162 matches found
CVE-2023-49568 Maliciously crafted Git server replies can cause DoS on go-git clients
A denial of service (DoS) vulnerability was discovered in go-git versions prior to v5.11. This vulnerability allows an attacker to perform denial of service attacks by providing specially crafted responses from a Git server that trigger resource exhaustion in go-git clients. Applications using on...
GHSA-449P-3H89-PW88 Maliciously crafted Git server replies can lead to path traversal and RCE on go-git clients
Impact A path traversal vulnerability was discovered in go-git versions prior to v5.11. This vulnerability allows an attacker to create and amend files across the filesystem. In the worst-case scenario, remote code execution could be achieved. Applications are only affected if they are using the...
Denial of Service (DoS)
github.com/go-git/go-git is vulnerable to Denial of Service (DoS). The vulnerability is due to improper bounds checks. This issue can be exploited by an attacker via a specially crafted response from a Git server, resulting in denial of service...
Maliciously crafted Git server replies can cause DoS on go-git clients
Impact A denial of service (DoS) vulnerability was discovered in go-git versions prior to v5.11. This vulnerability allows an attacker to perform denial of service attacks by providing specially crafted responses from a Git server that trigger resource exhaustion in go-git clients. Applications...
CVE-2023-43809 Soft Serve Public Key Authentication Bypass Vulnerability when Keyboard-Interactive SSH Authentication is Enabled
Soft Serve is a self-hostable Git server for the command line. Prior to version 0.6.2, a security vulnerability in Soft Serve could allow an unauthenticated, remote attacker to bypass public key authentication when keyboard-interactive SSH authentication is active, through the allow-keyless...
CVE-2023-43809
CVE-2023-43809 affects Soft Serve (Git server) prior to v0.6.2. The vulnerability stems from insufficient validation of the public-key step during the SSH handshake when keyboard-interactive authentication is enabled, allowing an unauthenticated, remote attacker to bypass public-key authenticatio...
CVE-2023-24828 Use of Cryptographically Weak Pseudo-Random Number Generator in Onedev
Onedev is a self-hosted Git Server with CI/CD and Kanban. In versions prior to 7.9.12, the algorithm used to generate access tokens and password reset keys was not cryptographically secure. Existing normal users (or everyone, if self-registration is allowed) may exploit this to elevate privilege to...
CVE-2023-24828
CVE-2023-24828 affects Onedev (self-hosted Git Server with CI/CD and Kanban). The vulnerability arises from using a cryptographically weak PRNG to generate access tokens and password reset keys in versions prior to 7.9.12, which could allow normal users (or all users if self-registration is enabl...
@adobe/git-server (>=0.9.17 <=1.0.0), @adobe/helix-cli (>=0.3.0-SNAPSHOT.293 <=5.7.6) +34 more potentially affected by CVE-2022-22984 via snyk-python-plugin (>=1.0.0 <=1.24.0)
snyk-python-plugin NPM version =1.0.0, =0.9.17, =0.3.0-SNAPSHOT.293, =2.6.0, =1.0.5-SNAPSHOT.105, =0.0.4, =8.0.36, =5.0.22, =3.10.42, =0.0.70, =0.5.8, =3.2.4, =0.0.2, =0.0.11, =1.0.1 - @ericblade/quagga2-redux-middleware =1.0.1 and more Source cves: CVE-2022-22984 Source advisory:...
@adobe/git-server (>=1.0.1 <=1.0.5), @adobe/helix-cli (>=5.7.7 <=6.1.0) +34 more potentially affected by CVE-2022-22984 via @snyk/snyk-cocoapods-plugin (>=1.0.2 <=2.5.2)
@snyk/snyk-cocoapods-plugin NPM version =1.0.2, =1.0.1, =5.7.7, =2.16.1, =0.0.4, =8.0.36, =5.0.22, =3.10.42, =0.5.8, =3.2.4, =0.0.2, =0.0.8, =0.2.0, =1.20.0-alpha.11736.3, =1.24.0-alpha.1 and more Source cves: CVE-2022-22984 Source advisory: OSV:GHSA-4X6G-3CMX-W76R...
@adobe/git-server (>=0.9.18 <=1.0.5), @adobe/helix-cli (>=0.3.0-SNAPSHOT.293 <=6.1.0) +37 more potentially affected by CVE-2022-40764 via snyk-go-plugin (>=1.10.0 <=1.17.0)
snyk-go-plugin NPM version =1.10.0, =0.9.18, =0.3.0-SNAPSHOT.293, =2.6.0, =1.0.5-SNAPSHOT.105, =0.0.4, =8.0.36, =5.0.22, =3.10.42, =0.0.70, =0.5.8, =3.2.4, =0.0.2, =0.0.7, =0.2.0, =0.2.8 and more Source cves: CVE-2022-40764 Source advisory: OSV:GHSA-HPQJ-7CJ6-HFJ8...
CVE-2022-39206
Onedev is an open source, self-hosted Git Server with CI/CD and Kanban. When using Docker-based job executors, the Docker socket (e.g. /var/run/docker.sock on Linux) is mounted into each Docker step. Users that can define and trigger CI/CD jobs on a project could use this to control the Docker daem...
CVE-2022-39208
Onedev is an open source, self-hosted Git Server with CI/CD and Kanban. All files in the /opt/onedev/sites/ directory are exposed and can be read by unauthenticated users. This directory contains all projects, including their bare git repos and build artifacts. This file disclosure vulnerability...
CVE-2022-39207
Onedev is an open source, self-hosted Git Server with CI/CD and Kanban. During CI/CD builds, it is possible to save build artifacts for later retrieval. They can be accessed through OneDev's web UI after the successful run of a build. These artifact files are served by the webserver in the same...