25 matches found
GHSA-WFQX-GJRF-G28R Crossplane: Signature verification TOCTOU allows installing unverified package content via mutable tag
Summary Crossplane allows package signature verification to be configured via the ImageConfig mechanism. When enabled, the package manager uses cosign to verify that packages are correctly signed before pulling and installing them. When a package is installed using a tag reference e.g., a semanti...
GHSA-JJRM-HR5F-673X Source controller: Improper path handling allows traversal
Impact An actor with the ability to influence the contents of a bucket referenced by a Bucket resource can cause source-controller to write fetched object data to paths outside the per-reconciliation working directory. The corruption surface is bounded by source-controller's own and downstream Fl...
Source controller: Improper path handling allows traversal
Impact An actor with the ability to influence the contents of a bucket referenced by a Bucket resource can cause source-controller to write fetched object data to paths outside the per-reconciliation working directory. The corruption surface is bounded by source-controller's own and downstream Fl...
CVE-2026-26275
httpsig-hyper is a hyper extension for http message signatures. An issue was discovered in httpsig-hyper prior to version 0.0.23 where Digest header verification could incorrectly succeed due to misuse of Rust's matches! macro. Specifically, the comparison if matches!digest, expecteddigest treate...
CVE-2026-26275
httpsig-hyper is a hyper extension for http message signatures. An issue was discovered in httpsig-hyper prior to version 0.0.23 where Digest header verification could incorrectly succeed due to misuse of Rust's matches! macro. Specifically, the comparison if matches!digest, expecteddigest treate...
CVE-2026-26275 httpsig-hyper has Improper Digest Verification that May Allow Message Integrity Bypass
httpsig-hyper is a hyper extension for http message signatures. An issue was discovered in httpsig-hyper prior to version 0.0.23 where Digest header verification could incorrectly succeed due to misuse of Rust's matches! macro. Specifically, the comparison if matches!digest, expecteddigest treate...
CVE-2026-26275 httpsig-hyper has Improper Digest Verification that May Allow Message Integrity Bypass
httpsig-hyper is a hyper extension for http message signatures. An issue was discovered in httpsig-hyper prior to version 0.0.23 where Digest header verification could incorrectly succeed due to misuse of Rust's matches! macro. Specifically, the comparison if matches!digest, expecteddigest treate...
CVE-2026-26275 httpsig-hyper has Improper Digest Verification that May Allow Message Integrity Bypass
httpsig-hyper is a hyper extension for http message signatures. An issue was discovered in httpsig-hyper prior to version 0.0.23 where Digest header verification could incorrectly succeed due to misuse of Rust's matches! macro. Specifically, the comparison if matches!digest, expecteddigest treate...
CVE-2026-26275
The CVE affects httpsig-hyper up to version 0.0.22, where Digest header verification could incorrectly succeed due to a misuse of Rust’s matches! macro, causing digest checks to pass even when the computed digest did not match the expected value. This could allow message body modifications to go ...
GHSA-7V42-G35V-XRCH Improper Digest Verification in httpsig-hyper May Allow Message Integrity Bypass
Impact An issue was discovered in httpsig-hyper where Digest header verification could incorrectly succeed due to misuse of Rust's matches! macro. Specifically, the comparison: rust if matches!digest, expecteddigest treated expecteddigest as a pattern binding rather than a value comparison,...
PT-2026-20344
Name of the Vulnerable Software and Affected Versions httpsig-hyper versions prior to 0.0.23 Description The httpsig-hyper library contains an issue where Digest header verification could incorrectly succeed due to an incorrect use of Rust’s matches! macro. The comparison if matches!digest,...
EUVD-2026-1868
Cosign verification accepts any valid Rekor entry under certain conditions...
CVE-2026-22703
Cosign provides code signing and transparency for containers and binaries. Prior to versions 2.6.2 and 3.0.4, Cosign bundle can be crafted to successfully verify an artifact even if the embedded Rekor entry does not reference the artifact's digest, signature or public key. When verifying a Rekor...
EUVD-2021-24326
Malware in sbrugna...
Astra Linux – Vulnerability in Linux 6.12
In the Linux kernel, the following vulnerability has been resolved: x86/microcode/AMD: Fixed the return value of applymicrocodeamd. When verifysha256digest fails, applymicrocodeamd should propagate the failure by returning false rather than -1, which is promoted to true...
CVE-2021-37847
crypto/digest.c in Pengutronix barebox through 2021.07.0 leaks timing information because memcmp is used during digest verification...
kernel: nvme-tcp: fix potential memory corruption in nvme_tcp_recv_pdu()
An unchecked buffer bounds flaw was found in the Linux kernel's NVMe TCP Fabrics driver. An attacker with the ability to send a crafted packet to an affected NVMe host could exploit this flaw to alter kernel memory, leading to an escalation of privileges or a compromise of system integrity or...
UBUNTU-CVE-2025-22047
In the Linux kernel, the following vulnerability has been resolved: x86/microcode/AMD: Fix applymicrocodeamd's return value When verifysha256digest fails, applymicrocodeamd should propagate the failure by returning false and not -1 which is promoted to true...
PT-2024-39992 · Regclient · Regclient
Name of the Vulnerable Software and Affected Versions: regclient versions prior to 0.7.1 Description: A malicious registry could return a different digest for a pinned manifest without detection. This issue affects the regclient, a Docker and OCI Registry Client in Go. Recommendations: For versio...
SUSE-SU-2024:2383-1 Security update for skopeo
This update for skopeo fixes the following issues: - CVE-2024-3727: Added missing image digest verification bsc1224123...