15 matches found

Packet Storm News
added 3 days ago · 4 views

Poking around in the Dark: Why a Shared Understanding of Components Matters

By listing the components included in an application, Software Bills of Materials (SBOMs) are intended to support the timely identification of vulnerable components and ensure the security of the software supply chain. However, we question the underlying assumption that there is agreement on the...

AI score: 5.8
Exploits: 0
Github Security Blog
added 2026/05/08 8:06 p.m. · 7 views

@cyclonedx/cdxgen: Docker registry auth substring match forwards credentials to a different registry

Docker registry auth substring match forwards credentials to a different registry. Repository: cdxgen/cdxgen. Affected product/package: Ecosystem: npm; Package: @cyclonedx/cdxgen; Reviewed tree version: 12.3.3; Reviewed commit: b1e179869fd7c6032c3d483c3f7bd4d7154ec22b; Affected file:...

AI score: 5.8
Exploits: 0 · References: 2 · Affected Software: 1
OSV
added 2026/05/08 8:06 p.m. · 3 views

GHSA-QHH4-458H-XWH2 @cyclonedx/cdxgen: Docker registry auth substring match forwards credentials to a different registry

Docker registry auth substring match forwards credentials to a different registry. Repository: cdxgen/cdxgen. Affected product/package: Ecosystem: npm; Package: @cyclonedx/cdxgen; Reviewed tree version: 12.3.3; Reviewed commit: b1e179869fd7c6032c3d483c3f7bd4d7154ec22b; Affected file:...

CVSS: 6.9 · AI score: 5.8
Exploits: 0 · References: 2
Snyk
added 2026/05/04 9:00 p.m. · 4 views

Use of Incorrectly-Resolved Name or Reference

Overview: @cyclonedx/cdxgen creates a CycloneDX Software Bill of Materials (SBOM) from source or a container image. Affected versions of this package are vulnerable to Use of Incorrectly-Resolved Name or Reference in path resolution performed in docker.js, before credential selection. An attacker wh...

CVSS: 5.1 · AI score: 5.8
Exploits: 0 · References: 3
vulnersOsv
added 2025/11/25 2:20 p.m. · 2 views

@appium/base-driver (>=10.0.0 <=10.1.1), @breautek/storm (>=9.0.0 <=9.2.4) +77 more potentially affected by CVE-2025-13466 via body-parser (=2.2.0)

body-parser NPM version =2.2.0 is affected by a known vulnerability. The following packages have a transitive dependency on body-parser and may be impacted: - @appium/base-driver =10.0.0, =9.0.0, =3.8.8, =1.114.0, =11.8.0, =3.4.0, =11.0.19, =0.1.0, =8.13.0, =4.0.1, =1.0.0-beta.2, =0.0.1-beta.0,...

CVSS: 6.9 · AI score: 5.8 · EPSS: 0.00035
Exploits: 0
RedhatCVE
added 2025/05/23 6:16 a.m. · 0 views

CVE-2024-50611

CycloneDX cdxgen through 10.10.7, when run against an untrusted codebase, may execute code contained within build-related files such as build.gradle.kts, a similar issue to CVE-2022-24441. cdxgen is used by, for example, OWASP dep-scan. NOTE: this has been characterized as a design limitation,...

CVSS: 8.8 · AI score: 7.2 · EPSS: 0.02656
Exploits: 1 · References: 1
vulnersOsv
added 2024/10/28 12:30 a.m. · 2 views

@herodevs/cli (>=1.0.0-beta.2 <=2.0.0-beta.4), @socketsecurity/cli (>=0.10.0 <=0.11.1) +2 more potentially affected by CVE-2024-50611 via @cyclonedx/cdxgen (>=10.11.0 <=11.11.0)

@cyclonedx/cdxgen NPM version =10.11.0, =1.0.0-beta.2, =0.10.0, =0.1.0, =1.3.0, =1.6.1 Source cves: CVE-2024-50611 Source advisory: OSV:GHSA-HXF3-VGPM-FV9P...

CVSS: 7.2 · AI score: 5.8 · EPSS: 0.0013
Exploits: 0
Github Security Blog
added 2024/10/28 12:30 a.m. · 14 views

CycloneDX cdxgen may execute code contained within build-related files

CycloneDX cdxgen prior to 11.1.7, when run against an untrusted codebase, may execute code contained within build-related files such as build.gradle.kts, a similar issue to CVE-2022-24441. cdxgen is used by, for example, OWASP dep-scan. NOTE: this has been characterized as a design limitation,...

CVSS: 7.2 · AI score: 7.9 · EPSS: 0.0013
Exploits: 0 · References: 7 · Affected Software: 1
OSV
added 2024/10/28 12:30 a.m. · 9 views

GHSA-HXF3-VGPM-FV9P CycloneDX cdxgen may execute code contained within build-related files

CycloneDX cdxgen prior to 11.1.7, when run against an untrusted codebase, may execute code contained within build-related files such as build.gradle.kts, a similar issue to CVE-2022-24441. cdxgen is used by, for example, OWASP dep-scan. NOTE: this has been characterized as a design limitation,...

CVSS: 7.1 · AI score: 7.9 · EPSS: 0.0013
Exploits: 0 · References: 7
NVD
added 2024/10/27 10:15 p.m. · 13 views

CVE-2024-50611

CycloneDX cdxgen through 10.10.7, when run against an untrusted codebase, may execute code contained within build-related files such as build.gradle.kts, a similar issue to CVE-2022-24441. cdxgen is used by, for example, OWASP dep-scan. NOTE: this has been characterized as a design limitation,...

CVSS: 7.2 · EPSS: 0.0013
Exploits: 0 · References: 3
OSV
added 2024/10/27 10:15 p.m. · 4 views

CVE-2024-50611

CycloneDX cdxgen through 10.10.7, when run against an untrusted codebase, may execute code contained within build-related files such as build.gradle.kts, a similar issue to CVE-2022-24441. cdxgen is used by, for example, OWASP dep-scan. NOTE: this has been characterized as a design limitation,...

CVSS: 7.2 · AI score: 8.9
Exploits: 0 · References: 3
Cvelist
added 2024/10/27 12:00 a.m. · 19 views

CVE-2024-50611

CycloneDX cdxgen through 10.10.7, when run against an untrusted codebase, may execute code contained within build-related files such as build.gradle.kts, a similar issue to CVE-2022-24441. cdxgen is used by, for example, OWASP dep-scan. NOTE: this has been characterized as a design limitation,...

EPSS: 0.0013
Exploits: 0 · References: 3
CVE
added 2024/10/27 12:00 a.m. · 38 views

CVE-2024-50611

CycloneDX cdxgen up to version 10.10.7 may execute code contained in build-related files (e.g., build.gradle.kts) when run against untrusted codebases. This is described as a design limitation rather than an implementation bug, with a similar issue to CVE-2022-24441. Affected software: CycloneDX ...

CVSS: 7.2 · AI score: 6.9 · EPSS: 0.0013
Exploits: 0 · References: 3
Vulnrichment
added 2024/10/27 12:00 a.m. · 15 views

CVE-2024-50611

CycloneDX cdxgen through 10.10.7, when run against an untrusted codebase, may execute code contained within build-related files such as build.gradle.kts, a similar issue to CVE-2022-24441. cdxgen is used by, for example, OWASP dep-scan. NOTE: this has been characterized as a design limitation,...

AI score: 7.2 · EPSS: 0.0013
Exploits: 0 · References: 3
Positive Technologies
added 2024/10/27 12:00 a.m. · 2 views

PT-2024-34357 · Node.Js +3

Name of the Vulnerable Software and Affected Versions: CycloneDX cdxgen versions prior to 11.1.7 Description: The issue allows execution of code contained within build-related files, such as build.gradle.kts, when run against an untrusted codebase. This is similar to a previously identified issue...

CVSS: 7.2 · AI score: 7.5 · EPSS: 0.0013
Exploits: 0 · References: 11