
47 matches found

Cvelist
added 2024/09/04 8:15 p.m. | 14 views

CVE-2024-45395 Unbounded loop over untrusted input can lead to endless data attack

sigstore-go, a Go library for Sigstore signing and verification, is susceptible to a denial of service attack in versions prior to 0.6.1 when a verifier is provided a maliciously crafted Sigstore Bundle containing large amounts of verifiable data, in the form of signed transparency log entries, R...

CVSS 3.1 | EPSS 0.00219
Exploits: 0 | References: 5
CVE
added 2024/09/04 8:15 p.m. | 273 views

CVE-2024-45395

Sigstore-go versions before 0.6.1 are vulnerable to an Endless data attack when verifying Sigstore Bundles containing large amounts of verifiable data (signed transparency log entries, RFC 3161 timestamps, attestation subjects). The issue causes high CPU usage and can disrupt verification process...

CVSS 7.5 | AI score 5.3 | EPSS 0.00219
Exploits: 0 | References: 5 | Affected software: 1
OSV
added 2024/03/18 1:15 p.m. | 1 views

UBUNTU-CVE-2023-7250

A flaw was found in iperf, a utility for testing network performance using TCP, UDP, and SCTP. A malicious or malfunctioning client can send less than the expected amount of data to the iperf server, which can cause the server to hang indefinitely waiting for the remainder or until the connection...

CVSS 5.3 | AI score 7 | EPSS 0.00054
Exploits: 0 | References: 8
Github Security Blog
added 2023/11/08 3:02 p.m. | 27 views

Cosign vulnerable to possible endless data attack from attacker-controlled registry

Summary: Cosign is susceptible to a denial of service by an attacker-controlled registry. An attacker who controls a remote registry can return a high number of attestations and/or signatures to Cosign and cause Cosign to enter a long loop, resulting in an endless data attack. The root cause is tha...

CVSS 5.3 | AI score 7.4 | EPSS 0.0031
Exploits: 1 | References: 7 | Affected software: 2
OSV
added 2023/11/08 3:02 p.m. | 27 views

GHSA-VFP6-JRW2-99G9 Cosign vulnerable to possible endless data attack from attacker-controlled registry

Summary: Cosign is susceptible to a denial of service by an attacker-controlled registry. An attacker who controls a remote registry can return a high number of attestations and/or signatures to Cosign and cause Cosign to enter a long loop, resulting in an endless data attack. The root cause is tha...

CVSS 3.1 | AI score 4.8 | EPSS 0.0031
Exploits: 1 | References: 7
Cvelist
added 2023/11/07 5:30 p.m. | 10 views

CVE-2023-46737 Possible endless data attack from attacker-controlled registry in cosign

Cosign is a sigstore signing tool for OCI containers. Cosign is susceptible to a denial of service by an attacker-controlled registry. An attacker who controls a remote registry can return a high number of attestations and/or signatures to Cosign and cause Cosign to enter a long loop resulting in...

CVSS 3.1 | AI score 5.8 | EPSS 0.0031
Exploits: 1 | References: 2
CVE
added 2023/11/07 5:30 p.m. | 392 views

CVE-2023-46737

CVE-2023-46737 affects Cosign, a sigstore signing tool for OCI containers. The root cause is that Cosign loops through all attestations fetched from a remote registry in pkg/cosign.FetchAttestations, allowing an attacker-controlled registry to return a high number of attestations or signatures an...

CVSS 5.3 | AI score 4.9 | EPSS 0.0031
Exploits: 1 | References: 2 | Affected software: 1
OSV
added 2023/11/07 5:30 p.m. | 17 views

CVE-2023-46737 Possible endless data attack from attacker-controlled registry in cosign

Cosign is a sigstore signing tool for OCI containers. Cosign is susceptible to a denial of service by an attacker-controlled registry. An attacker who controls a remote registry can return a high number of attestations and/or signatures to Cosign and cause Cosign to enter a long loop resulting in...

CVSS 3.1 | AI score 5.2 | EPSS 0.0031
Exploits: 1 | References: 4
OSV
added 2023/09/05 9:15 p.m. | 1 views

DEBIAN-CVE-2023-39515

Cacti is an open source operational monitoring and fault management framework. Affected versions are subject to a Stored Cross-Site Scripting (XSS) vulnerability that allows an authenticated user to poison data stored in Cacti's database. These data will be viewed by administrative Cacti accounts an...

CVSS 4.8 | AI score 6.8 | EPSS 0.00294
Exploits: 1 | References: 1
NVD
added 2023/08/03 6:15 p.m. | 9 views

CVE-2023-39075

Renault Zoe EV 2021 automotive infotainment system versions 283C35202R to 283C35519R builds 11.10.2021 to 16.01.2023 allows attackers to crash the infotainment system by sending arbitrary USB data via a USB device...

CVSS 4.6 | AI score 4.8 | EPSS 0.00041
Exploits: 1 | References: 4
Snyk
added 2023/06/23 9:33 a.m. | 2 views

Denial of Service (DoS)

Overview: Affected versions of this package are vulnerable to Denial of Service (DoS). A malicious client can cause an error against the destination's size limit, which would incorrectly be attributed to the destination rather than the client. This could allow an attacker to send large amounts of da...

CVSS 7.5 | AI score 7 | EPSS 0.02982
Exploits: 0 | References: 2
Cvelist
added 2023/06/06 6:13 p.m. | 12 views

CVE-2023-33958 Default `maxSignatureAttempts` in `notation verify` enables an endless data attack in notation

notation is a CLI tool to sign and verify OCI artifacts and container images. An attacker who has compromised a registry and added a high number of signatures to an artifact can cause denial of service of services on the machine, if a user runs notation verify command on the same machine. The...

CVSS 5.4 | AI score 6.6 | EPSS 0.00106
Exploits: 0 | References: 2
Github Security Blog
added 2023/06/06 4:44 p.m. | 12 views

Notation's default `maxSignatureAttempts` in `notation verify` enables an endless data attack

Impact: An attacker who controls or compromises a registry can make the registry serve an infinite number of signatures for the artifact, causing a denial of service to the host machine running notation verify. Patches: The problem has been fixed in the release v1.0.0-rc.6. Users should upgrade the...

CVSS 6.5 | AI score 6.6 | EPSS 0.00106
Exploits: 0 | References: 4 | Affected software: 1
The Hacker News
added 2023/06/02 10:16 a.m. | 4 views

The Importance of Managing Your Data Security Posture

Data security is reinventing itself. As new data security posture management solutions come to market, organizations are increasingly recognizing the opportunity to provide evidence-based security that proves how their data is being protected. But what exactly is data security posture, and how do...

AI score 6.7
Exploits: 0
The Hacker News
added 2023/06/02 10:16 a.m. | 40 views

The Importance of Managing Your Data Security Posture

Data security is reinventing itself. As new data security posture management solutions come to market, organizations are increasingly recognizing the opportunity to provide evidence-based security that proves how their data is being protected. But what exactly is data security posture, and how do...

AI score 7
Exploits: 0
OSV
added 2022/12/22 8:15 p.m. | 3 views

CVE-2022-38472

An attacker could have abused XSLT error handling to associate attacker-controlled content with another origin which was displayed in the address bar. This could have been used to fool the user into submitting data intended for the spoofed origin. This vulnerability affects Thunderbird 102.2,...

CVSS 6.5 | AI score 8.2
Exploits: 0 | References: 6
CNNVD
added 2022/01/31 12:00 a.m. | 2 views

Bentley Systems MicroStation security vulnerability

Bentley MicroStation CONNECT is a CAD software platform for 2D and 3D design and drafting from Bentley Systems, U.S.A. An out-of-bounds write vulnerability exists in Bentley MicroStation CONNECT, which could be exploited by an attacker to trigger, via crafted data in a PN image, an out-of-bounds...

CVSS 7.8 | AI score 6.2 | EPSS 0.00621
Exploits: 0 | References: 5
Packet Storm
added 2021/03/23 12:00 a.m. | 241 views

Online Reviewer Management System 1.0 Cross Site Scripting

Exploit Title: Online Reviewer Management System Persistent Cross Site Scripting. Exploit Author: th3d1gger. Vendor Homepage: https://sourcecodester.com. Software Link: https://www.sourcecodester.com/sites/default/files/download/janobe/reviewer0.zip. Version: 1.0. Tested on: Windows 10. @attack request...

AI score 0.1
Exploits: 0
Cvelist
added 2021/02/27 4:15 a.m. | 16 views

CVE-2021-3151

i-doit before 1.16.0 is affected by Stored Cross-Site Scripting (XSS) issues that could allow remote authenticated attackers to inject arbitrary web script or HTML via CMONITORINGCONFIGTITLE, SM2CMONITORINGCONFIGTITLE, CMONITORINGCONFIGPATH, SM2CMONITORINGCONFIGPATH, CMONITORINGCONFIGADDRESS, or...

AI score 5.3 | EPSS 0.00195
Exploits: 3 | References: 3
Tenable Nessus
added 2018/10/29 12:00 a.m. | 20 views

openSUSE Security Update : hostapd (openSUSE-2018-1293)

hostapd was updated to fix the following security issue: - CVE-2018-14526: Ignore unauthenticated encrypted EAPOL-Key data (bsc1104205). The descriptive text and package checks in this plugin were extracted from openSUSE Security Update...

CVSS 6.5 | AI score 6.4 | EPSS 0.00964
Exploits: 0 | References: 2