9.2.4.

• CVE-2022-31123, GHSA-rhxj-gh46-jvw8
• Affects: github.com/grafana/grafana
• Published: Jun 05, 2024
• Modified: Jul 09, 2024
• Unreviewed

Grafana Plugin signature bypass in github.com/grafana/grafana. NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions. (If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.) The additional affected modules and versions are: github.com/grafana/grafana from v7.0.0 before v8.5.14, from v9.0.0 before v9.1.8.

• CVE-2022-36062, GHSA-p978-56hq-r492
• Affects: github.com/grafana/grafana
• Published: Jun 05, 2024
• Modified: Jul 09, 2024
• Unreviewed

Grafana folders admin only permission privilege escalation in github.com/grafana/grafana. NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions. (If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.) The additional affected modules and versions are: github.com/grafana/grafana from v8.5.0 before v8.5.13, from v9.0.0 before v9.0.9, from v9.1.0 before v9.1.6.

• CVE-2024-35175, GHSA-4w53-6jvp-gg52
• Affects: github.com/tg123/sshpiper
• Published: Jun 04, 2024
• Unreviewed

sshpiper's enabling of proxy protocol without proper feature flagging allows faking source address in github.com/tg123/sshpiper

• CVE-2022-31107, GHSA-mx47-6497-3fv2
• Affects: github.com/grafana/grafana
• Published: Jun 05, 2024
• Modified: Jul 09, 2024
• Unreviewed

Grafana account takeover via OAuth vulnerability in github.com/grafana/grafana. NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions. (If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.) The additional affected modules and versions are: github.com/grafana/grafana from v5.3.0 before v8.3.10, from v8.4.0 before v8.4.10, from v8.5.0 before v8.5.9, from v9.0.0 before v9.0.3.

• CVE-2022-31130, GHSA-jv32-5578-pxjc
• Affects: github.com/grafana/grafana
• Published: Jun 05, 2024
• Modified: Jul 09, 2024
• Unreviewed

Grafana Data source and plugin proxy endpoints leaking authentication tokens to some destination plugins in github.com/grafana/grafana. NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions. (If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.) The additional affected modules and versions are: github.com/grafana/grafana from v7.0.0 before v8.5.14, from v9.0.0 before v9.1.8.

• CVE-2021-32026, GHSA-jj54-5q2m-q7pj
• Affects: github.com/nats-io/nats-server, github.com/nats-io/nats-server/v2
• Published: Jun 05, 2024
• Modified: Jun 28, 2024
• Unreviewed

NATS server TLS missing ciphersuite settings when CLI flags used in github.com/nats-io/nats-server

• CVE-2020-26312, GHSA-hf54-fq2m-p9v6
• Affects: github.com/dotmesh-io/dotmesh
• Published: Jun 05, 2024
• Unreviewed

dotmesh arbitrary file read and/or write in github.com/dotmesh-io/dotmesh

• CVE-2022-39229, GHSA-gj7m-853r-289r
• Affects: github.com/grafana/grafana
• Published: Jun 05, 2024
• Modified: Jul 09, 2024
• Unreviewed

Grafana when using email as a username can block other users from signing in in github.com/grafana/grafana. NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions. (If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.) The additional affected modules and versions are: github.com/grafana/grafana before v8.5.14, from v9.0.0 before v9.1.8.

• CVE-2022-35957, GHSA-ff5c-938w-8c9q
• Affects: github.com/grafana/grafana
• Published: Jun 05, 2024
• Modified: Jul 09, 2024
• Unreviewed

Grafana Escalation from admin to server admin when auth proxy is used in github.com/grafana/grafana. NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions. (If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.) The additional affected modules and versions are: github.com/grafana/grafana before v8.5.13, from v9.0.0 before v9.0.9, from v9.1.0 before v9.1.6.

• GHSA-c9cp-9c75-9v8c
• Affects: github.com/containerd/containerd
• Published: Jun 04, 2024
• Modified: Jul 01, 2024

Containers started with non-empty inheritable Linux process capabilities in github.com/containerd/containerd

• CVE-2022-39307, GHSA-3p62-42x7-gxg5
• Affects: github.com/grafana/grafana
• Published: Jun 05, 2024
• Modified: Jul 09, 2024
• Unreviewed

Grafana User enumeration via forget password in github.com/grafana/grafana. NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions. (If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.) The additional affected modules and versions are: github.com/grafana/grafana before v8.5.15, from v9.0.0 before v9.2.4.

• CVE-2022-39306, GHSA-2x6g-h2hg-rq84
• Affects: github.com/grafana/grafana
• Published: Jun 05, 2024
• Modified: Jul 09, 2024
• Unreviewed

Grafana Email addresses and usernames can not be trusted in github.com/grafana/grafana. NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions. (If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.) The additional affected modules and versions are: github.com/grafana/grafana from v8.0.0 before v8.5.15, from v9.0.0 before v9.2.4.

• CVE-2024-3727, GHSA-6wvf-f2vw-3425
• Affects: github.com/containers/image/v5
• Published: May 20, 2024
• Modified: Jan 30, 2025

An attacker may trigger unexpected authenticated registry accesses on behalf of a victim user, causing resource exhaustion, local path traversal, and other attacks.

• CVE-2024-34713, GHSA-jmqp-37m5-49wh
• Affects: github.com/cea-hpc/sshproxy
• Published: Jun 04, 2024
• Unreviewed

sshproxy vulnerable to SSH option injection in github.com/cea-hpc/sshproxy

• CVE-2024-34079, GHSA-75r6-6jg8-pfcq
• Affects: github.com/octo-sts/app
• Published: May 13, 2024
• Modified: Jul 02, 2024

Excessively large requests can be processed, consuming a large amount of resources. This could potentially lead to a denial of service.

• CVE-2024-34360, GHSA-jcqq-g64v-gcm7
• Affects: github.com/spacemeshos/api/release/go, github.com/spacemeshos/go-spacemesh
• Published: May 14, 2024
• Modified: May 20, 2024

Nodes can publish ATXs which reference the incorrect previous ATX of the Smesher that created the ATX. ATXs are expected to form a single chain from the newest to the first ATX ever published by an identity. Allowing Smeshers to reference an earlier (but not the latest) ATX as previous breaks this protocol rule.

• CVE-2024-34352, GHSA-f8ch-w75v-c847
• Affects: github.com/1Panel-dev/1Panel
• Published: May 14, 2024
• Modified: May 20, 2024

A maliciously crafted packet can write to an arbitrary file.

• CVE-2024-32886, GHSA-649x-hxfx-57j2
• Affects: vitess.io/vitess
• Published: May 10, 2024
• Modified: Jul 09, 2024

When executing a query, the vtgate will go into an endless loop that also keeps consuming memory and eventually will OOM. This causes a denial of service.

• CVE-2024-24787
• Affects: cmd/go
• Published: May 08, 2024
• Modified: May 20, 2024

On Darwin, building a Go module which contains CGO can trigger arbitrary code execution when using the Apple version of ld, due to usage of the -lto_library flag in a "#cgo LDFLAGS" directive.

• CVE-2024-24788
• Affects: net
• Published: May 07, 2024
• Modified: May 20, 2024

A malformed DNS message in response to a query can cause the Lookup functions to get stuck in an infinite loop.

• CVE-2024-30850, CVE-2024-33434, and 2 more
• Affects: github.com/tiagorlampert/CHAOS
• Published: May 09, 2024
• Modified: May 20, 2024

A remote attacker can execute arbitrary commands via crafted HTTP requests.

• CVE-2024-34084, GHSA-9c5w-9q3f-3hv7
• Affects: github.com/stacklok/minder
• Published: May 10, 2024
• Modified: May 20, 2024

HandleGithubWebhook is susceptible to a denial of service attack from an untrusted HTTP request. An untrusted request can cause the server to allocate large amounts of memory resulting in a denial of service.

• CVE-2024-32972, GHSA-4xc9-8hmq-j652
• Affects: github.com/ethereum/go-ethereum
• Published: May 08, 2024
• Modified: May 20, 2024

A vulnerable node can be made to consume very large amounts of memory when handling specially crafted p2p messages sent from an attacker node. This can result in a denial of service as the node runs out of memory.

• CVE-2024-34478, GHSA-3jgf-r68h-xfqm
• Affects: github.com/btcsuite/btcd
• Published: May 08, 2024
• Modified: May 20, 2024

Incorrect implementation of the consensus rules outlined in BIP 68 and BIP 112 making btcd susceptible to consensus failures. Specifically, it uses the transaction version as a signed integer when it is supposed to be treated as unsigned. There can be a chain split and loss of funds.

• CVE-2024-33396, GHSA-wccg-v638-j9q2
• Affects: github.com/karmada-io/karmada
• Published: Jun 05, 2024
• Unreviewed

karmada vulnerable to arbitrary code execution via a crafted command in github.com/karmada-io/karmada

• CVE-2024-33394, GHSA-4q63-mr2m-57hf
• Affects: kubevirt.io/kubevirt
• Published: Jun 05, 2024
• Unreviewed

kubevirt allows a local attacker to execute arbitrary code via a crafted command in kubevirt.io/kubevirt

• CVE-2024-34068, GHSA-qq22-jj8x-4wwv
• Affects: github.com/pterodactyl/wings
• Published: Jun 10, 2024
• Modified: Aug 19, 2024
• Unreviewed

Pterodactyl Wings vulnerable to Server-Side Request Forgery during remote file pull in github.com/pterodactyl/wings

• CVE-2024-34066, GHSA-gqmf-jqgv-v8fw
• Affects: github.com/pterodactyl/wings
• Published: Jun 04, 2024
• Unreviewed

Pterodactyl Wings vulnerable to Arbitrary File Write/Read in github.com/pterodactyl/wings

• GHSA-vhxv-fg4m-p2w8
• Affects: github.com/jub0bs/cors
• Published: May 21, 2024

Some CORS middleware (more specifically those created by specifying two or more origin patterns whose hosts share a proper suffix) incorrectly allow some untrusted origins, thereby opening the door to cross-origin attacks from the untrusted origins in question. For example, specifying origin patterns "https://foo.com" and "https://bar.com" (in that order) would yield a middleware that would incorrectly allow untrusted origin "https://barfoo.com".

• GHSA-v84h-653v-4pq9
• Affects: github.com/jub0bs/fcors
• Published: May 21, 2024

Some CORS middleware (more specifically those created by specifying two or more origin patterns whose hosts share a proper suffix) incorrectly allow some untrusted origins, thereby opening the door to cross-origin attacks from the untrusted origins in question. For example, specifying origin patterns "https://foo.com" and "https://bar.com" (in that order) would yield a middleware that would incorrectly allow untrusted origin "https://barfoo.com".

• CVE-2024-33398, GHSA-6fg2-hvj9-832f
• Affects: github.com/piraeusdatastore/piraeus-operator, github.com/piraeusdatastore/piraeus-operator/v2
• Published: Jun 05, 2024
• Modified: Jun 28, 2024
• Unreviewed

piraeus-operator allows attacker to impersonate service account in github.com/piraeusdatastore/piraeus-operator

• CVE-2024-32359
• Affects: github.com/carina-io/carina
• Published: Jun 05, 2024
• Unreviewed

CVE-2024-32359 in github.com/carina-io/carina

• CVE-2024-4128
• Affects: github.com/firebase/firebase-tools
• Published: Jun 05, 2024
• Unreviewed

CSRF in firebase-tools emulator suite in github.com/firebase/firebase-tools

• CVE-2024-32967, GHSA-q5qj-x2h5-3945
• Affects: github.com/zitadel/zitadel
• Published: Jun 05, 2024
• Modified: Jul 09, 2024
• Unreviewed

Zitadel exposing internal database user name and host information in github.com/zitadel/zitadel. NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions. (If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.) The additional affected modules and versions are: github.com/zitadel/zitadel before v2.45.7, from v2.47.0 before v2.47.10, from v2.48.0 before v2.48.5, from v2.49.0 before v2.49.5, from v2.50.0 before v2.50.3.

• CVE-2024-32963, GHSA-4jrx-5w4h-3gpm
• Affects: github.com/navidrome/navidrome
• Published: Jun 04, 2024
• Unreviewed

Navidrome Parameter Tampering vulnerability in github.com/navidrome/navidrome

• CVE-2024-33522, GHSA-6362-gv4m-53ww
• Affects: github.com/projectcalico/calico, github.com/projectcalico/calico/v3
• Published: Jun 10, 2024
• Modified: Aug 19, 2024
• Unreviewed

Calico privilege escalation vulnerability in github.com/projectcalico/calico. NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions. (If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.) The additional affected modules and versions are: github.com/projectcalico/calico/v3 before v3.26.5, from v3.27.0 before v3.27.3.

• CVE-2024-3817, GHSA-q64h-39hv-4cf7
• Affects: github.com/hashicorp/go-getter
• Published: May 10, 2024
• Modified: May 20, 2024

When go-getter is performing a Git operation, go-getter will try to clone the given repository. If a Git reference is not passed along with the Git url, go-getter will then try to check the remote repository's HEAD reference of its default branch by passing arguments to the Git binary on the host it is executing on. An attacker may format a Git URL in order to inject additional Git arguments to the Git call.

• CVE-2024-32883
• Affects: github.com/mcu-tools/mcuboot
• Published: Jun 05, 2024
• Unreviewed

MCUboot Injection attack of unprotected TLV values in github.com/mcu-tools/mcuboot

• CVE-2024-4183, GHSA-wj37-mpq9-xrcm
• Affects: github.com/mattermost/mattermost-server
• Published: Jun 05, 2024
• Unreviewed

Mattermost fails to limit the number of active sessions in github.com/mattermost/mattermost-server

• CVE-2024-32046, GHSA-vx97-8q8q-qgq5
• Affects: github.com/mattermost/mattermost-server
• Published: Jun 05, 2024
• Unreviewed

Mattermost's detailed error messages reveal the full file path in github.com/mattermost/mattermost-server

• CVE-2024-22091, GHSA-p2wq-4ggp-45f3
• Affects: github.com/mattermost/mattermost-server
• Published: Jun 05, 2024
• Unreviewed

Mattermost fails to limit the size of a request path in github.com/mattermost/mattermost-server

• CVE-2024-4182, GHSA-8f99-g2pj-x8w3
• Affects: github.com/mattermost/mattermost-server
• Published: Jun 05, 2024
• Unreviewed

Mattermost crashes web clients via a malformed custom status in github.com/mattermost/mattermost-server

• CVE-2024-4198, GHSA-5qx9-9ffj-5r8f
• Affects: github.com/mattermost/mattermost-server
• Published: Jun 05, 2024
• Unreviewed

Mattermost fails to fully validate role changes in github.com/mattermost/mattermost-server

• CVE-2024-4195, GHSA-5fh7-7mw7-mmx5
• Affects: github.com/mattermost/mattermost-server
• Published: Jun 05, 2024
• Unreviewed

Mattermost allows team admins to promote guests to team admins in github.com/mattermost/mattermost-server

• CVE-2024-32476, GHSA-9m6p-x4h2-6frq
• Affects: github.com/argoproj/argo-cd, github.com/argoproj/argo-cd/v2
• Published: Jun 04, 2024
• Modified: Jun 28, 2024
• Unreviewed

Argo CD vulnerable to a Denial of Service via malicious jqPathExpressions in ignoreDifferences in github.com/argoproj/argo-cd

• CVE-2024-3154, GHSA-2cgq-h8xw-2v5j
• Affects: github.com/cri-o/cri-o
• Published: Jun 04, 2024
• Unreviewed

CRI-O vulnerable to an arbitrary systemd property injection in github.com/cri-o/cri-o

• CVE-2024-1139, GHSA-x5m7-63c6-fx79
• Affects: github.com/openshift/cluster-monitoring-operator
• Published: Jun 05, 2024
• Unreviewed

Cluster Monitoring Operator contains a credentials leak in github.com/openshift/cluster-monitoring-operator

• CVE-2024-32868, GHSA-7j7j-66cv-m239
• Affects: github.com/zitadel/zitadel
• Published: Jun 05, 2024
• Modified: Jul 09, 2024
• Unreviewed

ZITADEL's Improper Lockout Mechanism Leads to MFA Bypass in github.com/zitadel/zitadel. NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions. (If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.) The additional affected modules and versions are: github.com/zitadel/zitadel before v2.50.0.

• CVE-2024-0874, GHSA-m9w6-wp3h-vq8g
• Affects: github.com/coredns/coredns
• Published: Jun 04, 2024
• Modified: Jul 01, 2024

A flaw was found in coredns. This issue could lead to invalid cache entries returning due to incorrectly implemented caching.

• CVE-2019-11202, GHSA-xh8x-j8h3-m5ph
• Affects: github.com/rancher/rancher
• Published: Jun 10, 2024
• Modified: Aug 21, 2024
• Unreviewed

Rancher Recreates Default User With Known Password Despite Deletion in github.com/rancher/rancher

• CVE-2022-3800, GHSA-rwcf-gq22-ph83
• Affects: github.com/IBAX-io/go-ibax
• Published: Jun 05, 2024
• Unreviewed

IBAX go-ibax vulnerable to SQL injection in github.com/IBAX-io/go-ibax

• CVE-2019-11245, GHSA-r76g-g87f-vw8f
• Affects: k8s.io/kubernetes
• Published: Jun 10, 2024
• Unreviewed

Kubelet Incorrect Privilege Assignment in k8s.io/kubernetes

• CVE-2020-10937, GHSA-r23h-3jmw-q7hr
• Affects: github.com/ipfs/go-ipfs
• Published: Jun 04, 2024
• Unreviewed

Access Restriction Bypass in go-ipfs in github.com/ipfs/go-ipfs

• CVE-2021-31999, GHSA-pvxj-25m6-7vqr
• Affects: github.com/rancher/rancher
• Published: Jun 10, 2024
• Modified: Jul 09, 2024
• Unreviewed

Rancher Privilege escalation vulnerability via malicious "Connection" header in github.com/rancher/rancher. NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions. (If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.) The additional affected modules and versions are: github.com/rancher/rancher before v2.4.16, from v2.5.0 before v2.5.9.

• CVE-2022-3798, GHSA-mgqh-3qm7-gx82
• Affects: github.com/IBAX-io/go-ibax
• Published: Jun 05, 2024
• Unreviewed

IBAX go-ibax vulnerable to SQL injection in github.com/IBAX-io/go-ibax

• CVE-2021-43350, GHSA-mg2c-rc36-p594
• Affects: github.com/apache/trafficcontrol
• Published: Jun 10, 2024
• Unreviewed

Apache Traffic Control Traffic Ops Vulnerable to LDAP Injection in github.com/apache/trafficcontrol

• CVE-2022-3801, GHSA-m738-584h-26p6
• Affects: github.com/IBAX-io/go-ibax
• Published: Jun 05, 2024
• Unreviewed

IBAX go-ibax vulnerable to SQL injection in github.com/IBAX-io/go-ibax

• CVE-2021-36776, GHSA-gvh9-xgrq-r8hw
• Affects: github.com/rancher/rancher
• Published: Jun 05, 2024
• Modified: Jul 09, 2024
• Unreviewed

Rancher's Steve API Component Improper authorization check allows privilege escalation in github.com/rancher/rancher. NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions. (If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.) The additional affected modules and versions are: github.com/rancher/rancher from v2.5.0 before v2.5.10.

• CVE-2022-3802, GHSA-g23g-mw97-65c8
• Affects: github.com/IBAX-io/go-ibax
• Published: Jun 05, 2024
• Unreviewed

IBAX go-ibax vulnerable to SQL injection in github.com/IBAX-io/go-ibax

• CVE-2022-38183, GHSA-fhv8-m4j4-cww2
• Affects: code.gitea.io/gitea
• Published: Jun 10, 2024
• Modified: Aug 19, 2024
• Unreviewed

Gitea allowed assignment of private issues in code.gitea.io/gitea

• CVE-2021-25318, GHSA-f9xf-jq4j-vqw4
• Affects: github.com/rancher/rancher
• Published: Jun 10, 2024
• Modified: Jul 09, 2024
• Unreviewed

Rancher does not properly specify ApiGroup when creating Kubernetes RBAC resources in github.com/rancher/rancher. NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions. (If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.) The additional affected modules and versions are: github.com/rancher/rancher before v2.4.16, from v2.5.0 before v2.5.9.

• CVE-2020-14370, GHSA-c3wv-qmjj-45r6
• Affects: github.com/containers/libpod, github.com/containers/libpod/v2
• Published: Jun 04, 2024
• Modified: Jun 28, 2024
• Unreviewed

Information disclosure in podman in github.com/containers/libpod

• CVE-2020-1701, GHSA-849r-8wvp-4wwg
• Affects: kubevirt.io/kubevirt
• Published: Jun 04, 2024
• Unreviewed

Permissions bypass in KubeVirt in kubevirt.io/kubevirt

• CVE-2019-6287, GHSA-6r7x-4q7g-h83j
• Affects: github.com/rancher/rancher
• Published: Jun 05, 2024
• Unreviewed

Rancher Project Members Have Continued Access to Namespaces After Being Removed From Them in github.com/rancher/rancher

• CVE-2017-15103, GHSA-6g56-v9qg-jp92
• Affects: github.com/heketi/heketi
• Published: Jun 04, 2024
• Unreviewed

Heketi Arbitrary Code Execution in github.com/heketi/heketi

• CVE-2019-12303, GHSA-53pj-67m4-9w98
• Affects: github.com/rancher/rancher
• Published: Jun 05, 2024
• Unreviewed

Rancher code injection via fluentd config commands in github.com/rancher/rancher

• CVE-2019-11881, GHSA-2p4g-jrmx-r34m
• Affects: github.com/rancher/rancher
• Published: Jun 05, 2024
• Unreviewed

Rancher Login Parameter Can Be Edited in github.com/rancher/rancher

• CVE-2021-36775, GHSA-28g7-896h-695v
• Affects: github.com/rancher/rancher
• Published: Jun 05, 2024
• Modified: Jul 09, 2024
• Unreviewed

Rancher's Failure to delete orphaned role bindings does not revoke project level access from group based authentication in github.com/rancher/rancher. NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions. (If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.) The additional affected modules and versions are: github.com/rancher/rancher before v2.4.18, from v2.5.0 before v2.5.12, from v2.6.0 before v2.6.3.

• CVE-2022-3799, GHSA-fcgf-j8cf-h2rm
• Affects: github.com/IBAX-io/go-ibax
• Published: Jun 05, 2024
• Unreviewed

IBAX go-ibax vulnerable to SQL injection in github.com/IBAX-io/go-ibax

• CVE-2021-3382, GHSA-9f8c-pfvv-p4gm
• Affects: code.gitea.io/gitea
• Published: Jun 04, 2024
• Unreviewed

Buffer Overflow in gitea in code.gitea.io/gitea

• CVE-2020-14316, GHSA-828r-r2c8-rfw3
• Affects: kubevirt.io/kubevirt
• Published: Jun 04, 2024
• Unreviewed

Privilege Escalation in kubevirt in kubevirt.io/kubevirt

• CVE-2020-8563, GHSA-5xfg-wv98-264m
• Affects: k8s.io/kubernetes
• Published: Jun 05, 2024
• Unreviewed

Sensitive Information leak via Log File in Kubernetes in k8s.io/kubernetes

• CVE-2020-8566, GHSA-5x96-j797-5qqw
• Affects: k8s.io/kubernetes
• Published: Jun 04, 2024
• Unreviewed

Sensitive Information leak via Log File in Kubernetes in k8s.io/kubernetes

• CVE-2020-8557, GHSA-55qj-gj3x-jq9r
• Affects: k8s.io/kubernetes
• Published: Jun 10, 2024
• Unreviewed

Denial of service in Kubernetes in k8s.io/kubernetes

• CVE-2022-1058, GHSA-4rqq-rxvc-v2rc
• Affects: code.gitea.io/gitea
• Published: Jun 04, 2024
• Unreviewed

Gitea Open Redirect in code.gitea.io/gitea

• CVE-2020-8567, GHSA-2v35-wj4r-rcmv
• Affects: github.com/Azure/secrets-store-csi-driver-provider-azure, github.com/GoogleCloudPlatform/secrets-store-csi-driver-provider-gcp, and 1 more
• Published: Jun 05, 2024
• Modified: Sep 06, 2024
• Unreviewed

Kubernetes Secrets Store CSI Driver plugins arbitrary file write in github.com/Azure/secrets-store-csi-driver-provider-azure. NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions. (If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.) The additional affected modules and versions are: github.com/Azure/secrets-store-csi-driver-provider-azure before v0.0.10; github.com/hashicorp/vault-csi-provider before v0.0.6.

• CVE-2020-8559, GHSA-33c5-9fx5-fvjm
• Affects: k8s.io/apimachinery, k8s.io/kubernetes
• Published: May 20, 2024

The Kubernetes kube-apiserver is vulnerable to an unvalidated redirect on proxied upgrade requests that could allow an attacker to escalate privileges from a node compromise to a full cluster compromise.

• CVE-2024-32875, GHSA-ppf8-hhpp-f5hj
• Affects: github.com/gohugoio/hugo
• Published: Jun 04, 2024
• Modified: Jul 19, 2024

Hugo Markdown titles are not escaped in internal render hooks in github.com/gohugoio/hugo

• CVE-2024-3177, GHSA-pxhw-596r-rwq5
• Affects: k8s.io/kubernetes
• Published: Jun 04, 2024
• Modified: Jul 01, 2024

Kubernetes allows bypassing mountable secrets policy imposed by the ServiceAccount admission plugin in k8s.io/kubernetes

• GHSA-x883-2vmg-xwf7
• Affects: github.com/authelia/authelia/v4
• Published: Apr 26, 2024
• Modified: May 20, 2024

If the file authentication backend is being used, the ewatch option is set to true, the refresh interval is configured to a non-disabled value, and an administrator changes a user's groups, then that user may be able to access resources that their previous groups had access to.

• CVE-2024-29217, GHSA-cvqr-mwh6-2vc6
• Affects: github.com/apache/incubator-answer
• Published: Apr 26, 2024
• Modified: May 20, 2024

XSS vulnerability via personal website in github.com/apache/incubator-answer

• CVE-2024-31450, GHSA-9355-27m8-h74v
• Affects: github.com/owncast/owncast
• Published: Jun 04, 2024
• Modified: Aug 19, 2024
• Unreviewed

Owncast Path Traversal vulnerability in github.com/owncast/owncast

• CVE-2024-32473, GHSA-x84c-p2g9-rqv9
• Affects: github.com/docker/docker
• Published: Jun 05, 2024
• Unreviewed

IPv6 enabled on IPv4-only network interfaces in github.com/docker/docker

• CVE-2024-30257, GHSA-6m9h-2pr2-9j8f
• Affects: github.com/1Panel-dev/1Panel
• Published: Jun 05, 2024
• Modified: Jul 09, 2024
• Unreviewed

1Panel's password verification is suspected to have a timing attack vulnerability in github.com/1Panel-dev/1Panel. NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions. (If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.) The additional affected modules and versions are: github.com/1Panel-dev/1Panel before v1.10.3.

• GHSA-v6rw-hhgg-wc4x
• Affects: github.com/evmos/evmos, github.com/evmos/evmos/v2, and 10 more
• Published: Jun 05, 2024
• Modified: Jun 28, 2024
• Unreviewed

Evmos vulnerable to DOS and transaction fee expropriation through Authz exploit in github.com/evmos/evmos

• GHSA-m99c-q26r-m7m7
• Affects: github.com/evmos/evmos, github.com/evmos/evmos/v2, and 11 more
• Published: Jun 10, 2024
• Modified: Jun 28, 2024
• Unreviewed

Evmos vulnerable to unauthorized account creation with vesting module in github.com/evmos/evmos

• Affects: github.com/gorilla/sessions
• Published: Apr 17, 2024
• Modified: May 20, 2024
• Withdrawn: Apr 17, 2024

(withdrawn)

• CVE-2024-31452, GHSA-8cph-m685-6v6r
• Affects: github.com/openfga/openfga
• Published: Jun 04, 2024
• Unreviewed

OpenFGA Authorization Bypass in github.com/openfga/openfga

• CVE-2024-31990, GHSA-2gvw-w6fj-7m3c
• Affects: github.com/argoproj/argo-cd, github.com/argoproj/argo-cd/v2
• Published: Jun 04, 2024
• Modified: Jun 28, 2024
• Unreviewed

Argo CD's API server does not enforce project sourceNamespaces in github.com/argoproj/argo-cd

• GHSA-g8fc-vrcg-8vjg
• Affects: github.com/edgelesssys/constellation, github.com/edgelesssys/constellation/v2
• Published: Jun 04, 2024
• Modified: Jun 28, 2024
• Unreviewed

Constellation has pods exposed to peers in VPC in github.com/edgelesssys/constellation

• GHSA-7f4j-64p6-5h5v
• Affects: github.com/traefik/traefik, github.com/traefik/traefik/v2, and 1 more
• Published: Jun 05, 2024
• Modified: Jun 28, 2024
• Unreviewed

Traefik affected by HTTP/2 CONTINUATION flood in net/http in github.com/traefik/traefik

• CVE-2024-31391, GHSA-g9qx-25vj-rf53
• Affects: github.com/apache/solr-operator
• Published: Jun 04, 2024
• Unreviewed

Apache Solr Operator liveness and readiness probes may leak basic auth credentials in github.com/apache/solr-operator

• CVE-2024-28869, GHSA-4vwx-54mw-vqfw
• Affects: github.com/traefik/traefik, github.com/traefik/traefik/v2, and 1 more
• Published: Jun 05, 2024
• Unreviewed

Traefik vulnerable to denial of service with Content-length header in github.com/traefik/traefik

• CVE-2024-31839, GHSA-c5rv-hjjc-jv7m
• Affects: github.com/tiagorlampert/CHAOS
• Published: May 09, 2024
• Modified: May 20, 2024

A malicious actor may be able to extract a JWT token via malicious "/command" request. This is a form of cross site scripting (XSS).

• CVE-2024-29903, GHSA-95pr-fxf5-86gv
• Affects: github.com/sigstore/cosign, github.com/sigstore/cosign/v2
• Published: Jun 05, 2024
• Unreviewed

Cosign malicious artifacts can cause machine-wide DoS in github.com/sigstore/cosign

• CVE-2024-29902, GHSA-88jx-383q-w4qc
• Affects: github.com/sigstore/cosign, github.com/sigstore/cosign/v2
• Published: Jun 05, 2024
• Unreviewed

Cosign malicious attachments can cause system-wide denial of service in github.com/sigstore/cosign

• CVE-2024-2029, GHSA-wx43-g55g-2jf4
• Affects: github.com/go-skynet/LocalAI
• Published: Jun 05, 2024
• Modified: Jul 09, 2024
• Unreviewed

LocalAI Command Injection in audioToWav in github.com/go-skynet/LocalAI. NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions. (If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.) The additional affected modules and versions are: github.com/go-skynet/LocalAI before v2.10.0.

• CVE-2024-32001, GHSA-j85q-46hg-36p2
• Affects: github.com/authzed/spicedb
• Published: Jun 04, 2024
• Unreviewed

SpiceDB: LookupSubjects may return partial results if a specific kind of relation is used in github.com/authzed/spicedb

• CVE-2024-32644, GHSA-3fp5-2xwh-fxm6
• Affects: github.com/evmos/evmos, github.com/evmos/evmos/v2, and 20 more
• Published: Jun 05, 2024
• Modified: Jun 28, 2024
• Unreviewed

Evmos transaction execution not accounting for all state transition after interaction with precompiles in github.com/evmos/evmos

• CVE-2024-21848, GHSA-xp9j-8p68-9q93
• Affects: github.com/mattermost/mattermost-server, github.com/mattermost/mattermost-server/v5, and 2 more
• Published: Jun 05, 2024
• Modified: Jul 09, 2024
• Unreviewed

Mattermost Server Improper Access Control in github.com/mattermost/mattermost-server. NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions. (If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.) The additional affected modules and versions are: github.com/mattermost/mattermost/server/v8 before v8.1.11.

• CVE-2024-29221, GHSA-w67v-ph4x-f48q
• Affects: github.com/mattermost/mattermost-server, github.com/mattermost/mattermost-server/v5, and 2 more
• Published: Jun 05, 2024
• Modified: Jul 09, 2024
• Unreviewed

Mattermost Server Improper Access Control in github.com/mattermost/mattermost-server. NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions. (If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.) The additional affected modules and versions are: github.com/mattermost/mattermost/server/v8 from v8.1.0 before v8.1.11.

• CVE-2024-3135, GHSA-jhvf-7c85-3c9g
• Affects: github.com/go-skynet/LocalAI
• Published: Jun 05, 2024
• Unreviewed

LocalAI cross-site request forgery vulnerability in github.com/go-skynet/LocalAI

• CVE-2023-3518, GHSA-9rhf-q362-77mx
• Affects: github.com/hashicorp/consul
• Published: Jun 04, 2024
• Unreviewed

Consul JWT Auth in L7 Intentions Allow for Mismatched Service Identity and JWT Providers in github.com/hashicorp/consul

• GHSA-j5vm-7qcc-2wwg
• Affects: github.com/kopia/kopia
• Published: Jun 04, 2024
• Unreviewed

Kopia: Storage connection credentials written to console on "repository status" CLI command with JSON output in github.com/kopia/kopia

• CVE-2024-31457, GHSA-gv3w-m57p-3wc4
• Affects: github.com/flipped-aurora/gin-vue-admin/server
• Published: May 20, 2024

Gin-vue-admin has a code injection vulnerability in the backend. In the Plugin System -> Plugin Template feature, an attacker can perform directory traversal by manipulating the 'plugName' parameter. They can create specific folders such as 'api', 'config', 'global', 'model', 'router', 'service', and 'main.go' function within the specified traversal directory. Moreover, the Go files within these folders can have arbitrary code inserted based on a specific PoC parameter.

• CVE-2024-31455, GHSA-ggp5-28x4-xcj9
• Affects: github.com/stacklok/minder
• Published: Jun 04, 2024
• Unreviewed

Minder GetRepositoryByName data leak in github.com/stacklok/minder

• CVE-2024-28224, GHSA-5jx5-hqx5-2vrj
• Affects: github.com/jmorganca/ollama
• Published: Jun 10, 2024
• Unreviewed

Ollama DNS rebinding vulnerability in github.com/jmorganca/ollama

• CVE-2024-0406, GHSA-rhh4-rh7c-7r5v
• Affects: github.com/mholt/archiver, github.com/mholt/archiver/v3
• Published: Jun 05, 2024
• Modified: Jul 01, 2024

A flaw was discovered in the mholt/archiver package. This flaw allows an attacker to create a specially crafted tar file, which, when unpacked, may allow access to restricted files or directories. This issue can allow the creation or overwriting of files with the user's or application's privileges using the library.

• CVE-2024-1313, GHSA-67rv-qpw2-6qrr
• Affects: github.com/grafana/grafana
• Published: Jun 05, 2024
• Modified: Jul 09, 2024
• Unreviewed

Grafana: Users outside an organization can delete a snapshot with its key in github.com/grafana/grafana. NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions. (If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.) The additional affected modules and versions are: github.com/grafana/grafana from v9.5.0 before v9.5.18, from v10.0.0 before v10.0.13, from v10.1.0 before v10.1.9, from v10.2.0 before v10.2.6, from v10.3.0 before v10.3.5.

• CVE-2024-2447, GHSA-wp43-vprh-c3w5
• Affects: github.com/mattermost/mattermost-server, github.com/mattermost/mattermost-server/v5, and 2 more
• Published: Jun 05, 2024
• Modified: Jul 09, 2024
• Unreviewed

Mattermost fails to authenticate the source of certain types of post actions in github.com/mattermost/mattermost-server. NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions. (If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.) The additional affected modules and versions are: github.com/mattermost/mattermost/server/v8 from v8.1.0 before v8.1.11.

• CVE-2024-28949, GHSA-mcw6-3256-64gg
• Affects: github.com/mattermost/mattermost-server, github.com/mattermost/mattermost-server/v5, and 2 more
• Published: Jun 05, 2024
• Modified: Jul 09, 2024
• Unreviewed

Mattermost Server doesn't limit the number of user preferences in github.com/mattermost/mattermost-server. NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions. (If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.) The additional affected modules and versions are: github.com/mattermost/mattermost/server/v8 from v8.1.0 before v8.1.11.

• GHSA-j496-crgh-34mx
• Affects: github.com/cosmos/ibc-go, github.com/cosmos/ibc-go/v2, and 6 more
• Published: May 20, 2024

Potential Reentrancy using Timeout Callbacks in ibc-hooks in github.com/cosmos/ibc-go

• CVE-2024-3250, GHSA-4685-2x5r-65pj
• Affects: github.com/canonical/pebble
• Published: Jun 04, 2024
• Unreviewed

Pebble service manager's file pull API allows access by any user in github.com/canonical/pebble

• CVE-2024-2660, GHSA-j2rp-gmqv-frhv
• Affects: github.com/hashicorp/vault
• Published: Jun 04, 2024
• Modified: Jun 28, 2024
• Unreviewed

HashiCorpVault does not correctly validate OCSP responses in github.com/hashicorp/vault

• CVE-2024-2689, GHSA-wmxc-v39r-p9wf
• Affects: go.temporal.io/server
• Published: Jun 04, 2024
• Unreviewed

Temporal Server Denial of Service in go.temporal.io/server

• CVE-2024-31420, GHSA-vjhf-6xfr-5p9g
• Affects: kubevirt.io/kubevirt
• Published: Jun 05, 2024
• Unreviewed

KubeVirt NULL pointer dereference flaw in kubevirt.io/kubevirt

• CVE-2023-45288, GHSA-4v7x-pqxf-cx7m
• Affects: net/http, golang.org/x/net
• Published: Apr 03, 2024
• Modified: May 20, 2024

An attacker may cause an HTTP/2 endpoint to read arbitrary amounts of header data by sending an excessive number of CONTINUATION frames. Maintaining HPACK state requires parsing and processing all HEADERS and CONTINUATION frames on a connection. When a request's headers exceed MaxHeaderBytes, no memory is allocated to store the excess headers, but they are still parsed. This permits an attacker to cause an HTTP/2 endpoint to read arbitrary amounts of header data, all associated with a request which is going to be rejected. These headers can include Huffman-encoded data which is significantly more expensive for the receiver to decode than for an attacker to send. The fix sets a limit on the amount of excess header frames we will process before closing a connection.

• CVE-2024-22780, GHSA-hwvw-gh23-qpvq
• Affects: github.com/ca17/teamsacs
• Published: Jun 10, 2024
• Unreviewed

CA17 TeamsACS Cross Site Scripting vulnerability in github.com/ca17/teamsacs

• CVE-2021-41803, GHSA-hr3v-8cp3-68rf
• Affects: github.com/hashicorp/consul
• Published: Apr 05, 2024
• Modified: May 20, 2024

HashiCorp Consul does not properly validate the node or segment names prior to interpolation and usage in JWT claim assertions with the auto config RPC.

• CVE-2024-22189, GHSA-c33x-xqrf-c478
• Affects: github.com/quic-go/quic-go
• Published: Apr 05, 2024
• Modified: May 20, 2024

An attacker can cause its peer to run out of memory by sending a large number of NEW_CONNECTION_ID frames that retire old connection IDs. The receiver is supposed to respond to each retirement frame with a RETIRE_CONNECTION_ID frame. The attacker can prevent the receiver from sending out (the vast majority of) these RETIRE_CONNECTION_ID frames by collapsing the peers congestion window (by selectively acknowledging received packets) and by manipulating the peer's RTT estimate.

• CVE-2024-2435, GHSA-8f25-w7qj-r7hc
• Affects: github.com/temporalio/ui-server, github.com/temporalio/ui-server/v2
• Published: Jun 04, 2024
• Modified: Jun 28, 2024
• Unreviewed

Temporal UI Server cross-site scripting vulnerability in github.com/temporalio/ui-server

• CVE-2023-3300, GHSA-v5fm-hr72-27hx
• Affects: github.com/hashicorp/nomad
• Published: Apr 04, 2024
• Modified: May 20, 2024

A vulnerability was identified in Nomad such that the search HTTP API can reveal names of available CSI plugins to unauthenticated users or users without the plugin:read policy. This vulnerability affects Nomad since 0.11.0 and was fixed in 1.4.11 and 1.5.7.

• CVE-2023-3072, GHSA-rpvr-38xv-xvxq
• Affects: github.com/hashicorp/nomad
• Published: Apr 04, 2024
• Modified: May 20, 2024

An ACL policy using a block without label can be applied to unexpected resources in Nomad, a distributed, highly available scheduler designed for effortless operations and management of applications.

• CVE-2023-3299, GHSA-9jfx-84v9-2rr2
• Affects: github.com/hashicorp/nomad
• Published: Apr 04, 2024
• Modified: May 20, 2024

A vulnerability exists in Nomad where the API caller's ACL token secret ID is exposed to Sentinel policies.

• CVE-2024-28232, GHSA-hcw2-2r9c-gc6p
• Affects: github.com/IceWhaleTech/CasaOS-UserService
• Published: Apr 02, 2024
• Modified: May 20, 2024

The Casa OS Login page has a username enumeration vulnerability in the login page that was patched in Casa OS v0.4.7. The issue exists because the application response differs depending on whether the username or password is incorrect, allowing an attacker to enumerate usernames by observing the application response. For example, if the username is incorrect, the application returns "User does not exist" with return code "10006", while if the password is incorrect, it returns "User does not exist or password is invalid" with return code "10013". This allows an attacker to determine if a username exists without knowing the password.

• CVE-2024-29893, GHSA-jhwx-mhww-rgc3
• Affects: github.com/argoproj/argo-cd/v2
• Published: Apr 16, 2024
• Modified: May 20, 2024

Out of memory crash from malicious Helm registry in github.com/argoproj/argo-cd/v2

• CVE-2024-28860, GHSA-pwqm-x5x6-5586
• Affects: github.com/cilium/cilium
• Published: Apr 16, 2024
• Modified: May 20, 2024

Insecure IPsec transparent encryption in github.com/cilium/cilium

• CVE-2024-29891, GHSA-hr5w-cwwq-2v4m
• Affects: github.com/zitadel/zitadel
• Published: Jun 05, 2024
• Modified: Jul 09, 2024
• Unreviewed

ZITADEL's Improper Content-Type Validation Leads to Account Takeover via Stored XSS + CSP Bypass in github.com/zitadel/zitadel. NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions. (If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.) The additional affected modules and versions are: github.com/zitadel/zitadel before v2.42.17, from v2.43.0 before v2.43.11, from v2.44.0 before v2.44.7, from v2.45.0 before v2.45.5, from v2.46.0 before v2.46.5, from v2.47.0 before v2.47.8, from v2.48.0 before v2.48.3.

• CVE-2024-29892, GHSA-gp8g-f42f-95q2
• Affects: github.com/zitadel/zitadel
• Published: Jun 05, 2024
• Modified: Jul 09, 2024
• Unreviewed

ZITADEL's actions can overload reserved claims in github.com/zitadel/zitadel. NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions. (If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.) The additional affected modules and versions are: github.com/zitadel/zitadel before v2.42.17, from v2.43.0 before v2.43.11, from v2.44.0 before v2.44.7, from v2.45.0 before v2.45.5, from v2.46.0 before v2.46.5, from v2.47.0 before v2.47.8, from v2.48.0 before v2.48.3.

• CVE-2019-19499, GHSA-4pwp-cx67-5cpx
• Affects: github.com/grafana/grafana
• Published: Mar 28, 2024
• Modified: Jul 09, 2024

An authenticated attacker that has privileges to modify the data source configurations can read arbitrary files.

• CVE-2024-1394, GHSA-78hx-gp6g-7mj6
• Affects: github.com/golang-fips/openssl/v2, github.com/microsoft/go-crypto-openssl
• Published: Mar 27, 2024
• Modified: May 20, 2024

Using crafted public RSA keys can cause a small memory leak when encrypting and verifying payloads. This can be gradually leveraged into a denial of service attack.

• CVE-2024-29018, GHSA-mq39-4gv4-mvpx
• Affects: github.com/docker/docker
• Published: Mar 22, 2024
• Modified: May 20, 2024

dockerd forwards DNS requests to the host loopback device, bypassing the container network namespace's normal routing semantics, networks marked as 'internal' can unexpectedly forward DNS requests to an external nameserver. By registering a domain for which they control the authoritative nameservers, an attacker could arrange for a compromised container to exfiltrate data by encoding it in DNS queries that will eventually be answered by their nameservers.

• CVE-2024-1753, GHSA-pmf3-c36m-g5cf
• Affects: github.com/containers/buildah
• Published: Mar 22, 2024
• Modified: May 20, 2024

A crafted container file can use a dummy image with a symbolic link to the host filesystem as a mount source and cause the mount operation to mount the host filesystem during a build-time RUN step. The commands inside the RUN step will then have read-write access to the host filesystem.

• CVE-2024-28250, GHSA-v6q2-4qr3-5cw6
• Affects: github.com/cilium/cilium
• Published: Mar 22, 2024
• Modified: May 20, 2024

In Cilium clusters with WireGuard enabled and traffic matching Layer 7 policies: traffic that should be WireGuard-encrypted is sent unencrypted between a node's Envoy proxy and pods on other nodes, and traffic that should be WireGuard-encrypted is sent unencrypted between a node's DNS proxy and pods on other nodes.

• CVE-2024-28249, GHSA-j89h-qrvr-xc36
• Affects: github.com/cilium/cilium
• Published: Mar 22, 2024
• Modified: May 20, 2024

In Cilium clusters with IPsec enabled and traffic matching Layer 7 policies, traffic that should be IPsec-encrypted between a node's Envoy proxy and pods on other nodes is sent unencrypted, and traffic that should be IPsec-encrypted between a node's DNS proxy and pods on other nodes is sent unencrypted.

• CVE-2024-28855, GHSA-hfrg-4jwr-jfpj
• Affects: github.com/zitadel/zitadel
• Published: Mar 27, 2024
• Modified: Jul 09, 2024

The Login UI did not sanitize input parameters. An attacker could create a malicious link, where injected code would be rendered as part of the login screen.

• CVE-2024-21661, GHSA-6v85-wr92-q4p7
• Affects: github.com/argoproj/argo-cd/v2
• Published: Mar 22, 2024
• Modified: May 20, 2024

Application may crash due to concurrent writes, leading to a denial of service. An attacker can crash the application continuously, making it impossible for legitimate users to access the service. Authentication is not required in the attack.

• CVE-2024-28248, GHSA-68mj-9pjq-mc85
• Affects: github.com/cilium/cilium
• Published: Mar 22, 2024
• Modified: May 20, 2024

Cilium's HTTP policies are not consistently applied to all traffic in the scope of the policies, leading to HTTP traffic being incorrectly and intermittently forwarded when it should be dropped.

• CVE-2024-21662, CVE-2024-21652, and 2 more
• Affects: github.com/argoproj/argo-cd/v2
• Published: Mar 22, 2024
• Modified: May 20, 2024

An attacker can effectively bypass the rate limit and brute force protections in Argo CD by exploiting the application's weak cache-based mechanism. The application's brute force protection relies on a cache mechanism that tracks login attempts for each user. An attacker can overflow this cache by bombarding it with login attempts for different users, thereby pushing out the admin account's failed attempts and effectively resetting the rate limit for that account.

• GHSA-v8mx-hp2q-gw85
• Affects: github.com/go-vela/sdk-go
• Published: Jun 05, 2024
• Unreviewed

Golang SDK for Vela Insecure Variable Substitution in github.com/go-vela/sdk-go

• GHSA-7v38-w32m-wx4m
• Affects: github.com/go-vela/types
• Published: Jun 04, 2024
• Unreviewed

Types for Vela Insecure Variable Substitution in github.com/go-vela/types

• GHSA-69p4-j5v5-x234
• Affects: github.com/go-vela/server
• Published: Jun 04, 2024
• Unreviewed

Server/API for Vela Insecure Variable Substitution in github.com/go-vela/server

• GHSA-4jhj-3gv3-c3gr
• Affects: github.com/go-vela/cli
• Published: Jun 04, 2024
• Unreviewed

CLI for Vela Insecure Variable Substitution in github.com/go-vela/cli

• CVE-2024-28175, GHSA-jwv5-8mqv-g387
• Affects: github.com/argoproj/argo-cd, github.com/argoproj/argo-cd/v2
• Published: Mar 22, 2024
• Modified: May 20, 2024

Due to the improper URL protocols filtering of links specified in the link.argocd.argoproj.io annotations in the application summary component, an attacker can achieve cross-site scripting with elevated permissions. A malicious user to inject a javascript: link in the UI. When clicked by a victim user, the script will execute with the victim's permissions (up to and including admin). This vulnerability allows an attacker to perform arbitrary actions on behalf of the victim via the API, such as creating, modifying, and deleting Kubernetes resources.

• CVE-2024-27920, GHSA-w5wx-6g2r-r78q
• Affects: github.com/projectdiscovery/nuclei, github.com/projectdiscovery/nuclei/v2, and 1 more
• Published: Jun 04, 2024
• Modified: Jun 28, 2024
• Unreviewed

Nuclei allows unsigned code template execution through workflows in github.com/projectdiscovery/nuclei

• CVE-2023-51699, GHSA-wx8q-4gm9-rj2g
• Affects: github.com/fluid-cloudnative/fluid
• Published: Jun 04, 2024
• Unreviewed

Fluid vulnerable to OS Command Injection for Fluid Users with JuicefsRuntime in github.com/fluid-cloudnative/fluid

• CVE-2023-50726, GHSA-g623-jcgg-mhmm
• Affects: github.com/argoproj/argo-cd, github.com/argoproj/argo-cd/v2
• Published: Mar 22, 2024
• Modified: May 20, 2024

An improper validation bug allows users who have create privileges to sync a local manifest during application creation. This allows for bypassing the restriction that the manifests come from some approved git/Helm/OCI source.

• CVE-2024-27102, GHSA-494h-9924-xww9
• Affects: github.com/pterodactyl/wings
• Published: Jun 04, 2024
• Unreviewed

Pterodactyl Wings vulnerable to improper isolation of server file access in github.com/pterodactyl/wings

• CVE-2024-28236, GHSA-pwx5-6wxg-px5h
• Affects: github.com/go-vela/worker
• Published: Jun 04, 2024
• Unreviewed

Insecure Variable Substitution in Vela in github.com/go-vela/worker

• GHSA-95rx-m9m5-m94v
• Affects: github.com/cosmos/cosmos-sdk
• Published: May 10, 2024
• Modified: May 20, 2024

The default ValidateVoteExtensions helper function infers total voting power based on the injected VoteExtension, which are injected by the proposer. If your chain utilizes the ValidateVoteExtensions helper in ProcessProposal, a dishonest proposer can potentially mutate voting power of each validator it includes in the injected VoteExtension, which could have potentially unexpected or negative consequences on modified state. Additional validation on injected VoteExtension data was added to confirm voting power against the state machine.

• CVE-2024-28197, GHSA-mq4x-r2w3-j7mr
• Affects: github.com/zitadel/zitadel
• Published: Jun 05, 2024
• Modified: Jul 09, 2024
• Unreviewed

Account Takeover via Session Fixation in Zitadel [Bypassing MFA] in github.com/zitadel/zitadel. NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions. (If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.) The additional affected modules and versions are: github.com/zitadel/zitadel before v2.44.3, from v2.45.0 before v2.45.1.

• CVE-2024-2352, GHSA-x2vg-5wrf-vj6v
• Affects: github.com/1Panel-dev/1Panel
• Published: Jun 04, 2024
• Unreviewed

1Panel is vulnerable to command injection in github.com/1Panel-dev/1Panel

• CVE-2024-1952, GHSA-r4fm-g65h-cr54
• Affects: github.com/mattermost/mattermost-server, github.com/mattermost/mattermost-server/v5, and 2 more
• Published: Jun 05, 2024
• Modified: Aug 19, 2024
• Unreviewed

Mattermost incorrectly allows access individual posts in github.com/mattermost/mattermost-server

• CVE-2024-28122, GHSA-hj3v-m684-v259
• Affects: github.com/lestrrat-go/jwx, github.com/lestrrat-go/jwx/v2
• Published: May 20, 2024

An attacker with a trusted public key may cause a Denial-of-Service (DoS) condition by crafting a malicious JSON Web Encryption (JWE) token with an exceptionally high compression ratio. When this token is processed by the recipient, it results in significant memory allocation and processing time during decompression.

• CVE-2024-28180, GHSA-c5q2-7r4c-mv6g
• Affects: github.com/go-jose/go-jose/v4, github.com/go-jose/go-jose/v3, and 2 more
• Published: Mar 15, 2024
• Modified: May 20, 2024

An attacker could send a JWE containing compressed data that used large amounts of memory and CPU when decompressed by Decrypt or DecryptMulti.

• CVE-2024-1442, GHSA-5mxf-42f5-j782
• Affects: github.com/grafana/grafana
• Published: Jun 05, 2024
• Modified: Jul 09, 2024
• Unreviewed

Grafana's users with permissions to create a data source can CRUD all data sources in github.com/grafana/grafana. NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions. (If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.) The additional affected modules and versions are: github.com/grafana/grafana from v8.5.0 before v9.5.7, from v10.0.0 before v10.0.12, from v10.1.0 before v10.1.8, from v10.2.0 before v10.2.5, from v10.3.0 before v10.3.4.

• CVE-2024-28110, GHSA-5pf6-2qwx-pxm2
• Affects: github.com/cloudevents/sdk-go/v2
• Published: Mar 11, 2024
• Modified: May 20, 2024

Using cloudevents.WithRoundTripper to create a cloudevents.Client with an authenticated http.RoundTripper causes the go-sdk to leak credentials to arbitrary endpoints. When the transport is populated with an authenticated transport, http.DefaultClient is modified with the authenticated transport and will start to send Authorization tokens to any endpoint it is used to contact.

• CVE-2024-2048, GHSA-r3w7-mfpm-c2vw
• Affects: github.com/hashicorp/vault
• Published: Mar 14, 2024
• Modified: May 20, 2024

The TLS certificate authentication method incorrectly validates client certificates when configured with a non-CA certificate as a trusted certificate. When configured this way, attackers may be able to craft a certificate that can be used to bypass authentication.

• CVE-2024-24765, GHSA-h5gf-cmm8-cg7c
• Affects: github.com/IceWhaleTech/CasaOS-UserService
• Published: Mar 11, 2024
• Modified: May 20, 2024

The UserService API contains a path traversal vulnerability that allows an attacker to obtain any file on the system, including the user database and system configuration. This can lead to privilege escalation and compromise of the system.

• CVE-2024-24766, GHSA-c967-2652-gfjm
• Affects: github.com/IceWhaleTech/CasaOS-UserService
• Published: Mar 14, 2024
• Modified: May 20, 2024

CasaOS-UserService is vulnerable to a username enumeration issue, when an attacker can enumerate the CasaOS username using the application response. If the username is incorrect, the application gives the error 'User does not exist'. If the password is incorrect, the application gives the error 'Invalid password'.

• CVE-2024-24767, GHSA-c69x-5xmw-v44x
• Affects: github.com/IceWhaleTech/CasaOS-UserService
• Published: Mar 18, 2024
• Modified: May 20, 2024

The CasaOS web application does not have protection against password brute force attacks. An attacker can use a password brute force attack to find and gain full access to the server. This vulnerability allows attackers to get super user-level access over the server.

• CVE-2024-27288, GHSA-26w3-q4j8-4xjp
• Affects: github.com/1Panel-dev/1Panel
• Published: Mar 14, 2024
• Modified: May 20, 2024

If the user attempts to access a secure entry point and intercepts with Burp, they can get access to the console page. This access does not return data nor allow modification operations.

• CVE-2024-2056
• Affects: github.com/gvalkov/tailon
• Published: Jun 10, 2024
• Unreviewed

Artica Proxy Loopback Services Remotely Accessible Unauthenticated in github.com/gvalkov/tailon

• CVE-2024-24786, GHSA-8r3f-844c-mc37
• Affects: google.golang.org/protobuf
• Published: Mar 05, 2024
• Modified: May 20, 2024

The protojson.Unmarshal function can enter an infinite loop when unmarshaling certain forms of invalid JSON. This condition can occur when unmarshaling into a message which contains a google.protobuf.Any value, or when the UnmarshalOptions.DiscardUnknown option is set.

• CVE-2024-24785
• Affects: html/template
• Published: Mar 05, 2024
• Modified: May 20, 2024

If errors returned from MarshalJSON methods contain user controlled data, they may be used to break the contextual auto-escaping behavior of the html/template package, allowing for subsequent actions to inject unexpected content into templates.

• CVE-2024-24784
• Affects: net/mail
• Published: Mar 05, 2024
• Modified: May 20, 2024

The ParseAddressList function incorrectly handles comments (text within parentheses) within display names. Since this is a misalignment with conforming address parsers, it can result in different trust decisions being made by programs using different parsers.

• CVE-2024-27916, GHSA-v627-69v2-xx37
• Affects: github.com/stacklok/minder
• Published: Mar 11, 2024
• Modified: May 20, 2024

A Minder user can use the endpoints to access any repository in the DB, irrespective of who owns the repo and any permissions that user may have. The DB query used checks by repo owner, repo name and provider name (which is always "github"). These query values are not distinct for the particular user, as long as the user has valid credentials and a provider, they can set the repo owner/name to any value they want and the server will return information on this repo. DeleteRepositoryByName uses the same query and a user can delete another user's repo using this technique. The GetArtifactByName endpoint also uses this DB query.

• CVE-2024-27304, GHSA-mrww-27vc-gghv, and 1 more
• Affects: github.com/jackc/pgproto3/v2, github.com/jackc/pgx, and 2 more
• Published: Mar 14, 2024
• Modified: Sep 13, 2024

An integer overflow in the calculated message size of a query or bind message could allow a single large message to be sent as multiple messages under the attacker's control. This could lead to SQL injection if an attacker can cause a single query or bind message to exceed 4 GB in size.

• CVE-2024-27289, GHSA-m7wr-2xf7-cm9p
• Affects: github.com/jackc/pgx, github.com/jackc/pgx/v4
• Published: Mar 11, 2024
• Modified: Sep 13, 2024

SQL injection is possible when the database uses the non-default simple protocol, a minus sign directly precedes a numeric placeholder followed by a string placeholder on the same line, and both parameter values are user-controlled.

• CVE-2024-27302, GHSA-fgxv-gw55-r5fq
• Affects: github.com/zeromicro/go-zero
• Published: Mar 11, 2024
• Modified: May 20, 2024

The CORS Filter feature in go-zero allows users to specify an array of domains allowed in the CORS policy. However, the isOriginAllowed function uses strings.HasSuffix to check the origin, which can lead to a bypass via a domain like "evil-victim.com". This vulnerability is capable of breaking CORS policy and thus allowing any page to make requests and retrieve data on behalf of other users.

• CVE-2024-27918, GHSA-7cc2-r658-7xpf
• Affects: github.com/coder/coder, github.com/coder/coder/v2
• Published: Mar 11, 2024
• Modified: May 20, 2024

A vulnerability in Coder's OIDC authentication could allow an attacker to bypass the CODER_OIDC_EMAIL_DOMAIN verification and create an account with an email not in the allowlist. Deployments are only affected if the OIDC provider allows users to create accounts on the provider (such as public providers like google.com). During OIDC registration, the user's email was improperly validated against the allowed CODER_OIDC_EMAIL_DOMAINs.

• CVE-2023-45289
• Affects: net/http, net/http/cookiejar
• Published: Mar 05, 2024
• Modified: May 20, 2024

When following an HTTP redirect to a domain which is not a subdomain match or exact match of the initial domain, an http.Client does not forward sensitive headers such as "Authorization" or "Cookie". For example, a redirect from foo.com to www.foo.com will forward the Authorization header, but a redirect to bar.com will not. A maliciously crafted HTTP redirect could cause sensitive headers to be unexpectedly forwarded.

• CVE-2023-45290
• Affects: net/textproto
• Published: Mar 05, 2024
• Modified: May 20, 2024

When parsing a multipart form (either explicitly with Request.ParseMultipartForm or implicitly with Request.FormValue, Request.PostFormValue, or Request.FormFile), limits on the total size of the parsed form were not applied to the memory consumed while reading a single form line. This permits a maliciously crafted input containing very long lines to cause allocation of arbitrarily large amounts of memory, potentially leading to memory exhaustion. With fix, the ParseMultipartForm function now correctly limits the maximum size of form lines.

• CVE-2024-24783
• Affects: crypto/x509
• Published: Mar 05, 2024
• Modified: May 20, 2024

Verifying a certificate chain which contains a certificate with an unknown public key algorithm will cause Certificate.Verify to panic. This affects all crypto/tls clients, and servers that set Config.ClientAuth to VerifyClientCertIfGiven or RequireAndVerifyClientCert. The default behavior is for TLS servers to not verify client certificates.

• CVE-2024-27101, GHSA-h3m7-rqc4-7h9p
• Affects: github.com/authzed/spicedb
• Published: Jun 04, 2024
• Unreviewed

Integer overflow in chunking helper causes dispatching to miss elements or panic in github.com/authzed/spicedb

• CVE-2024-23488, GHSA-xgxj-j98c-59rv
• Affects: github.com/mattermost/mattermost-server, github.com/mattermost/mattermost-server/v5, and 2 more
• Published: Jun 28, 2024
• Modified: Jul 09, 2024
• Unreviewed

Mattermost fails to properly restrict the access of files attached to posts in github.com/mattermost/mattermost-server. NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions. (If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.) The additional affected modules and versions are: github.com/mattermost/mattermost/server/v8 before v8.1.9.

• CVE-2024-1953, GHSA-vm9m-57jr-4pxh
• Affects: github.com/mattermost/mattermost-server, github.com/mattermost/mattermost-server/v5, and 2 more
• Published: Jun 28, 2024
• Modified: Jul 09, 2024
• Unreviewed

Mattermost fails to limit the number of role names in github.com/mattermost/mattermost-server. NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions. (If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.) The additional affected modules and versions are: github.com/mattermost/mattermost/server/v8 before v8.1.9.

• CVE-2024-1888, GHSA-pfw6-5rx3-xh3c
• Affects: github.com/mattermost/mattermost-server, github.com/mattermost/mattermost-server/v5, and 2 more
• Published: Jun 28, 2024
• Modified: Jul 09, 2024
• Unreviewed

Mattermost fails to check the "invite_guest" permission in github.com/mattermost/mattermost-server. NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions. (If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.) The additional affected modules and versions are: github.com/mattermost/mattermost/server/v8 before v8.1.9.

• CVE-2024-1942, GHSA-hwjf-4667-gqwx
• Affects: github.com/mattermost/mattermost-server, github.com/mattermost/mattermost-server/v5, and 2 more
• Published: Jun 28, 2024
• Modified: Jul 09, 2024
• Unreviewed

Mattermost allows attackers access to posts in channels they are not a member of in github.com/mattermost/mattermost-server. NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions. (If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.) The additional affected modules and versions are: github.com/mattermost/mattermost/server/v8 before v8.1.9.

• CVE-2024-1887, GHSA-fx48-xv6q-6gp3
• Affects: github.com/mattermost/mattermost-server, github.com/mattermost/mattermost-server/v5, and 2 more
• Published: Jun 28, 2024
• Modified: Jul 09, 2024
• Unreviewed

Mattermost post fetching without auditing in compliance export in github.com/mattermost/mattermost-server. NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions. (If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.) The additional affected modules and versions are: github.com/mattermost/mattermost/server/v8 before v8.1.9.

• CVE-2024-23493, GHSA-7v3v-984v-h74r
• Affects: github.com/mattermost/mattermost-server, github.com/mattermost/mattermost-server/v5, and 2 more
• Published: Jun 28, 2024
• Modified: Jul 09, 2024
• Unreviewed

Mattermost leaks details of AD/LDAP groups of a teams in github.com/mattermost/mattermost-server. NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions. (If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.) The additional affected modules and versions are: github.com/mattermost/mattermost/server/v8 before v8.1.9.

• CVE-2024-24988, GHSA-6mx3-9qfh-77gj
• Affects: github.com/mattermost/mattermost-server, github.com/mattermost/mattermost-server/v5, and 2 more
• Published: Jun 28, 2024
• Modified: Jul 09, 2024
• Unreviewed

Mattermost denial of service through long emoji value in github.com/mattermost/mattermost-server. NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions. (If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.) The additional affected modules and versions are: github.com/mattermost/mattermost/server/v8 before v8.1.9.

• CVE-2024-1949, GHSA-3g35-v53r-gpxc
• Affects: github.com/mattermost/mattermost-server, github.com/mattermost/mattermost-server/v5, and 2 more
• Published: Jun 28, 2024
• Modified: Jul 09, 2024
• Unreviewed

Mattermost race condition in github.com/mattermost/mattermost-server. NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions. (If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.) The additional affected modules and versions are: github.com/mattermost/mattermost/server/v8 before v8.1.9.

• CVE-2022-45786, GHSA-6p5q-h963-pwwf
• Affects: github.com/apache/age/drivers/golang
• Published: Mar 04, 2024
• Modified: May 20, 2024

SQL injection in github.com/apache/age/drivers/golang

• GHSA-86h5-xcpx-cfqc
• Affects: github.com/cosmos/cosmos-sdk
• Published: Mar 05, 2024
• Modified: May 20, 2024

Slashing evasion in github.com/cosmos/cosmos-sdk

• GHSA-x5r5-2qrx-rqj8
• Affects: github.com/edgelesssys/marblerun
• Published: Mar 04, 2024
• Modified: May 20, 2024

Encryption bypass in github.com/edgelesssys/marblerun

• CVE-2024-27093, GHSA-q6h8-4j2v-pjg4
• Affects: github.com/stacklok/minder
• Published: Jun 28, 2024
• Modified: Jul 09, 2024
• Unreviewed

Minder trusts client-provided mapping from repo name to upstream ID in github.com/stacklok/minder. NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions. (If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.) The additional affected modules and versions are: github.com/stacklok/minder before v0.20240226.1425.

• GHSA-fvv5-h29g-f6w5
• Affects: github.com/treeverse/lakefs
• Published: Jun 04, 2024
• Unreviewed

User with ci:ReadAction permissions and write permissions to one path in a repository may copy objects from any path in the repository in github.com/treeverse/lakefs

• CVE-2024-26578, GHSA-9q24-hwmc-797x
• Affects: github.com/apache/incubator-answer
• Published: Jun 04, 2024
• Unreviewed

Apache Answer Race Condition vulnerability in github.com/apache/incubator-answer

• CVE-2024-22393, GHSA-rmqp-mvv2-54c6
• Affects: github.com/apache/incubator-answer
• Published: Jun 04, 2024
• Unreviewed

Apache Answer Unrestricted Upload of File with Dangerous Type vulnerability in github.com/apache/incubator-answer

• CVE-2024-23349, GHSA-8pf2-qj4v-fj64
• Affects: github.com/apache/incubator-answer
• Published: Jun 04, 2024
• Unreviewed

Apache Answer Cross-site Scripting vulnerability in github.com/apache/incubator-answer

• CVE-2024-1485, GHSA-84xv-jfrm-h4gm
• Affects: github.com/devfile/registry-support/registry-library
• Published: Jun 05, 2024
• Modified: Jul 09, 2024
• Unreviewed

registry-support: decompress can delete files outside scope via relative paths in github.com/devfile/registry-support/registry-library. NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions. (If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.) The additional affected modules and versions are: github.com/devfile/registry-support/registry-library before v0.0.0-20240206.

• CVE-2024-26147, GHSA-r53h-jv2g-vpx6
• Affects: helm.sh/helm/v3
• Published: Jun 04, 2024
• Modified: Jul 01, 2024

Helm's Missing YAML Content Leads To Panic in helm.sh/helm/v3

• CVE-2024-25124, GHSA-fmg4-x8pw-hjhg
• Affects: github.com/gofiber/fiber/v2
• Published: May 20, 2024

The CORS middleware allows for insecure configurations that could potentially expose the application to multiple CORS-related vulnerabilities. Specifically, it allows setting the Access-Control-Allow-Origin header to a wildcard ("*") while also having the Access-Control-Allow-Credentials set to true, which goes against recommended security best practices.

• GHSA-4j93-fm92-rp4m
• Affects: github.com/cosmos/cosmos-sdk
• Published: May 28, 2024
• Modified: Jul 01, 2024

Missing BlockedAddressed Validation in Vesting Module in github.com/cosmos/cosmos-sdk

• GHSA-2557-x9mg-76w8
• Affects: github.com/cosmos/cosmos-sdk
• Published: May 22, 2024
• Modified: May 23, 2024

Invalid block proposal in github.com/cosmos/cosmos-sdk

• CVE-2024-25631, GHSA-x989-52fc-4vr4
• Affects: github.com/cilium/cilium
• Published: Jun 04, 2024
• Modified: Aug 19, 2024
• Unreviewed

Unencrypted traffic between pods when using Wireguard and an external kvstore in github.com/cilium/cilium

• CVE-2024-25630, GHSA-7496-fgv9-xw82
• Affects: github.com/cilium/cilium
• Published: Jun 04, 2024
• Modified: Aug 19, 2024
• Unreviewed

Unencrypted ingress/health traffic when using Wireguard transparent encryption in github.com/cilium/cilium

• GHSA-fqpg-rq76-99pq
• Affects: github.com/jackc/pgx/v5
• Published: Jul 02, 2024
• Modified: Jul 09, 2024

Pipeline can panic when PgConn is busy or closed.

• CVE-2024-24776, GHSA-r833-w756-h5p2
• Affects: github.com/mattermost/mattermost-server, github.com/mattermost/mattermost-server/v5, and 2 more
• Published: Jun 05, 2024
• Modified: Jul 09, 2024
• Unreviewed

Mattermost fails to check the required permissions in github.com/mattermost/mattermost-server. NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions. (If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.) The additional affected modules and versions are: github.com/mattermost/mattermost/server/v8 before v8.1.8.

• CVE-2024-21495, GHSA-c7vf-m394-m4x4
• Affects: github.com/greenpau/caddy-security
• Published: Jun 28, 2024
• Unreviewed

Use of Insufficiently Random Values in github.com/greenpau/caddy-security

• CVE-2024-21493, GHSA-8h95-jcp5-pjpr
• Affects: github.com/greenpau/caddy-security
• Published: Jun 28, 2024
• Unreviewed

Improper Validation of Array Index in github.com/greenpau/caddy-security

• CVE-2024-21500, GHSA-vfph-hjfv-cpv2
• Affects: github.com/greenpau/caddy-security
• Published: Jun 28, 2024
• Unreviewed

Improper Restriction of Excessive Authentication Attempts in github.com/greenpau/caddy-security

• CVE-2024-21499, GHSA-r969-783f-6jqr
• Affects: github.com/greenpau/caddy-security
• Published: Jun 28, 2024
• Unreviewed

Improper Neutralization of HTTP Headers in github.com/greenpau/caddy-security

• CVE-2024-21498, GHSA-93x8-66j2-wwr5
• Affects: github.com/greenpau/caddy-security
• Published: Jun 28, 2024
• Unreviewed

Server-Side Request Forgery in github.com/greenpau/caddy-security

• CVE-2024-21497, GHSA-8hp3-rmr7-xh88
• Affects: github.com/greenpau/caddy-security
• Published: Jun 28, 2024
• Unreviewed

Open Redirect in github.com/greenpau/caddy-security

• CVE-2024-21496, GHSA-ff72-ff42-c3gw
• Affects: github.com/greenpau/caddy-security
• Published: Jun 28, 2024
• Unreviewed

Cross-site Scripting in github.com/greenpau/caddy-security

• CVE-2024-21494, GHSA-vj36-3ccr-6563
• Affects: github.com/greenpau/caddy-security
• Published: Jun 28, 2024
• Unreviewed

Authentication Bypass by Spoofing in github.com/greenpau/caddy-security

• CVE-2024-21492, GHSA-vp66-gf7w-9m4x
• Affects: github.com/greenpau/caddy-security
• Published: Jun 28, 2024
• Unreviewed

Insufficient Session Expiration in github.com/greenpau/caddy-security

• CVE-2024-23448, GHSA-8r33-q5j5-rh7g
• Affects: github.com/elastic/apm-server
• Published: Jun 28, 2024
• Modified: Jul 09, 2024
• Unreviewed

APM Server vulnerable to Insertion of Sensitive Information into Log File in github.com/elastic/apm-server. NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions. (If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.) The additional affected modules and versions are: github.com/elastic/apm-server before v8.12.1.

• CVE-2024-25620, GHSA-v53g-5gjp-272r
• Affects: helm.sh/helm/v3
• Published: Feb 29, 2024
• Modified: May 20, 2024

Path traversal in helm.sh/helm/v3

• CVE-2020-7924, GHSA-6cwm-wm82-hgrw
• Affects: github.com/mongodb/mongo-tools
• Published: Jun 28, 2024
• Modified: Jul 09, 2024

Usage of specific command line parameter in MongoDB Tools which was originally intended to just skip hostname checks, may result in MongoDB skipping all certificate validation. This may result in accepting invalid certificates. NOTE: this module uses its own versioning scheme that is not fully compatible with standard Go module versioning, so the affected versions in this report may differ from the versions listed in other advisories. According to the advisory, the affected versions are as follows: MongoDB Inc. MongoDB Database Tools 3.6 versions later than 3.6.5; 3.6 versions prior to 3.6.21; 4.0 versions prior to 4.0.21; 4.2 versions prior to 4.2.11; 100 versions prior to 100.2.0. MongoDB Inc. Mongomirror 0 versions later than 0.6.0.

• CVE-2023-52430, GHSA-xwmv-cx7p-fqfc
• Affects: github.com/greenpau/caddy-security
• Published: Jun 28, 2024
• Unreviewed

caddy-security plugin for Caddy vulnerable to reflected Cross-site Scripting in github.com/greenpau/caddy-security

• CVE-2024-1402, GHSA-32h7-7j94-8fc2
• Affects: github.com/mattermost/mattermost-server, github.com/mattermost/mattermost-server/v5, and 2 more
• Published: Jun 28, 2024
• Modified: Jul 09, 2024
• Unreviewed

Mattermost vulnerable to denial of service via large number of emoji reactions in github.com/mattermost/mattermost-server. NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions. (If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.) The additional affected modules and versions are: github.com/mattermost/mattermost/server/v8 before v8.1.8.

• CVE-2024-24774, GHSA-qr8f-cjw7-838m
• Affects: github.com/mattermost/mattermost-plugin-jira
• Published: Jun 28, 2024
• Modified: Jul 09, 2024
• Unreviewed

Mattermost Jira Plugin does not properly check security levels in github.com/mattermost/mattermost-plugin-jira. NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions. (If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.) The additional affected modules and versions are: github.com/mattermost/mattermost-plugin-jira before v4.0.0-rc1.

• CVE-2024-23319, GHSA-4fp6-574p-fc35
• Affects: github.com/mattermost/mattermost-plugin-jira
• Published: Mar 18, 2024
• Modified: Jul 09, 2024

Cross-site request forgery via logout button in github.com/mattermost/mattermost-plugin-jira

• CVE-2024-1329, GHSA-c866-8gpw-p3mv
• Affects: github.com/hashicorp/nomad
• Published: Mar 04, 2024
• Modified: May 20, 2024

Symlink attack in github.com/hashicorp/nomad

• CVE-2023-22649, GHSA-xfj7-qf8w-2gcr
• Affects: github.com/rancher/rancher
• Published: Jun 28, 2024
• Modified: Jul 09, 2024
• Unreviewed

Rancher 'Audit Log' leaks sensitive information in github.com/rancher/rancher. NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions. (If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.) The additional affected modules and versions are: github.com/rancher/rancher from v2.6.0 before v2.6.14, from v2.7.0 before v2.7.10, from v2.8.0 before v2.8.2.

• CVE-2023-32193, GHSA-r8f4-hv23-6qp6
• Affects: github.com/rancher/norman
• Published: Feb 20, 2024
• Modified: May 20, 2024

Cross-site scripting in public API in github.com/rancher/norman

• CVE-2023-32194, GHSA-c85r-fwc7-45vc
• Affects: github.com/rancher/rancher
• Published: Jun 28, 2024
• Modified: Jul 09, 2024
• Unreviewed

Rancher permissions on 'namespaces' in any API group grants 'edit' permissions on namespaces in 'core' in github.com/rancher/rancher. NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions. (If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.) The additional affected modules and versions are: github.com/rancher/rancher from v2.6.0 before v2.6.14, from v2.7.0 before v2.7.10, from v2.8.0 before v2.8.2.

• CVE-2023-32192, GHSA-833m-37f7-jq55
• Affects: github.com/rancher/apiserver
• Published: Feb 15, 2024
• Modified: May 20, 2024

Unauthenticated cross-site scripting in github.com/rancher/apiserver

• CVE-2024-1052, GHSA-vh73-q3rw-qx7w
• Affects: github.com/hashicorp/boundary
• Published: Jun 28, 2024
• Unreviewed

Boundary vulnerable to session hijacking through TLS certificate tampering in github.com/hashicorp/boundary

• CVE-2024-24768, GHSA-9xfw-jjq2-7v8h
• Affects: github.com/1Panel-dev/1Panel
• Published: Jun 28, 2024
• Unreviewed

1Panel set-cookie is missing the Secure keyword in github.com/1Panel-dev/1Panel

• GHSA-vjg6-93fv-qv64
• Affects: go.etcd.io/etcd, go.etcd.io/etcd/v3
• Published: Jun 28, 2024
• Modified: Jul 09, 2024
• Unreviewed

Etcd auth Inaccurate logging of authentication attempts for users with CN-based auth only in go.etcd.io/etcd. NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions. (If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.) The additional affected modules and versions are: go.etcd.io/etcd/v3 before v3.3.23, from v3.4.0-rc.0 before v3.4.10.

• GHSA-pm3m-32r3-7mfh
• Affects: go.etcd.io/etcd, go.etcd.io/etcd/v3
• Published: Jun 28, 2024
• Modified: Jul 09, 2024
• Unreviewed

Etcd embed auto compaction retention negative value causing a compaction loop or a crash in go.etcd.io/etcd. NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions. (If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.) The additional affected modules and versions are: go.etcd.io/etcd/v3 before v3.3.23, from v3.4.0-rc.0 before v3.4.10.

• GHSA-j86v-2vjr-fg8f
• Affects: go.etcd.io/etcd, go.etcd.io/etcd/v3
• Published: Jun 28, 2024
• Modified: Jul 09, 2024
• Unreviewed

Etcd Gateway TLS endpoint validation only confirms TCP reachability in go.etcd.io/etcd. NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions. (If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.) The additional affected modules and versions are: go.etcd.io/etcd/v3 before v3.3.23, from v3.4.0-rc.0 before v3.4.10.

• GHSA-5x4g-q5rc-36jp
• Affects: go.etcd.io/etcd
• Published: Jun 28, 2024
• Modified: Jul 09, 2024

The TLS ciphers list supported by etcd contains insecure cipher suites. Users may specify that an insecure cipher is used via “--cipher-suites” flag. A list of secure suites is used by default.

• CVE-2020-11110, GHSA-xr3x-62qw-vc4w
• Affects: github.com/grafana/grafana
• Published: Jun 28, 2024
• Modified: Jul 09, 2024
• Unreviewed

Grafana stored XSS in github.com/grafana/grafana. NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions. (If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.) The additional affected modules and versions are: github.com/grafana/grafana before v6.7.2.

• CVE-2019-14271, GHSA-v2cv-wwxq-qq97
• Affects: github.com/docker/docker, github.com/moby/moby
• Published: Jun 28, 2024
• Modified: Jul 15, 2024

In Docker 19.03.x before 19.03.1 linked against the GNU C Library (aka glibc), code injection can occur when the nsswitch facility dynamically loads a library inside a chroot that contains the contents of the container.

• CVE-2020-24303, GHSA-mvpr-q6rh-8vrp
• Affects: github.com/grafana/grafana
• Published: Jun 28, 2024
• Modified: Jul 09, 2024
• Unreviewed

Grafana XSS via a query alias for the ElasticSearch datasource in github.com/grafana/grafana. NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions. (If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.) The additional affected modules and versions are: github.com/grafana/grafana before v7.1.0-beta1.

• CVE-2020-12459, GHSA-m25m-5778-fm22
• Affects: github.com/grafana/grafana
• Published: Jul 02, 2024
• Modified: Jul 09, 2024
• Unreviewed

Grafana world readable configuration files in github.com/grafana/grafana. NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions. (If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.) The additional affected modules and versions are: github.com/grafana/grafana from v6.0.0 before v7.2.1.

• CVE-2020-12245, GHSA-ccmg-w4xm-p28v
• Affects: github.com/grafana/grafana
• Published: Jun 28, 2024
• Modified: Jul 09, 2024
• Unreviewed

Grafana XSS in header column rename in github.com/grafana/grafana. NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions. (If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.) The additional affected modules and versions are: github.com/grafana/grafana before v6.7.3.

• CVE-2018-18624, GHSA-9hv8-4frf-cprf
• Affects: github.com/grafana/grafana
• Published: Jun 28, 2024
• Modified: Jul 09, 2024
• Unreviewed

Grafana XSS via a column style in github.com/grafana/grafana. NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions. (If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.) The additional affected modules and versions are: github.com/grafana/grafana before v7.0.0.

• CVE-2020-13430, GHSA-7m2x-qhrq-rp8h
• Affects: github.com/grafana/grafana
• Published: Jun 28, 2024
• Modified: Jul 09, 2024
• Unreviewed

Grafana XSS via the OpenTSDB datasource in github.com/grafana/grafana. NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions. (If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.) The additional affected modules and versions are: github.com/grafana/grafana before v7.0.0.

• CVE-2020-25816, GHSA-57gg-cj55-q5g2
• Affects: github.com/hashicorp/vault
• Published: Jun 28, 2024
• Unreviewed

Token leases could outlive their TTL in HashiCorp Vault in github.com/hashicorp/vault

• CVE-2020-12458, GHSA-3jq7-8ph8-63xm
• Affects: github.com/grafana/grafana
• Published: Jun 28, 2024
• Modified: Jul 09, 2024
• Unreviewed

Grafana information disclosure in github.com/grafana/grafana. NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions. (If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.) The additional affected modules and versions are: github.com/grafana/grafana before v7.2.1.

• CVE-2024-24557, GHSA-xw73-rw38-6vjc
• Affects: github.com/docker/docker, github.com/moby/moby
• Published: Jun 28, 2024
• Modified: Jul 01, 2024

Classic builder cache poisoning in github.com/docker/docker

• CVE-2024-0831, GHSA-vgh3-mwxq-rcp8
• Affects: github.com/hashicorp/vault
• Published: Jun 28, 2024
• Unreviewed

Hashicorp Vault may expose sensitive log information in github.com/hashicorp/vault

• CVE-2018-12099, GHSA-v5gq-qvjq-8p53
• Affects: github.com/grafana/grafana
• Published: Jun 28, 2024
• Unreviewed

Grafana Cross-site Scripting (XSS) in github.com/grafana/grafana

• CVE-2021-3282, GHSA-rq95-xf66-j689
• Affects: github.com/hashicorp/vault
• Published: Jun 28, 2024
• Unreviewed

Improper Authentication in HashiCorp Vault in github.com/hashicorp/vault

• CVE-2020-35177, GHSA-rpgp-9hmg-j25x
• Affects: github.com/hashicorp/vault
• Published: Jun 28, 2024
• Unreviewed

Enumeration of users in HashiCorp Vault in github.com/hashicorp/vault

• CVE-2020-28053, GHSA-6m72-467w-94rh
• Affects: github.com/hashicorp/consul
• Published: Jun 28, 2024
• Unreviewed

Privilege Escalation in HashiCorp Consul in github.com/hashicorp/consul

• CVE-2020-25201, GHSA-496g-fr33-whrf
• Affects: github.com/hashicorp/consul
• Published: Jun 28, 2024
• Unreviewed

Denial of service in HashiCorp Consul in github.com/hashicorp/consul

• CVE-2021-41091, GHSA-3fwx-pjgw-3558
• Affects: github.com/docker/docker, github.com/moby/moby
• Published: Jun 28, 2024
• Modified: Jul 01, 2024

Moby (Docker Engine) Insufficiently restricted permissions on data directory in github.com/docker/docker

• CVE-2024-24747, GHSA-xx8w-mq23-29g4
• Affects: github.com/minio/minio
• Published: Jun 28, 2024
• Unreviewed

Minio unsafe default: Access keys inherit `admin` of root user, allowing privilege escalation in github.com/minio/minio

• CVE-2024-23653, GHSA-wr6v-9f75-vh2g
• Affects: github.com/moby/buildkit
• Published: Feb 07, 2024
• Modified: May 20, 2024

BuildKit provides APIs for running interactive containers based on built images. It was possible to use these APIs to ask BuildKit to run a container with elevated privileges. Normally, running such containers is only allowed if special security.insecure entitlement is enabled both by buildkitd configuration and allowed by the user initializing the build request.

• CVE-2023-44312, GHSA-r8xp-52mq-rmm8
• Affects: github.com/apache/servicecomb-service-center
• Published: Jun 28, 2024
• Modified: Jul 09, 2024
• Unreviewed

Apache ServiceComb Service-Center Exposure of Sensitive Information to an Unauthorized Actor vulnerability in github.com/apache/servicecomb-service-center. NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions. (If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.) The additional affected modules and versions are: github.com/apache/servicecomb-service-center before v2.2.0.

• CVE-2023-44313, GHSA-9xc9-xq7w-vpcr
• Affects: github.com/apache/servicecomb-service-center
• Published: Jun 28, 2024
• Modified: Jul 09, 2024
• Unreviewed

Apache ServiceComb Service-Center Server-Side Request Forgery vulnerability in github.com/apache/servicecomb-service-center. NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions. (If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.) The additional affected modules and versions are: github.com/apache/servicecomb-service-center before v2.2.0.

• CVE-2024-23652, GHSA-4v98-7qmw-rqr8
• Affects: github.com/moby/buildkit
• Published: Feb 12, 2024
• Modified: May 20, 2024

A malicious BuildKit frontend or Dockerfile using RUN --mount could trick the feature that removes empty files created for the mountpoints into removing a file outside the container, from the host system.

• CVE-2024-23651, GHSA-m3r6-h7wv-7xxv
• Affects: github.com/moby/buildkit
• Published: Feb 13, 2024
• Modified: May 20, 2024

Two malicious build steps running in parallel sharing the same cache mounts with subpaths could cause a race condition that can lead to files from the host system being accessible to the build container.

• CVE-2024-23650, GHSA-9p26-698r-w4hx
• Affects: github.com/moby/buildkit
• Published: Feb 12, 2024
• Modified: May 20, 2024

A malicious BuildKit client or frontend could craft a request that could lead to a BuildKit daemon crashing with a panic.

• CVE-2024-21626, GHSA-xr7r-f8xq-vfvv
• Affects: github.com/opencontainers/runc
• Published: Jun 28, 2024
• Modified: Jul 01, 2024

Container breakout through process.cwd trickery and leaked fds in github.com/opencontainers/runc

• CVE-2024-24579, GHSA-hpxr-w9w7-g4gv
• Affects: github.com/anchore/stereoscope
• Published: Feb 13, 2024
• Modified: May 20, 2024

It is possible to craft an OCI tar archive that, when stereoscope attempts to unarchive the contents, will result in writing to paths outside of the unarchive temporary directory.

• CVE-2020-16251, GHSA-4mp7-2m29-gqxf
• Affects: github.com/hashicorp/vault
• Published: Jun 28, 2024
• Unreviewed

HashiCorp Vault Authentication bypass in github.com/hashicorp/vault

• CVE-2020-10660, GHSA-m979-w9wj-qfj9
• Affects: github.com/hashicorp/vault
• Published: Jun 28, 2024
• Unreviewed

HashiCorp Vault Improper Privilege Management in github.com/hashicorp/vault

• CVE-2020-10661, GHSA-j6vv-vv26-rh7c
• Affects: github.com/hashicorp/vault
• Published: Jun 28, 2024
• Unreviewed

HashiCorp Vault Improper Privilege Management in github.com/hashicorp/vault

• CVE-2018-18625, GHSA-6wh2-8hw7-jw94
• Affects: github.com/grafana/grafana
• Published: Jun 28, 2024
• Unreviewed

Grafana XSS via adding a link in General feature in github.com/grafana/grafana

• CVE-2024-23840, GHSA-h3q2-8whx-c29h
• Affects: github.com/goreleaser/goreleaser
• Published: Feb 13, 2024
• Modified: May 20, 2024

Secret values can be printed to the --debug log when using a a custom publisher.

• CVE-2024-23827, GHSA-xvq9-4vpv-227m
• Affects: github.com/0xJacky/Nginx-UI
• Published: Jun 28, 2024
• Modified: Jul 09, 2024
• Unreviewed

Nginx-UI vulnerable to arbitrary file write through the Import Certificate feature in github.com/0xJacky/Nginx-UI. NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions. (If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.) The additional affected modules and versions are: github.com/0xJacky/Nginx-UI before v2.0.0-beta.12.

• CVE-2024-23828, GHSA-qcjq-7f7v-pvc8
• Affects: github.com/0xJacky/Nginx-UI
• Published: Jun 28, 2024
• Modified: Jul 09, 2024
• Unreviewed

Nginx-UI vulnerable to authenticated RCE through injecting into the application config via CRLF in github.com/0xJacky/Nginx-UI. NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions. (If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.) The additional affected modules and versions are: github.com/0xJacky/Nginx-UI before v2.0.0-beta.12.

• CVE-2024-23647, GHSA-mrx3-gxjx-hjqj
• Affects: goauthentik.io
• Published: Jun 28, 2024
• Modified: Jul 09, 2024
• Unreviewed

Authentik vulnerable to PKCE downgrade attack in goauthentik.io. NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions. (If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.) The additional affected modules and versions are: goauthentik.io before v2023.8.7, from v2023.10.0 before v2023.10.7.

• CVE-2023-52354, GHSA-g4x3-mfpj-f335
• Affects: blitiri.com.ar/go/chasquid
• Published: Jun 28, 2024
• Unreviewed

chasquid HTTP Request/Response Smuggling vulnerability in github.com/albertito/chasquid in blitiri.com.ar/go/chasquid

• CVE-2024-23820, GHSA-rxpw-85vw-fx87
• Affects: github.com/openfga/openfga
• Published: Jun 28, 2024
• Unreviewed

OpenFGA denial of service in github.com/openfga/openfga

• CVE-2024-23656, GHSA-gr79-9v6v-gc9r
• Affects: github.com/dexidp/dex
• Published: Jun 28, 2024
• Modified: Jul 09, 2024
• Unreviewed

Dex discarding TLSconfig and always serves deprecated TLS 1.0/1.1 and insecure ciphers in github.com/dexidp/dex. NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions. (If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.) The additional affected modules and versions are: github.com/dexidp/dex from v2.37.0 before v2.38.0.

• CVE-2024-23332, GHSA-57wx-m636-g3g8
• Affects: github.com/notaryproject/notation
• Published: Jun 28, 2024
• Unreviewed

Go package github.com/notaryproject/notation configured with permissive trust policies potentially susceptible to rollback attack from compromised registry

• GHSA-qr8r-m495-7hc4
• Affects: github.com/cometbft/cometbft
• Published: Jan 23, 2024
• Modified: May 20, 2024

A vulnerability in CometBFT’s validation logic for VoteExtensionsEnableHeight can result in a chain halt when triggered through a governance parameter change proposal on an ABCI2 Application Chain. If a parameter change proposal including a VoteExtensionsEnableHeight modification is passed, nodes running the affected versions may panic, halting the network.

• GHSA-f6jh-hvg2-9525
• Affects: github.com/kudelskisecurity/crystals-go
• Published: Jan 17, 2024
• Modified: Jun 03, 2024

Kyberslash timing attack possible in github.com/kudelskisecurity/crystals-go

• CVE-2022-3328, GHSA-cjqf-877p-7m3f
• Affects: github.com/snapcore/snapd
• Published: Jun 05, 2024
• Modified: Jul 09, 2024
• Unreviewed

snapd Race Condition vulnerability in github.com/snapcore/snapd. NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions. (If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.) The additional affected modules and versions are: github.com/snapcore/snapd before v2.57.6.

• CVE-2023-49568, GHSA-mw99-9chc-xw7r
• Affects: gopkg.in/src-d/go-git.v4, github.com/go-git/go-git/v5
• Published: Jan 23, 2024
• Modified: May 20, 2024

Denial of service in github.com/go-git/go-git/v5 and gopkg.in/src-d/go-git.v4

• CVE-2024-22197, GHSA-pxmr-q2x3-9x9m
• Affects: github.com/0xJacky/Nginx-UI
• Published: Jan 17, 2024
• Modified: May 20, 2024

Remote command execution in github.com/0xJacky/Nginx-UI

• CVE-2024-22196, GHSA-h374-mm57-879c
• Affects: github.com/0xJacky/Nginx-UI
• Published: Jan 17, 2024
• Modified: May 20, 2024

SQL injection in github.com/0xJacky/Nginx-UI

• CVE-2024-22198, GHSA-8r25-68wm-jw35
• Affects: github.com/0xJacky/Nginx-UI
• Published: Jan 30, 2024
• Modified: May 20, 2024

Arbitrary command execution in github.com/0xJacky/Nginx-UI

• CVE-2024-22199, GHSA-4mq2-gc4j-cmw6
• Affects: github.com/gofiber/template/django/v3
• Published: Jan 17, 2024
• Modified: May 20, 2024

Cross-site scripting in github.com/gofiber/template/django/v3

• CVE-2023-49295, GHSA-ppxx-5m9h-6vxf
• Affects: github.com/quic-go/quic-go
• Published: Jan 23, 2024
• Modified: May 20, 2024

Denial of service via path validation in github.com/quic-go/quic-go

• CVE-2023-6476, GHSA-p4rx-7wvg-fwrc
• Affects: github.com/cri-o/cri-o
• Published: Jun 28, 2024
• Unreviewed

CRI-O's pods can break out of resource confinement on cgroupv2 in github.com/cri-o/cri-o

• CVE-2023-49619, GHSA-f899-4mr4-fqpv
• Affects: github.com/apache/incubator-answer
• Published: Jun 28, 2024
• Unreviewed

Apache Answer Race Condition vulnerability in github.com/apache/incubator-answer

• CVE-2023-49569, GHSA-449p-3h89-pw88
• Affects: gopkg.in/src-d/go-git.v4, github.com/go-git/go-git/v5
• Published: Jan 23, 2024
• Modified: May 20, 2024

Path traversal and RCE in github.com/go-git/go-git/v5 and gopkg.in/src-d/go-git.v4