GHSA-7MR4-XJXG-34G6 vulnerabilities
Vulnerabilities for packages: goreleaser, grafana-agent-operator, kserve-rest-proxy, kubernetes-csi-driver-hostpath, knative-client, newrelic-infrastructure-agent, mc, rclone, helm-mapkubeapis, hubble-ui, tailscale, vault-benchmark, golangci-lint, k8ssandra-client, kubescape, spqr, gitaly,...
Flux notification-controller GCR Receiver missing email validation allows unauthorized reconciliation triggering
Impact The gcr Receiver type in Flux notification-controller does not validate the email claim of Google OIDC tokens used for Pub/Sub push authentication. This allows any valid Google-issued token to authenticate against the Receiver webhook endpoint, triggering unauthorized Flux reconciliations...
GHSA-H9CX-XJG6-5V2W Flux notification-controller GCR Receiver missing email validation allows unauthorized reconciliation triggering
Impact The gcr Receiver type in Flux notification-controller does not validate the email claim of Google OIDC tokens used for Pub/Sub push authentication. This allows any valid Google-issued token to authenticate against the Receiver webhook endpoint, triggering unauthorized Flux reconciliations...
Improper Verification of Cryptographic Signature
Overview Affected versions of this package are vulnerable to Improper Verification of Cryptographic Signature in the authentication for Google OIDC tokens in the GCR Receiver webhook endpoint. An attacker can trigger unauthorized reconciliation of resources by presenting any valid Google-issued...
CVE-2026-40109 Flux notification-controller GCR Receiver missing email validation allows unauthorized reconciliation triggering
Flux notification-controller is the event forwarder and notification dispatcher for the GitOps Toolkit controllers. Prior to 1.8.3, the gcr Receiver type in Flux notification-controller does not validate the email claim of Google OIDC tokens used for Pub/Sub push authentication. This allows any...
CVE-2026-40109
Flux notification-controller is the event forwarder and notification dispatcher for the GitOps Toolkit controllers. Prior to 1.8.3, the gcr Receiver type in Flux notification-controller does not validate the email claim of Google OIDC tokens used for Pub/Sub push authentication. This allows any...
CVE-2026-40109
CVE-2026-40109 affects Flux notification-controller (GitOps Toolkit) prior to version 1.8.3. The vulnerability lies in the gcr Receiver type not validating the email claim of Google OIDC tokens used for Pub/Sub push authentication, allowing any valid Google-issued token to authenticate against th...
CVE-2025-65637 vulnerabilities
Vulnerabilities for packages: aws-flb-cloudwatch, docker-credential-gcr, aws-flb-firehose, gostatsd, kpt, neuvector-dbgen, kube-fluentd-operator, kubeflow, src-fingerprint, go-discover, hello-world-golang, smokescreen, sonobuoy, php-fpmexporter, aws-flb-kinesis, newrelic-nri-statsd,...
GHSA-4VQ8-7JFC-9CVP vulnerabilities
Vulnerabilities for packages: kyverno, amazon-ecs-agent-fips, neuvector-scanner-fips, portieris-fips, k3s, xeol-fips, lazydocker, amazon-cloudwatch-agent-operator-fips, falcoctl, tekton-pipelines-fips, telegraf, harbor-scanner-trivy, openbao-fips, falcoctl-fips, vault, opentelemetry-operator-fips...
GHSA-FGQ5-Q76C-GX78 vulnerabilities
Vulnerabilities for packages: kor, goreleaser, newrelic-infrastructure-agent, fq, govulncheck, configmap-reload, dockerize, shfmt, hubble-ui, litefs, tailscale, golangci-lint, rqlite, pulumi-kubernetes-operator, vite, mongo-tools, kubevela, argo-workflows, aws-flb-cloudwatch,...
GHSA-J6M3-GC37-6R6Q vulnerabilities
Vulnerabilities for packages: kor, goreleaser, newrelic-infrastructure-agent, fq, govulncheck, configmap-reload, dockerize, shfmt, hubble-ui, litefs, tailscale, golangci-lint, rqlite, pulumi-kubernetes-operator, vite, mongo-tools, kubevela, argo-workflows, aws-flb-cloudwatch,...
GHSA-XW73-RW38-6VJC vulnerabilities
Vulnerabilities for packages: pulumi, falcoctl, falcoctl-fips, k9s, loki, k8sgpt, cosign, skopeo, kots, slsa-verifier, helm-operator-fips, buildkitd, cert-manager-fips, helm-operator, scorecard, falco, istio-pilot-agent, rancher-machine, trivy, gitsign, up, flux-helm-controller, chartmuseum,...
CVE-2024-24557 vulnerabilities
Vulnerabilities for packages: pulumi, falcoctl, falcoctl-fips, k9s, loki, k8sgpt, cosign, skopeo, kots, slsa-verifier, helm-operator-fips, buildkitd, cert-manager-fips, helm-operator, scorecard, falco, istio-pilot-agent, rancher-machine, trivy, gitsign, up, flux-helm-controller, chartmuseum,...
Kubernetes Secrets of Fortune 500 Companies Exposed in Public Repositories
Cybersecurity researchers are warning of publicly exposed Kubernetes configuration secrets that could put organizations at risk of supply chain attacks. "These encoded Kubernetes configuration secrets were uploaded to public repositories," Aqua security researchers Yakir Kadkoda and Assaf Morag...
Google Warns How Hackers Could Abuse Calendar Service as a Covert C2 Channel
Google is warning of multiple threat actors sharing a public proof-of-concept (PoC) exploit that leverages its Calendar service to host command-and-control (C2) infrastructure. The tool, called Google Calendar RAT (GCR), employs Google Calendar Events for C2 using a Gmail account. It was first publishe...
new packages: gcr
An update is available for gcr. This update affects Rocky Linux 9. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE list. For detailed information on changes in this release, see the Rocky Enterprise...
PackageKit, accountsservice, adwaita, appstream, at, atk, baobab, bolt, brasero, cairo, cheese, clutter, compat, control, dconf, devhelp, ekiga, empathy, eog, evince, evolution, file, flatpak, folks, fontconfig, freetype, fribidi, fwupd, fwupdate, gcr, gdk, gdm, gedit, geoclue2, geocode, gjs, glade, glib, glib2, glibmm24, gnome, gnote, gobject, gom, google, grilo, gsettings, gspell, gssdp, gstreamer1, gtk, gtk3, gtksourceview3, gucharmap, gupnp, gvfs, harfbuzz, json, libappstream, libchamplain, libcroco, libgdata, libgee, libgepub, libgexiv2, libgnomekbd, libgovirt, libgtop2, libgweather, libgxps, libical, libmediaart, libosinfo, libpeas, librsvg2, libsecret, libsoup, libwayland, libwnck3, mozjs52, mutter, nautilus, openchange, osinfo, pango, poppler, python2, rest, rhythmbox, seahorse, shotwell, sushi, totem, upower, vala, valadoc, vino, vte, vte291, wayland, webkitgtk4, xdg, yelp, zenity security update
CentOS Errata and Security Advisory CESA-2018:3140 An update is now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is...
CA BrightStor ARCserve License Service GCR NETWORK Buffer Overflow
No description provided by source. $Id: licensegcr.rb 10892 2010-11-03 22:09:44Z mc $ This file is part of the Metasploit Framework and may be subject to redistribution and commercial restrictions. Please see the Metasploit Framework web site for more information on licensing and terms of use...
CA License Software GCR Buffer Overflow (CVE-2005-0581)
Computer Associates implements a license server/client mechanism in most of its products to provide control over product licenses. The CA License package is a license management tool that allows CA customers to register and manage their product licenses on a computer network. Normally a license...
Computer Associates License Service GCR buffer overflow
Added: 07/28/2006 CVE: CVE-2005-0581 BID: 12705 OSVDB: 14389 Background The License service comes with most Computer Associates products and exchanges license information over ports 10202/tcp and 10203/tcp. Problem A buffer overflow vulnerability in the processing of GCR messages allows remote...