72 matches found
CVE-2026-49835
Sigstore Timestamp Authority is a service for issuing RFC 3161 timestamps. Prior to 2.1.0, the global wrapMetrics middleware records raw HTTP request path r.URL.Path and raw HTTP request method r.Method as Prometheus labels for latency and request count metric vectors before routing, allowing an...
CVE-2026-49835
CVE-2026-49835 affects Sigstore Timestamp Authority. The issue arises from the legacy wrapMetrics middleware, which records raw HTTP path and method as Prometheus labels for latency and request count, enabling an unauthenticated attacker to issue requests with arbitrary paths/methods and create u...
CVE-2026-49835 Sigstore Timestamp Authority: OOM due to unbounded metric label cardinality
Sigstore Timestamp Authority is a service for issuing RFC 3161 timestamps. Prior to 2.1.0, the global wrapMetrics middleware records raw HTTP request path r.URL.Path and raw HTTP request method r.Method as Prometheus labels for latency and request count metric vectors before routing, allowing an...
CVE-2026-49835 Sigstore Timestamp Authority: OOM due to unbounded metric label cardinality
Sigstore Timestamp Authority is a service for issuing RFC 3161 timestamps. Prior to 2.1.0, the global wrapMetrics middleware records raw HTTP request path r.URL.Path and raw HTTP request method r.Method as Prometheus labels for latency and request count metric vectors before routing, allowing an...
CVE-2026-49835
A flaw was found in Sigstore Timestamp Authority. An unauthenticated remote attacker can exploit this vulnerability by sending requests with arbitrary HTTP paths and methods. This leads to the creation of an excessive number of unique metric labels, causing unbounded memory growth and a denial of...
GO-2026-5851 Sigstore Timestamp Authority has OOM due to unbounded metric label cardinality in github.com/sigstore/timestamp-authority
Sigstore Timestamp Authority has OOM due to unbounded metric label cardinality in github.com/sigstore/timestamp-authority...
SUSE SLED15: docker / docker-bash-completion / docker-buildx / etc (SUSE-SU-2026:2692-1)
The remote SUSE Linux SLED15 / SLEDSAP15 / SLES15 / SLESSAP15 host has packages installed that are affected by multiple vulnerabilities as referenced in the SUSE-SU-2026:2692-1 advisory. This update for docker fixes the following issues - CVE-2026-33814: golang.org/x/net/http2: infinite loop in...
openSUSE 16: docker / docker-bash-completion / docker-buildx / etc (openSUSE-SU-2026:21060-1)
The remote openSUSE 16 host has packages installed that are affected by multiple vulnerabilities as referenced in the openSUSE-SU-2026:21060-1 advisory. This update for docker fixes the following issues - CVE-2026-33814: golang.org/x/net/http2: infinite loop in HTTP/2 transport when given bad...
Sigstore Timestamp Authority has OOM due to unbounded metric label cardinality
Impact An unauthenticated remote attacker can trigger unbounded memory growth on the timestamp authority server. This vulnerability exists because the global wrapMetrics middleware records the raw HTTP request path r.URL.Path and raw HTTP request method r.Method as Prometheus labels for latency a...
GO-2026-5763 Sigstore Timestamp Authority has Improper Certificate Validation in verifier in github.com/sigstore/timestamp-authority
Sigstore Timestamp Authority has Improper Certificate Validation in verifier in github.com/sigstore/timestamp-authority...
SUSE-SU-2026:22285-1 Security update for docker
This update for docker fixes the following issues - CVE-2026-33814: golang.org/x/net/http2: infinite loop in HTTP/2 transport when given bad SETTINGSMAXFRAMESIZE bsc1265782. - CVE-2026-39821: golang.org/x/net/idna: failure to reject ASCII-only Punycode-encoded labels allows for validation bypass...
OPENSUSE-SU-2026:20809-1 Security update for trivy
This update for trivy fixes the following issues - CVE-2025-64702: github.com/quic-go/quic-go/http3: quic-go HTTP/3 QPACK Header Expansion DoS bsc1255366. - CVE-2025-69725: github.com/go-chi/chi/v5: incorrect input validation in the RedirectSlashes function can lead to an open redirect bsc1258513...
JLSEC-2026-220 The X.509 GeneralName type is a generic type for representing different types of names. One of...
The X.509 GeneralName type is a generic type for representing different types of names. One of those name types is known as EDIPartyName. OpenSSL provides a function GENERALNAMEcmp which compares different instances of a GENERALNAME to see if they are equal or not. This function behaves incorrect...
SUSE CVE-2026-39984
Sigstore Timestamp Authority is a service for issuing RFC 3161 timestamps. Versions 2.0.5 and below contain an authorization bypass vulnerability in the VerifyTimestampResponse function. VerifyTimestampResponse correctly verifies the certificate chain signature, but the TSA-specific constraint...
CVE-2026-39984
A flaw was found in timestamp-authority, specifically in the timestamp-authority/v2/pkg/verification package. An attacker can exploit this issue by prepending a forged certificate to the certificate bag while the message is signed with an authorized key. This causes the library to validate the...
CVE-2026-39984
Sigstore Timestamp Authority is a service for issuing RFC 3161 timestamps. Versions 2.0.5 and below contain an authorization bypass vulnerability in the VerifyTimestampResponse function. VerifyTimestampResponse correctly verifies the certificate chain signature, but the TSA-specific constraint...
DEBIAN-CVE-2026-39984
Sigstore Timestamp Authority is a service for issuing RFC 3161 timestamps. Versions 2.0.5 and below contain an authorization bypass vulnerability in the VerifyTimestampResponse function. VerifyTimestampResponse correctly verifies the certificate chain signature, but the TSA-specific constraint...
UBUNTU-CVE-2026-39984
Sigstore Timestamp Authority is a service for issuing RFC 3161 timestamps. Versions 2.0.5 and below contain an authorization bypass vulnerability in the VerifyTimestampResponse function. VerifyTimestampResponse correctly verifies the certificate chain signature, but the TSA-specific constraint...
Sigstore Timestamp Authority 安全漏洞
Sigstore Timestamp Authority is an open-source RFC3161 timestamp authorization software developed by sigstore. Versions of Sigstore Timestamp Authority 2.0.5 and earlier contained security vulnerabilities. These vulnerabilities stemmed from issues with the VerifyTimestampResponse function, which...
CVE-2026-39984
Sigstore Timestamp Authority is a service for issuing RFC 3161 timestamps. Versions 2.0.5 and below contain an authorization bypass vulnerability in the VerifyTimestampResponse function. VerifyTimestampResponse correctly verifies the certificate chain signature, but the TSA-specific constraint...