80 matches found
GHSA-WHQX-F9J3-CH6M vulnerabilities
Vulnerabilities for packages: policy-controller, kyverno-fips, flux-source-controller, goreleaser, cloudbeat, gitsign, teleport, falcoctl, image-factory-fips, kyverno-policy-reporter-plugins-kyverno, tkn, chainctl, kyverno, aactl, witness, kyverno-notation-aws-fips, policy-controller-fips,...
EUVD-2024-0363
Malicious code in bioql PyPI...
CVE-2025-54388 vulnerabilities
Vulnerabilities for packages: trufflehog-fips, splunk-otel-collector, opentelemetry-collector-contrib-fips, bootc-image-builder, cg, trivy, apko, buildkitd, goreleaser, tw, elastic-agent, osv-scanner, falcoctl, grype-fips, cadvisor, melange, k9s-fips, splunk-otel-collector-fips, syft-fips,...
GHSA-29WX-VH33-7X7R vulnerabilities
Vulnerabilities for packages: coredns, gitsign, kubescape, pulumi-kubernetes-operator, kubeflow-katib, terraform, wal-g, kubernetes, cluster-autoscaler, git-sync, goreleaser, vexctl, buildkitd, flux-source-controller, tkn, minio-operator, kubernetes-dashboard-auth, k3s, azcopy, atlantis, trivy,...
CVE-2024-51744 vulnerabilities
Vulnerabilities for packages: coredns, gitsign, kubescape, pulumi-kubernetes-operator, kubeflow-katib, terraform, wal-g, kubernetes, cluster-autoscaler, git-sync, goreleaser, vexctl, buildkitd, flux-source-controller, tkn, minio-operator, kubernetes-dashboard-auth, k3s, azcopy, atlantis, trivy,...
CVE-2024-35255 vulnerabilities
Vulnerabilities for packages: cortex, fulcio, sigstore-scaffolding, kubescape, wal-g, py3-azure-identity, airflow, hugo-extended, trino, cluster-autoscaler, datadog-agent, goreleaser, sqlpad, buildkitd, flux-source-controller, pulumi, step-ca, tkn, trivy, chezmoi, argo-workflows, velero, zot,...
GO-2024-2860 goreleaser shows environment by default in github.com/goreleaser/goreleaser
goreleaser shows environment by default in github.com/goreleaser/goreleaser...
goreleaser shows environment by default
Summary Since 4787 the log output is printed on the INFO level, while previously it was logged on DEBUG. This means if the go build output is non-empty, goreleaser leaks the environment. PoC Create a Go project with dependencies, do not pull them yet or run goreleaser later in a container, or...
GHSA-F6MM-5FC7-3G3C vulnerabilities
Vulnerabilities for packages: goreleaser...
GHSA-F6MM-5FC7-3G3C vulnerabilities
Vulnerabilities for packages: goreleaser...
GHSA-F6MM-5FC7-3G3C goreleaser shows environment by default
Summary Since 4787 the log output is printed on the INFO level, while previously it was logged on DEBUG. This means if the go build output is non-empty, goreleaser leaks the environment. PoC Create a Go project with dependencies, do not pull them yet or run goreleaser later in a container, or...
CVE-2024-28180 vulnerabilities
Vulnerabilities for packages: fulcio, sigstore-scaffolding, gitsign, kubescape, nerdctl, apko, slsa-verifier, kube-rbac-proxy, goreleaser, vexctl, step-ca, flux-source-controller, tkn, kubernetes-dashboard, melange, argo-workflows, zot, skopeo, temporal-ui-server, policy-controller,...
GHSA-XW73-RW38-6VJC vulnerabilities
Vulnerabilities for packages: ko-fips, kpt, k8sgpt, policy-controller, timoni, docker-credential-gcr, eksctl, trivy, skaffold, slsa-verifier, buildkitd, newrelic-infrastructure-agent, tekton-chains, goreleaser, gitsign, falcoctl, helm-fips, kubevela, pulumi, up, falco, cadvisor, k3s, bom, crane,...
CVE-2024-24557 vulnerabilities
Vulnerabilities for packages: ko-fips, kpt, k8sgpt, policy-controller, timoni, docker-credential-gcr, eksctl, trivy, skaffold, slsa-verifier, buildkitd, newrelic-infrastructure-agent, tekton-chains, goreleaser, gitsign, falcoctl, helm-fips, kubevela, pulumi, up, falco, cadvisor, k3s, bom, crane,...
SUSE CVE-2024-23840
GoReleaser builds Go binaries for several platforms, creates a GitHub release and then pushes a Homebrew formula to a tap repository. goreleaser release --debug log shows secret values used in the in the custom publisher. This vulnerability is fixed in 1.24.0...
Sensitive Information Into Log File
github.com/goreleaser/goreleaser is vulnerable to Information Exposure. The vulnerability is due to a flaw in the handling of debug logs WithField"env", c.Env which is used to log environment variables., The goreleaser release --debug command includes sensitive information such as secrets or...
CVE-2024-23840
A flaw was found in GoReleaser. This package log shows secret values that are supposed to be hidden when using --debug. Mitigation No mitigation is yet available for this vulnerability despite having control of the --debug and where the logs are located...
GHSA-H3Q2-8WHX-C29H vulnerabilities
Vulnerabilities for packages: goreleaser...
GHSA-H3Q2-8WHX-C29H `goreleaser release --debug` shows secrets
Summary Hello 👋 goreleaser release --debug log shows secret values used in the in the custom publisher. How to reproduce the issue: - Define a custom publisher as the one below. Make sure to provide a custom script to the cmd field and to provide a secret to env .goreleaser.yml publishers: - name...
GHSA-H3Q2-8WHX-C29H vulnerabilities
Vulnerabilities for packages: goreleaser...