6574 matches found
GO-2023-2028 OpenFGA Authorization Bypass in github.com/openfga/openfga
OpenFGA Authorization Bypass in github.com/openfga/openfga...
GO-2023-2022 Netmaker has Hardcoded DNS Secret Key in github.com/gravitl/netmaker
Netmaker has Hardcoded DNS Secret Key in github.com/gravitl/netmaker...
GO-2023-2012 lakeFS vulnerable to Arbitrary JavaScript Injection via Direct Link to HTML Files in github.com/treeverse/lakefs
lakeFS vulnerable to Arbitrary JavaScript Injection via Direct Link to HTML Files in github.com/treeverse/lakefs...
GO-2023-1957 KubePi may leak password hash of any user in github.com/KubeOperator/kubepi
KubePi may leak password hash of any user in github.com/KubeOperator/kubepi...
GO-2023-1850 HashiCorp Consul can use cleartext agent-to-agent RPC communication in github.com/hashicorp/consul
HashiCorp Consul can use cleartext agent-to-agent RPC communication in github.com/hashicorp/consul...
GO-2023-1747 Hop-by-hop abuse to malform header mutator in github.com/ory/oathkeeper
Hop-by-hop abuse to malform header mutator in github.com/ory/oathkeeper...
GO-2023-1658 Answer vulnerable to Business Logic Errors in github.com/answerdev/answer
Answer vulnerable to Business Logic Errors in github.com/answerdev/answer...
GO-2023-1542 Pterodactyl Wings contains UNIX Symbolic Link (Symlink) Following in github.com/pterodactyl/wings
Pterodactyl Wings contains UNIX Symbolic Link (Symlink) Following in github.com/pterodactyl/wings...
GO-2023-1388 Gitops Run insecure communication in github.com/weaveworks/weave-gitops
Gitops Run insecure communication in github.com/weaveworks/weave-gitops...
A refresher on Talos’ open-source tools and the importance of the open-source community
Open-source software that is free to download, deploy and modify is a vital component in the fight for cyber security. Freely available software not only helps defend systems that would otherwise be unprotected, but it also allows people to learn and develop vital cybersecurity skills. In this...
GO-2024-3010 CVE-2024-6984 in github.com/juju/juju
CVE-2024-6984 in github.com/juju/juju. NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions. If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report. The...
GO-2024-3029 Navidrome uses MD5 hashing algorithm in github.com/navidrome/navidrome
Navidrome uses MD5 hashing algorithm in github.com/navidrome/navidrome...
North Korean Hackers Moonstone Sleet Push Malicious JS Packages to npm Registry
The North Korea-linked threat actor known as Moonstone Sleet has continued to push malicious npm packages to the JavaScript package registry with the aim of infecting Windows systems, underscoring the persistent nature of their campaigns. The packages in question, harthat-api and harthat-hash, we...
Exploit for CVE-2024-39700
CVE-2024-39700 Proof of Concept Repositories created using th...
Denial Of Service (DoS)
github.com/argoproj/argo-cd is vulnerable to Denial of Service (DoS). The vulnerability is due to insufficient input validation and resource management for large JSON payloads at the /api/webhook endpoint, which results in excessive memory allocation and triggers an Out Of Memory (OOM) kill, causing...
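The failure mode in this entry, shown as an added Go example (illustration only, not argo-cd's code): a webhook handler that buffers the whole request body with io.ReadAll before parsing, so memory grows with whatever the sender chooses to post, beside a hardened handler that wraps the body in http.MaxBytesReader and streams the JSON decode so an oversized payload is rejected with 413 before it is buffered. The 1 MiB cap, the payload struct, and the constructed test bodies are assumptions for the illustration.

```go
package main

import (
	"bytes"
	"encoding/json"
	"errors"
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
	"strings"
)

// maxWebhookBody is the cap the hardened handler enforces. The value is an
// assumption for this example, not a setting taken from argo-cd.
const maxWebhookBody = 1 << 20 // 1 MiB

// payload is the only part of the document the handler needs. Everything else
// the sender includes is dead weight, which is why buffering it all is costly.
type payload struct {
	Repository struct {
		URL string `json:"url"`
	} `json:"repository"`
}

// vulnerableWebhook mirrors the reported pattern: the entire body is read into
// memory with no size check, so a large payload costs a proportional allocation
// before any validation happens.
func vulnerableWebhook(w http.ResponseWriter, r *http.Request) {
	body, err := io.ReadAll(r.Body) // unbounded
	if err != nil {
		http.Error(w, "read error", http.StatusBadRequest)
		return
	}
	var p payload
	if err := json.Unmarshal(body, &p); err != nil {
		http.Error(w, "bad json", http.StatusBadRequest)
		return
	}
	w.WriteHeader(http.StatusOK)
}

// hardenedWebhook bounds the body first and decodes as a stream, so the
// allocation can never exceed the cap and an oversized body fails with 413.
func hardenedWebhook(w http.ResponseWriter, r *http.Request) {
	r.Body = http.MaxBytesReader(w, r.Body, maxWebhookBody)
	var p payload
	if err := json.NewDecoder(r.Body).Decode(&p); err != nil {
		var tooBig *http.MaxBytesError // returned once the cap is crossed (Go 1.19+)
		if errors.As(err, &tooBig) {
			http.Error(w, "payload too large", http.StatusRequestEntityTooLarge)
			return
		}
		http.Error(w, "bad json", http.StatusBadRequest)
		return
	}
	w.WriteHeader(http.StatusOK)
}

// status drives a handler with a POST to /api/webhook and returns the status code.
func status(h http.HandlerFunc, body string) int {
	req := httptest.NewRequest(http.MethodPost, "/api/webhook", strings.NewReader(body))
	req.Header.Set("Content-Type", "application/json")
	rec := httptest.NewRecorder()
	h(rec, req)
	return rec.Code
}

// oversizedPayload builds a syntactically valid document whose padding field
// alone exceeds maxWebhookBody (constructed test input).
func oversizedPayload() string {
	var b bytes.Buffer
	b.WriteString(`{"repository":{"url":"https://example.invalid/repo.git"},"pad":"`)
	b.WriteString(strings.Repeat("A", maxWebhookBody+1))
	b.WriteString(`"}`)
	return b.String()
}

func main() {
	small := `{"repository":{"url":"https://example.invalid/repo.git"}}`
	fmt.Printf("vulnerable: small=%d oversized=%d\n",
		status(vulnerableWebhook, small), status(vulnerableWebhook, oversizedPayload()))
	fmt.Printf("hardened:   small=%d oversized=%d\n",
		status(hardenedWebhook, small), status(hardenedWebhook, oversizedPayload()))
}
```

The vulnerable handler answers 200 to both bodies, having first materialised the whole oversized one in memory; the hardened handler answers 200 and 413. MaxBytesReader bounds only the byte count: a small document that decodes into something expensive (deep nesting, huge arrays) is a separate concern and needs its own limits on the decoded structure.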
CVE-2024-39887
| creationtimestamp | type | source |
|---|---|---|
| 2024-07-16 12:55:40+00:00 | seen | https://t.me/cvedetector/926 |
| 2024-12-09 16:22:14+00:00 | seen | https://t.me/cvedetector/12393 |
| 2024-12-11 15:19:16+00:00 | confirmed | ... |
Improper Access Control
github.com/project-zot/zot is vulnerable to Improper Access Control. The vulnerability is due to improper access control enforcement when deduplication is enabled. An attacker can read blobs (both config and layers) by digest from repositories they do not have access to by exploiting the global cac...
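A toy model of the deduplication mistake this entry describes, added here as a Go example (it is not zot's code): blobs live once in a global cache keyed by digest, repositories only record which digests they reference, and the access check is made on the repository named in the request. The vulnerable lookup serves any digest the global cache holds once that check passes, so a caller who can read one repository can pull the config and layer blobs of another by digest. The fixed lookup also requires the named repository to reference the digest. Registry, Demo, the user and repository names and the blob contents are all constructed for the illustration.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

var (
	ErrForbidden = errors.New("forbidden")
	ErrNotFound  = errors.New("blob not found")
)

// Registry is a constructed model of a deduplicating content-addressed store:
// one global cache of bytes keyed by digest, a per-repository set of
// referenced digests, and an ACL of which repositories a user may read.
type Registry struct {
	cache map[string][]byte          // digest -> content, shared by every repo
	refs  map[string]map[string]bool // repo -> digests that repo references
	acl   map[string]map[string]bool // user -> repos the user may read
}

func NewRegistry() *Registry {
	return &Registry{
		cache: map[string][]byte{},
		refs:  map[string]map[string]bool{},
		acl:   map[string]map[string]bool{},
	}
}

func digestOf(b []byte) string {
	sum := sha256.Sum256(b)
	return "sha256:" + hex.EncodeToString(sum[:])
}

// Grant lets user read repo.
func (r *Registry) Grant(user, repo string) {
	if r.acl[user] == nil {
		r.acl[user] = map[string]bool{}
	}
	r.acl[user][repo] = true
}

// Push stores content once (dedup) and links its digest to repo.
func (r *Registry) Push(repo string, content []byte) string {
	d := digestOf(content)
	if _, dup := r.cache[d]; !dup {
		r.cache[d] = content
	}
	if r.refs[repo] == nil {
		r.refs[repo] = map[string]bool{}
	}
	r.refs[repo][d] = true
	return d
}

// GetBlobVulnerable checks that user may read repo, then answers from the
// global cache. Nothing ties the digest to repo, so every digest anyone has
// ever pushed is readable through any repo the caller can access.
func (r *Registry) GetBlobVulnerable(user, repo, digest string) ([]byte, error) {
	if !r.acl[user][repo] {
		return nil, ErrForbidden
	}
	b, ok := r.cache[digest]
	if !ok {
		return nil, ErrNotFound
	}
	return b, nil
}

// GetBlobFixed additionally requires that repo itself references the digest.
// A foreign digest gets the same ErrNotFound as an unknown one, so the reply
// is not an oracle for "does this digest exist somewhere in the registry".
func (r *Registry) GetBlobFixed(user, repo, digest string) ([]byte, error) {
	if !r.acl[user][repo] {
		return nil, ErrForbidden
	}
	if !r.refs[repo][digest] {
		return nil, ErrNotFound
	}
	return r.cache[digest], nil
}

// Demo plays the scenario: mallory may read public/hello only and asks, via
// that repo, for a digest pushed only to team-a/private. It reports whether
// the vulnerable lookup leaked the bytes and whether the fixed one refused.
func Demo() (leaked, refused bool) {
	reg := NewRegistry()
	secret := reg.Push("team-a/private", []byte("constructed: private layer bytes"))
	reg.Push("public/hello", []byte("constructed: public layer bytes"))
	reg.Grant("mallory", "public/hello")

	_, err := reg.GetBlobVulnerable("mallory", "public/hello", secret)
	leaked = err == nil
	_, err = reg.GetBlobFixed("mallory", "public/hello", secret)
	refused = errors.Is(err, ErrNotFound)
	return leaked, refused
}

func main() {
	leaked, refused := Demo()
	fmt.Printf("vulnerable lookup leaked the foreign blob: %v\nfixed lookup refused: %v\n", leaked, refused)
}
```

The general rule the fixed path follows: when storage is shared across tenants, the authorization decision has to be made against the tenant-scoped index (here, the repository's own reference set), never against the shared physical store.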
CVE-2024-6433 Local File Inclusion in stitionai/devika
The application zips all the files in the folder specified by the user, which allows an attacker to read arbitrary files on the system by providing a crafted path. This vulnerability can be exploited by sending a request to the application with a malicious snapshotpath parameter...
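The devika entry above (a user-supplied folder path archived without confinement) and the Pterodactyl Wings entry earlier in this listing (symlink following) fail the same check from two directions, so one added Go example covers both; it is not code from either project. It builds a constructed directory tree in a temp dir and runs three request shapes against two checks: a lexical join-and-prefix test, which is what many code bases stop at and which misses a symlink, and a check that resolves symlinks on the real filesystem before comparing against the root. The tree layout, root name and request strings are assumptions for the illustration.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"path/filepath"
	"strings"
)

var ErrOutsideRoot = errors.New("path escapes the allowed root")

// resolveInside returns the symlink-resolved absolute path of userPath
// confined to root, or ErrOutsideRoot. Resolving on the real filesystem
// catches "../" traversal and a symlink inside root that points outside it.
// The target must exist, since EvalSymlinks fails otherwise.
func resolveInside(root, userPath string) (string, error) {
	absRoot, err := filepath.Abs(root)
	if err == nil {
		absRoot, err = filepath.EvalSymlinks(absRoot) // root itself may sit behind a symlink
	}
	if err != nil {
		return "", err
	}
	resolved, err := filepath.EvalSymlinks(filepath.Join(absRoot, userPath))
	if err != nil {
		return "", err
	}
	rel, err := filepath.Rel(absRoot, resolved)
	if err != nil {
		return "", err
	}
	if rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", ErrOutsideRoot
	}
	return resolved, nil
}

// lexicalInside is the prefix-only check: join, clean, compare. It never
// touches the filesystem, so a symlink is invisible to it.
func lexicalInside(root, userPath string) bool {
	absRoot, err := filepath.Abs(root)
	if err != nil {
		return false
	}
	p := filepath.Join(absRoot, userPath) // Join cleans "..", so plain traversal is caught here
	return p == absRoot || strings.HasPrefix(p, absRoot+string(filepath.Separator))
}

// buildFixture creates this constructed layout under a temp dir and returns root:
//   root/allowed/data.txt
//   root/allowed/escape -> ../../outside   (symlink leaving root)
//   outside/secret.txt                     (sibling of root, never meant to be served)
func buildFixture() (root string, cleanup func(), err error) {
	base, err := os.MkdirTemp("", "confine-")
	if err != nil {
		return "", nil, err
	}
	cleanup = func() { os.RemoveAll(base) }
	root = filepath.Join(base, "root")
	steps := []func() error{
		func() error { return os.MkdirAll(filepath.Join(root, "allowed"), 0o755) },
		func() error { return os.MkdirAll(filepath.Join(base, "outside"), 0o755) },
		func() error { return os.WriteFile(filepath.Join(root, "allowed", "data.txt"), []byte("public\n"), 0o644) },
		func() error { return os.WriteFile(filepath.Join(base, "outside", "secret.txt"), []byte("constructed secret\n"), 0o644) },
		func() error { return os.Symlink(filepath.Join("..", "..", "outside"), filepath.Join(root, "allowed", "escape")) },
	}
	for _, s := range steps {
		if err := s(); err != nil {
			cleanup()
			return "", nil, err
		}
	}
	return root, cleanup, nil
}

// ProbeRow records whether one request shape passed each check.
type ProbeRow struct {
	Request  string
	Lexical  bool
	Resolved bool
}

// Probe runs a direct path, a "../" traversal and a path through the escaping
// symlink against both checks. Only the resolved check rejects the symlink.
func Probe() ([]ProbeRow, error) {
	root, cleanup, err := buildFixture()
	if err != nil {
		return nil, err
	}
	defer cleanup()
	var rows []ProbeRow
	for _, req := range []string{"allowed/data.txt", "../outside/secret.txt", "allowed/escape/secret.txt"} {
		_, rerr := resolveInside(root, req)
		rows = append(rows, ProbeRow{req, lexicalInside(root, req), rerr == nil})
	}
	return rows, nil
}

func main() {
	rows, err := Probe()
	if err != nil {
		fmt.Println("fixture error:", err)
		return
	}
	for _, r := range rows {
		fmt.Printf("%-28s lexical=%-5v resolved=%v\n", r.Request, r.Lexical, r.Resolved)
	}
}
```

An archiver that walks the user's folder should apply resolveInside to each entry it is about to add, not just to the folder argument: filepath.WalkDir does not descend into symlinked directories, but a symlinked file is still opened through the link when its bytes are read. A resolve-then-check sequence is also only as good as its atomicity; where an attacker can swap a link between the check and the open, opening with the resolved path and re-verifying the opened file (for example by comparing os.File.Stat against a Lstat of the expected path) closes that window.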
Trojanized jQuery Packages Found on npm, GitHub, and jsDelivr Code Repositories
Unknown threat actors have been found propagating trojanized versions of jQuery on npm, GitHub, and jsDelivr in what appears to be an instance of a "complex and persistent" supply chain attack. "This attack stands out due to the high variability across packages," Phylum said in an analysis...