Lucene search
K

10 matches found

RedhatCVE
RedhatCVE
added 2026/01/27 9:15 p.m.8 views

CVE-2026-24117

A Server-Side Request Forgery SSRF flaw has been discovered in the Rekor transparency log tool. In versions 1.4.3 and below, attackers can trigger SSRF to arbitrary internal services because /api/v1/index/retrieve supports retrieving a public key via user-provided URL. Since the SSRF only can...

5.3CVSS5.7AI score0.00332EPSS
Exploits0References6
SUSE CVE
SUSE CVE
added 2026/01/24 12:24 a.m.7 views

SUSE CVE-2026-24117

Rekor is a software supply chain transparency log. In versions 1.4.3 and below, attackers can trigger SSRF to arbitrary internal services because /api/v1/index/retrieve supports retrieving a public key via user-provided URL. Since the SSRF only can trigger GET requests, the request cannot mutate...

5.3CVSS5.7AI score0.00332EPSS
Exploits0References4
Snyk
Snyk
added 2026/01/22 10:50 p.m.5 views

Server-side Request Forgery (SSRF)

Overview Affected versions of this package are vulnerable to Server-side Request Forgery SSRF via the /api/v1/index/retrieve endpoint. An attacker can scan internal network resources by sending GET requests to retrieve a public key. Since only GET requests are allowed for this endpoint, it is not...

6.9CVSS5.5AI score0.00332EPSS
Exploits0References2
OSV
OSV
added 2026/01/22 10:16 p.m.6 views

AZL-76446 CVE-2026-24117 affecting package cri-o 1.30.1-1

Rekor is a software supply chain transparency log. In versions 1.4.3 and below, attackers can trigger SSRF to arbitrary internal services because /api/v1/index/retrieve supports retrieving a public key via user-provided URL. Since the SSRF only can trigger GET requests, the request cannot mutate...

5.3CVSS5.8AI score0.00332EPSS
Exploits0References1
OSV
OSV
added 2026/01/22 10:16 p.m.8 views

AZL-76608 CVE-2026-24117 affecting package skopeo 1.14.4-8

Rekor is a software supply chain transparency log. In versions 1.4.3 and below, attackers can trigger SSRF to arbitrary internal services because /api/v1/index/retrieve supports retrieving a public key via user-provided URL. Since the SSRF only can trigger GET requests, the request cannot mutate...

5.3CVSS5.8AI score0.00332EPSS
Exploits0References1
NVD
NVD
added 2026/01/22 10:16 p.m.5 views

CVE-2026-24117

Rekor is a software supply chain transparency log. In versions 1.4.3 and below, attackers can trigger SSRF to arbitrary internal services because /api/v1/index/retrieve supports retrieving a public key via user-provided URL. Since the SSRF only can trigger GET requests, the request cannot mutate...

5.3CVSS0.00332EPSS
Exploits0References3
ATTACKERKB
ATTACKERKB
added 2026/01/22 10:5 p.m.5 views

CVE-2026-24117

Rekor is a software supply chain transparency log. In versions 1.4.3 and below, attackers can trigger SSRF to arbitrary internal services because /api/v1/index/retrieve supports retrieving a public key via user-provided URL. Since the SSRF only can trigger GET requests, the request cannot mutate...

5.3CVSS5.5AI score0.00332EPSS
Exploits0References4Affected Software1
Debian CVE
Debian CVE
added 2026/01/22 10:5 p.m.8 views

CVE-2026-24117

Rekor is a software supply chain transparency log. In versions 1.4.3 and below, attackers can trigger SSRF to arbitrary internal services because /api/v1/index/retrieve supports retrieving a public key via user-provided URL. Since the SSRF only can trigger GET requests, the request cannot mutate...

5.3CVSS8.4AI score0.00332EPSS
Exploits0
CNNVD
CNNVD
added 2026/01/22 12:0 a.m.8 views

Rekor code issue vulnerabilities

Rekor is an open-source software developed by sigstore. It provides an immutable, tamper-proof ledger for metadata generated within the software project supply chain. Versions of Rekor prior to 1.4.3 contained code vulnerabilities. These vulnerabilities stemmed from the /api/v1/index/retrieve...

5.3CVSS7.4AI score0.00332EPSS
Exploits0References4
RedHat Linux
RedHat Linux
added 2024/06/03 5:4 p.m.4 views

EAP: wildfly-elytron has a SSRF security issue

A flaw was found in JwtValidator.resolvePublicKey in JBoss EAP, where the validator checks jku and sends a HTTP request. During this process, no whitelisting or other filtering behavior is performed on the destination URL address, which may result in a server-side request forgery SSRF vulnerabili...

7.3CVSS5.8AI score0.00778EPSS
Exploits0References7
Rows per page
Query Builder