GO-2024-3075 CVE-2024-7646 in github.com/kubernetes/ingress-nginx
CVE-2024-7646 in github.com/kubernetes/ingress-nginx. NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions. If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the...
Missing Cryptographic Equivocation
github.com/cosmos/gaia is vulnerable to Missing Cryptographic Equivocation. The vulnerability is caused due to an issue in the Interchain Security ICS module that could result in the slashing of a validator for an "old" equivocation...
SQL injection in github.com/stashapp/stash
Stash up to v0.25.1 was discovered to contain a SQL injection vulnerability via the sort parameter...
GO-2024-3059 CosmWasm wasmd has large address count in ValidateBasic in github.com/CosmWasm/wasmd
CosmWasm wasmd has large address count in ValidateBasic in github.com/CosmWasm/wasmd...
Authorization Bypass
github.com/openfga/openfga is vulnerable to Authorization Bypass. The vulnerability is due to improper handling of authorization logic with 'but not' and 'from' expressions and a userset, allowing an attacker to bypass authorization checks and gain unauthorized access to resources...
Security Bulletin: IBM Cloud Pak for Data is vulnerable to resource exhaustion attack due to github.com/Cloudflare/cfssl (CVE-2023-39533)
Summary github.com/Cloudflare/cfssl is used by IBM Cloud Pak for Data. CVE-2023-39533. Vulnerability Details CVEID:CVE-2023-39533 DESCRIPTION: libp2p go-libp2p is vulnerable to a denial of service, caused by a flaw during the signature verification. By sending a specially crafted request using...
Security Bulletin: IBM Cloud Pak for Data is vulnerable to denial of service due to github.com/docker/distribution (CVE-2023-2253)
Summary Go module github.com/docker/distribution is used by IBM Cloud Pak for Data. CVE-2023-2253. Vulnerability Details CVEID:CVE-2023-2253 DESCRIPTION: Distribution is vulnerable to a denial of service, caused by improper input validation by the /v2/catalog endpoint. By sending a specially...
Cross-site Scripting (XSS)
github.com/alexxit/go2rtc is vulnerable to DOM-based cross-site scripting XSS. The vulnerability is due to the lack of input sanitization when appending API data using innerHTML in the index page index.html, allowing an attacker to execute malicious scripts in the context of the go2rtc instance's...
GO-2024-3046 memos vulnerable to Server-Side Request Forgery in /api/resource in github.com/usememos/memos
memos vulnerable to Server-Side Request Forgery in /api/resource in github.com/usememos/memos...
GO-2024-3050 Meshery SQL Injection vulnerability in github.com/layer5io/meshery
Meshery SQL Injection vulnerability in github.com/layer5io/meshery. NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions. If this is causing false-positive reports from vulnerability scanners, please suggest a...
GO-2024-3025 Mattermost failed to disallow the modification of local users when syncing users in shared channels in github.com/mattermost/mattermost-server
Mattermost failed to disallow the modification of local users when syncing users in shared channels in github.com/mattermost/mattermost-server...
GO-2024-3026 casdoor's use of `ssh.InsecureIgnoreHostKey()` disables host key verification in github.com/casdoor/casdoor
casdoor's use of ssh.InsecureIgnoreHostKey disables host key verification in github.com/casdoor/casdoor...
GO-2024-3007 snapd failed to restrict writes to the $HOME/bin path in github.com/snapcore/snapd
snapd failed to restrict writes to the $HOME/bin path in github.com/snapcore/snapd. NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions. If this is causing false-positive reports from vulnerability scanners,...
GO-2024-3038 In regclient, pinned manifest digests may be ignored in github.com/regclient/regclient
In regclient, pinned manifest digests may be ignored in github.com/regclient/regclient...
GO-2024-3014 ZITADEL "ignoring unknown usernames" vulnerability in github.com/zitadel/zitadel
ZITADEL "ignoring unknown usernames" vulnerability in github.com/zitadel/zitadel. NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions. If this is causing false-positive reports from vulnerability scanners,...
GO-2024-3037 APM Server vulnerable to Insertion of Sensitive Information into Log File in github.com/elastic/apm-server
APM Server vulnerable to Insertion of Sensitive Information into Log File in github.com/elastic/apm-server. NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions. If this is causing false-positive reports from...
GO-2024-3042 Podman vulnerable to memory-based denial of service in github.com/containers/podman
Podman vulnerable to memory-based denial of service in github.com/containers/podman...
GO-2024-3008 snapd failed to properly check the file type when extracting a snap in github.com/snapcore/snapd
snapd failed to properly check the file type when extracting a snap in github.com/snapcore/snapd. NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions. If this is causing false-positive reports from...
TLS Certificate Verification Bypass
github.com/mickael-kerjean/filestash vulnerable to TLS certificate verification bypass. The vulnerability is due to insecure email verification code transmission, as TLS verification is being bypassed. Attackers can exploit this to intercept or tamper with email communications, potentially gainin...
GO-2024-3005 Moby authz zero length regression in github.com/moby/moby
Moby authz zero length regression in github.com/moby/moby...