249 matches found

Amazon · added 2025/02/05 12:0 a.m. · 3 views

Important: nerdctl

Issue Overview: Applications and libraries which misuse the ServerConfig.PublicKeyCallback callback may be susceptible to an authorization bypass. The documentation for ServerConfig.PublicKeyCallback says that "A call to this function does not guarantee that the key offered is in fact used to...

CVSS 9.1 · AI score 7.9 · EPSS 0.03092 · Exploits: 2
Amazon · added 2025/02/05 12:0 a.m. · 3 views

Important: containerd

Issue Overview: Applications and libraries which misuse the ServerConfig.PublicKeyCallback callback may be susceptible to an authorization bypass. The documentation for ServerConfig.PublicKeyCallback says that "A call to this function does not guarantee that the key offered is in fact used to...

CVSS 9.1 · AI score 7.9 · EPSS 0.03092 · Exploits: 2
Tenable Nessus · added 2025/02/05 12:0 a.m. · 11 views

Amazon Linux 2023 : runfinch-finch (ALAS2023-2025-834)

It is, therefore, affected by multiple vulnerabilities as referenced in the ALAS2023-2025-834 advisory. 2025-02-11: CVE-2024-45338 was added to this advisory. 2025-02-11: CVE-2024-51744 was added to this advisory. Applications and libraries which misuse the ServerConfig.PublicKeyCallback callback...

CVSS 9.1 · AI score 7.1 · EPSS 0.03092 · Exploits: 2 · References: 8
Amazon · added 2025/02/04 12:0 a.m. · 4 views

Important: runfinch-finch

Issue Overview: Applications and libraries which misuse the ServerConfig.PublicKeyCallback callback may be susceptible to an authorization bypass. The documentation for ServerConfig.PublicKeyCallback says that "A call to this function does not guarantee that the key offered is in fact used to...

CVSS 9.1 · AI score 6.7 · EPSS 0.03092 · Exploits: 2
Ubuntu · added 2025/02/03 5:37 a.m. · 13 views

USN-7250-1: Netdata vulnerabilities

It was discovered that Netdata incorrectly handled parsing JSON input, which could lead to a JSON injection. An attacker could possibly use this issue to execute arbitrary code. This issue only affected Ubuntu 18.04 LTS. CVE-2018-18836 It was discovered that Netdata incorrectly handled parsing HT...

CVSS 9.1 · AI score 7.4 · EPSS 0.02172 · Exploits: 8
OSV · added 2025/02/03 5:37 a.m. · 3 views

USN-7250-1 netdata vulnerabilities

It was discovered that Netdata incorrectly handled parsing JSON input, which could lead to a JSON injection. An attacker could possibly use this issue to execute arbitrary code. This issue only affected Ubuntu 18.04 LTS. CVE-2018-18836 It was discovered that Netdata incorrectly handled parsing HT...

CVSS 9.1 · AI score 7.5 · EPSS 0.02172 · Exploits: 8 · References: 8
Tenable Nessus · added 2025/02/03 12:0 a.m. · 12 views

Ubuntu 18.04 LTS / 20.04 LTS / 22.04 LTS / 24.10 : Netdata vulnerabilities (USN-7250-1)

The remote Ubuntu 18.04 LTS / 20.04 LTS / 22.04 LTS / 24.10 host has packages installed that are affected by multiple vulnerabilities as referenced in the USN-7250-1 advisory. It was discovered that Netdata incorrectly handled parsing JSON input, which could lead to a JSON injection. An attacker...

CVSS 9.1 · AI score 7.5 · EPSS 0.02172 · Exploits: 8 · References: 8
Veracode · added 2025/01/06 12:5 p.m. · 7 views

Authorization Bypass

golang.org/x/crypto is vulnerable to Authorization Bypass. The vulnerability is due to improper handling of public key authentication callbacks where the order or reuse of keys in the callback can lead to incorrect authorization decisions, allowing attackers to exploit misused APIs or assumptions...

CVSS 9.1 · AI score 7.1 · EPSS 0.03092 · Exploits: 2 · References: 8 · Affected Software: 2
Tenable Nessus · added 2024/12/20 12:0 a.m. · 13 views

CBL Mariner 2.0 Security Update: cert-manager / cf-cli / docker-buildx / docker-compose / moby-compose / moby-engine / packer (CVE-2024-45337)

The version of cert-manager / cf-cli / docker-buildx / docker-compose / moby-compose / moby-engine / packer installed on the remote CBL Mariner 2.0 host is prior to tested version. It is, therefore, affected by a vulnerability as referenced in the CVE-2024-45337 advisory. - Applications and...

CVSS 9.1 · AI score 7.5 · EPSS 0.03092 · Exploits: 2 · References: 2
OSV · added 2024/12/12 2:2 a.m. · 6 views

CVE-2024-45337

Applications and libraries which misuse connection.serverAuthenticate via callback field ServerConfig.PublicKeyCallback may be susceptible to an authorization bypass. The documentation for ServerConfig.PublicKeyCallback says that "A call to this function does not guarantee that the key offered is...

CVSS 9.1 · AI score 9.1 · Exploits: 0 · References: 7
OSV · added 2024/12/12 2:2 a.m. · 2 views

UBUNTU-CVE-2024-45337

Applications and libraries which misuse connection.serverAuthenticate via callback field ServerConfig.PublicKeyCallback may be susceptible to an authorization bypass. The documentation for ServerConfig.PublicKeyCallback says that "A call to this function does not guarantee that the key offered is...

CVSS 9.1 · AI score 6.8 · EPSS 0.03092 · Exploits: 2 · References: 9
OSV · added 2024/12/11 10:3 p.m. · 21 views

GHSA-V778-237X-GJRC Misuse of ServerConfig.PublicKeyCallback may cause authorization bypass in golang.org/x/crypto

Applications and libraries which misuse the ServerConfig.PublicKeyCallback callback may be susceptible to an authorization bypass. The documentation for ServerConfig.PublicKeyCallback says that "A call to this function does not guarantee that the key offered is in fact used to authenticate."...

CVSS 9.1 · AI score 9.1 · EPSS 0.03092 · Exploits: 2 · References: 9
AlpineLinux · added 2024/12/11 6:55 p.m. · 3 views

CVE-2024-45337

Applications and libraries which misuse connection.serverAuthenticate via callback field ServerConfig.PublicKeyCallback may be susceptible to an authorization bypass. The documentation for ServerConfig.PublicKeyCallback says that "A call to this function does not guarantee that the key offered is...

CVSS 9.1 · AI score 7.2 · EPSS 0.03092 · Exploits: 2
OSV · added 2024/09/26 6:15 p.m. · 1 view

CVE-2024-47125

The goTenna Pro App does not authenticate public keys, which allows an unauthenticated attacker to manipulate messages. It is advised to update your app to the current release for enhanced encryption protocols...

CVSS 5.4 · AI score 5.8 · Exploits: 0 · References: 1
CVE · added 2024/09/26 5:24 p.m. · 47 views

CVE-2024-47125

CVE-2024-47125 affects goTenna Pro App (versions up to 1.6.1). The underlying issue is improper authentication of public keys, allowing an unauthenticated attacker to manipulate messages (attack vector: adjacent, low complexity, no user interaction). MITRE details in ICS/Red Hat/NVD entries corro...

CVSS 8.1 · AI score 6.7 · EPSS 0.0014 · Exploits: 0 · References: 1 · Affected Software: 1
Tenable Nessus · added 2024/09/03 12:0 a.m. · 16 views

EulerOS Virtualization 2.12.1 : openssh (EulerOS-SA-2024-2313)

According to the versions of the openssh packages installed, the EulerOS Virtualization installation on the remote host is affected by the following vulnerabilities: An issue was discovered in OpenSSH before 8.9. If a client is using public-key authentication with agent forwarding but without...

CVSS 3.7 · AI score 7 · EPSS 0.01677 · Exploits: 0 · References: 2
Tenable Nessus · added 2024/09/03 12:0 a.m. · 23 views

EulerOS Virtualization 2.12.0 : openssh (EulerOS-SA-2024-2333)

According to the versions of the openssh packages installed, the EulerOS Virtualization installation on the remote host is affected by the following vulnerabilities: An issue was discovered in OpenSSH before 8.9. If a client is using public-key authentication with agent forwarding but without...

CVSS 3.7 · AI score 7 · EPSS 0.01677 · Exploits: 0 · References: 2
Packet Storm · added 2024/09/01 12:0 a.m. · 1150 views

SSH Username Enumeration

This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework class MetasploitModule 'SSH Username Enumeration', 'Description' = %q This module uses a malformed packet or timing attack to enumerate users on an OpenSSH server. The...

CVSS 5.9 · AI score 7.3 · EPSS 0.98631 · Exploits: 41
OpenVAS · added 2024/08/21 12:0 a.m. · 16 views

Huawei EulerOS: Security Advisory for openssh (EulerOS-SA-2024-2222)

The remote host is missing an update for the Huawei EulerOS. SPDX-FileCopyrightText: 2024 Greenbone AG. Some text descriptions might be excerpted from referenced sources, and are Copyright (C) by the respective right holders. SPDX-License-Identifier: GPL-2.0-only ifdescription...

CVSS 3.7 · AI score 4.4 · EPSS 0.01677 · Exploits: 0 · References: 2
Tenable Nessus · added 2024/08/20 12:0 a.m. · 13 views

EulerOS 2.0 SP12 : openssh (EulerOS-SA-2024-2222)

According to the versions of the openssh packages installed, the EulerOS installation on the remote host is affected by the following vulnerabilities: An issue was discovered in OpenSSH before 8.9. If a client is using public-key authentication with agent forwarding but without -oLogLevel=verbos...

CVSS 3.7 · AI score 7 · EPSS 0.01677 · Exploits: 0 · References: 2