CVE-2024-37905 Improper Access Control and Incorrect Authorization in github.com/goauthentik/authentik
authentik is an open-source Identity Provider that emphasizes flexibility and versatility. Authentik API-Access-Token mechanism can be exploited to gain admin user privileges. A successful exploit of the issue will result in a user gaining full admin access to the Authentik application, including...
GO-2024-2532 Boundary vulnerable to session hijacking through TLS certificate tampering in github.com/hashicorp/boundary
Boundary vulnerable to session hijacking through TLS certificate tampering in github.com/hashicorp/boundary...
GO-2024-2445 Withdrawn Advisory: SFTP is possible on the Proxy server for any user with SFTP access in github.com/gravitational/teleport
Withdrawn Advisory: SFTP is possible on the Proxy server for any user with SFTP access in github.com/gravitational/teleport. NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions. If this is causing...
GO-2024-2476 Dex discarding TLSconfig and always serves deprecated TLS 1.0/1.1 and insecure ciphers in github.com/dexidp/dex
Dex discarding TLSconfig and always serves deprecated TLS 1.0/1.1 and insecure ciphers in github.com/dexidp/dex. NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions. If this is causing false-positive reports...
GO-2024-2549 caddy-security plugin for Caddy vulnerable to reflected Cross-site Scripting in github.com/greenpau/caddy-security
caddy-security plugin for Caddy vulnerable to reflected Cross-site Scripting in github.com/greenpau/caddy-security...
GO-2024-2488 HashiCorp Vault Authentication bypass in github.com/hashicorp/vault
HashiCorp Vault Authentication bypass in github.com/hashicorp/vault...
GO-2024-2512 Classic builder cache poisoning in github.com/docker/docker
Classic builder cache poisoning in github.com/docker/docker...
GO-2024-2559 Cross-site Scripting in github.com/greenpau/caddy-security
Cross-site Scripting in github.com/greenpau/caddy-security...
GO-2024-2449 Withdrawn Advisory: User-provided environment values allow execution on macOS agents in github.com/gravitational/teleport
Withdrawn Advisory: User-provided environment values allow execution on macOS agents in github.com/gravitational/teleport. NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions. If this is causing false-positiv...
GO-2024-2560 Open Redirect in github.com/greenpau/caddy-security
Open Redirect in github.com/greenpau/caddy-security...
GO-2024-2934 Minder affected by denial of service from maliciously configured Git repository in github.com/stacklok/minder
Minder affected by denial of service from maliciously configured Git repository in github.com/stacklok/minder...
GO-2024-2938 LocalAI path traversal vulnerability in github.com/go-skynet/LocalAI
LocalAI path traversal vulnerability in github.com/go-skynet/LocalAI. NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions. If this is causing false-positive reports from vulnerability scanners, please suggest...
Command Injection
github.com/hashicorp/go-getter is vulnerable to Command Injection. The vulnerability is caused by improper handling of arguments in Git operations within getgit.go. This allows attackers to manipulate the Git configuration and execute arbitrary code...
GO-2024-2914 Moby (Docker Engine) is vulnerable to Ambiguous OCI manifest parsing in github.com/docker/docker
Moby Docker Engine is vulnerable to Ambiguous OCI manifest parsing in github.com/docker/docker...
GO-2024-2916 SQL Injection in Harbor scan log API in github.com/goharbor/harbor
SQL Injection in Harbor scan log API in github.com/goharbor/harbor...
GHSA-87M9-RV8P-RGMG go-grpc-compression has a zstd decompression bombing vulnerability
Impact: A malicious user could cause a denial of service (DoS) when using a specially crafted gRPC request. The decompression mechanism for zstd did not respect the limits imposed by gRPC, allowing rapid memory usage increases. Versions v1.1.4 through to v1.2.2 made use of the Decoder.DecodeAll...
GO-2024-2684 CA17 TeamsACS Cross Site Scripting vulnerability in github.com/ca17/teamsacs
CA17 TeamsACS Cross Site Scripting vulnerability in github.com/ca17/teamsacs...
GO-2024-2776 Apache Traffic Control Traffic Ops Vulnerable to LDAP Injection in github.com/apache/trafficcontrol
Apache Traffic Control Traffic Ops Vulnerable to LDAP Injection in github.com/apache/trafficcontrol...