734 matches found

OSV
added 2024/11/19 5:20 p.m., 11 views

GO-2024-3269 Connecting to a malicious Codespaces via GH CLI could allow command execution on the user's computer in github.com/cli/cli

CVSS 9.6, AI score 8.5, EPSS 0.00861
Exploits 0, References 2

OSV
added 2024/11/19 5:20 p.m., 9 views

GO-2024-3278 Stored XSS in Kubeflow Pipeline View in github.com/kubeflow/pipelines

CVSS 7.1, AI score 8.8, EPSS 0.00207
Exploits 0, References 2

OSV
added 2024/11/19 5:20 p.m., 12 views

GO-2024-3273 CVE-2024-24426 in github.com/magma/magma

CVSS 7.5, AI score 7.7, EPSS 0.00489
Exploits 0, References 4

OSV
added 2024/11/19 5:20 p.m., 14 views

GO-2024-3272 CVE-2024-24425 in github.com/magma/magma

CVSS 6.5, AI score 6.7, EPSS 0.00446
Exploits 0, References 4

Veracode
added 2024/11/14 8:58 a.m., 17 views

Directory Traversal

github.com/ollama/ollama is vulnerable to Directory Traversal. The vulnerability is due to path traversal in the api/push route, allowing attackers to confirm which files exist on the server...

CVSS 7.5, AI score 6.8, EPSS 0.03938
Exploits 2, References 2, Affected Software 1

OSV
added 2024/11/12 1:55 p.m., 11 views

GO-2024-3250 Improper error handling in ParseWithClaims and bad documentation may cause dangerous situations in github.com/golang-jwt/jwt

CVSS 3.1, AI score 4.6, EPSS 0.00521
Exploits 0, References 2

OSV
added 2024/11/08 5:25 p.m., 11 views

GO-2024-3260 Devtron has SQL Injection in CreateUser API in github.com/devtron-labs/devtron

CVSS 8.8, AI score 8.6, EPSS 0.00748
Exploits 1, References 3

OSV
added 2024/11/01 9:56 p.m., 27 views

GO-2024-3246 Hashicorp Vault vulnerable to denial of service through memory exhaustion in github.com/hashicorp/vault

CVSS 7.5, AI score 7.2, EPSS 0.00479
Exploits 0, References 4

OSV
added 2024/11/01 9:55 p.m., 24 views

GO-2024-3245 Ollama Out-of-bounds Read in github.com/ollama/ollama

CVSS 8.2, AI score 8.2, EPSS 0.02479
Exploits 1, References 3

Github Security Blog
added 2024/10/31 8:37 p.m., 22 views

Gnark out-of-memory during deserialization with crafted inputs

Thanks @pventuzelo for reporting. From the correspondence: Hi, We Fuzzinglabs & Lambdaclass found that during deserialization of certain files representing a VerifyingKey, an excessive memory allocation is happening consuming a lot of resources and even triggering a crash with the error fatal...

CVSS 5.5, AI score 7.2, EPSS 0.00324
Exploits 1, References 5, Affected Software 1

OSV
added 2024/10/17 3:37 p.m., 35 views

GO-2024-3203 VM images built with Image Builder and Proxmox provider use default credentials in github.com/kubernetes-sigs/image-builder

CVSS 9.8, AI score 9.5, EPSS 0.02223
Exploits 0, References 4

OSV
added 2024/10/15 8:15 p.m., 17 views

CVE-2024-44337

The package github.com/gomarkdown/markdown is a Go library for parsing Markdown text and rendering as HTML. Prior to pseudoversion v0.0.0-20240729232818-a2a9c4f, which corresponds with commit a2a9c4f76ef5a5c32108e36f7c47f8d310322252, there was a logical problem in the paragraph function of the...

CVSS 5.1, AI score 6.3, EPSS 0.00497
Exploits 1, References 2

NVD
added 2024/10/15 8:15 p.m., 18 views

CVE-2024-44337

The package github.com/gomarkdown/markdown is a Go library for parsing Markdown text and rendering as HTML. Prior to pseudoversion v0.0.0-20240729232818-a2a9c4f, which corresponds with commit a2a9c4f76ef5a5c32108e36f7c47f8d310322252, there was a logical problem in the paragraph function of the...

CVSS 5.1, EPSS 0.00497
Exploits 1, References 2

OSV
added 2024/10/15 3:42 p.m., 14 views

GO-2024-3196 Extract has insufficient checks allowing attacker to create symlinks outside the extraction directory in github.com/codeclysm/extract

CVSS 7.5, AI score 7.7, EPSS 0.00534
Exploits 0, References 3

Cvelist
added 2024/10/15 12:00 a.m., 27 views

CVE-2024-44337

The package github.com/gomarkdown/markdown is a Go library for parsing Markdown text and rendering as HTML. Prior to pseudoversion v0.0.0-20240729232818-a2a9c4f, which corresponds with commit a2a9c4f76ef5a5c32108e36f7c47f8d310322252, there was a logical problem in the paragraph function of the...

EPSS 0.00497
Exploits 1, References 2

CVE
added 2024/10/15 12:00 a.m., 294 views

CVE-2024-44337

The CVE-2024-44337 entry affects the Go library github.com/gomarkdown/markdown. A logical flaw in the paragraph function of parser/block.go allowed a remote attacker to trigger an infinite loop, causing DoS by hangs and resource consumption. The issue existed prior to pseudoversion v0.0.0-2024072...

CVSS 5.1, AI score 6.8, EPSS 0.00497
Exploits 1, References 2

OSV
added 2024/10/09 8:29 p.m., 14 views

GO-2024-3163 Dozzle uses unsafe hash for passwords in github.com/amir20/dozzle

Dozzle uses unsafe hash for passwords in github.com/amir20/dozzle. NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions. If this is causing false-positive reports from vulnerability scanners, please suggest an...

CVSS 7.5, AI score 5.9, EPSS 0.00205
Exploits 0, References 3

OSV
added 2024/10/09 8:29 p.m., 8 views

GO-2024-3174 Vulnerable juju hook tool abstract UNIX domain socket in github.com/juju/juju

CVSS 6.5, AI score 6.5, EPSS 0.00185
Exploits 0, References 5

OSV
added 2024/10/09 8:29 p.m., 11 views

GO-2024-3161 Rancher agents can be hijacked by taking over the Rancher Server URL in github.com/rancher/rancher

Rancher agents can be hijacked by taking over the Rancher Server URL in github.com/rancher/rancher. NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions. If this is causing false-positive reports from...

CVSS 8, AI score 8, EPSS 0.00377
Exploits 0, References 3

OSV
added 2024/10/09 8:29 p.m., 16 views

GO-2024-3167 Golang FIPS OpenSSL has a Use of Uninitialized Variable vulnerability in github.com/golang-fips/openssl

A vulnerability was found in Golang FIPS OpenSSL. This flaw allows a malicious user to randomly cause an uninitialized buffer length variable with a zeroed buffer to be returned in FIPS mode. It may also be possible to force a false positive match between non-equal hashes when comparing a trusted...

CVSS 6.5, AI score 6.5, EPSS 0.00297
Exploits 0, References 3
