Source: OSV, added 2024/06/04 3:19 p.m.

GO-2024-2803 Navidrome Parameter Tampering vulnerability in github.com/navidrome/navidrome

CVSS 4.2, AI score 4.3, EPSS 0.00413
Exploits: 1, References: 2

Source: Github Security Blog, added 2024/05/24 8:19 p.m.

github.com/huandu/facebook may expose access_token in error message.

Summary: access_token can be exposed in the error message when an HTTP request fails. Details: Using this module, when an HTTP request fails, the error message can contain the access_token. This can happen when: - the module is sending an HTTP request with query parameter ?access_token=... - and the HTTP request fails errors...

CVSS 3.7, AI score 6.5, EPSS 0.00504
Exploits: 0, References: 7, Affected software: 1

Source: OSV, added 2024/05/20 7:46 p.m.

GO-2024-2694 Potential Reentrancy using Timeout Callbacks in ibc-hooks in github.com/cosmos/ibc-go

AI score 7.1
Exploits: 0, References: 6

Source: NVD, added 2024/05/15 10:15 p.m.

CVE-2024-35183

wolfictl is a command line tool for working with Wolfi. A git authentication issue in versions prior to 0.16.10 allows a local user's GitHub token to be sent to remote servers other than github.com. Most git-dependent functionality in wolfictl relies on its own git package, which contains...

CVSS 4.4, AI score 5, EPSS 0.00237
Exploits: 0, References: 6

Source: OSV, added 2024/05/15 9:24 p.m.

CVE-2024-35183 wolfictl leaks GitHub tokens to remote non-GitHub git servers

wolfictl is a command line tool for working with Wolfi. A git authentication issue in versions prior to 0.16.10 allows a local user's GitHub token to be sent to remote servers other than github.com. Most git-dependent functionality in wolfictl relies on its own git package, which contains...

CVSS 4.4, AI score 5.3, EPSS 0.00237
Exploits: 0, References: 8

Source: Veracode, added 2024/05/15 8:58 a.m.

Improper TLS Ciphers Configuration

github.com/nats-io/nats-server/ is vulnerable to Improper TLS Ciphers Configuration. The vulnerability is due to the loss of restricted ciphersuite settings when using CLI options to set a key/cert for TLS, enabling all ciphersuites supported by Go by default...

AI score 7, EPSS 0.00348
Exploits: 0

Source: Veracode, added 2024/05/15 6:41 a.m.

Command Injection

github.com/cea-hpc/sshproxy is vulnerable to Command Injection. The vulnerability is due to missing input sanitization when constructing the ssh command string, which allows an authorized user to inject options into the ssh command executed by sshproxy...

CVSS 3.5, AI score 7.2, EPSS 0.00416
Exploits: 0, References: 4, Affected software: 1

Source: OSV, added 2024/05/10 8:07 p.m.

GO-2024-2821 Denial of Service from untrusted requests in github.com/stacklok/minder

HandleGithubWebhook is susceptible to a denial of service attack from an untrusted HTTP request. An untrusted request can cause the server to allocate large amounts of memory, resulting in a denial of service...

CVSS 7.5, AI score 7.3, EPSS 0.00593
Exploits: 0, References: 6

Source: OSV, added 2024/05/08 11:23 p.m.

GO-2024-2819 Denial of Service in github.com/ethereum/go-ethereum

A vulnerable node can be made to consume very large amounts of memory when handling specially crafted p2p messages sent from an attacker node. This can result in a denial of service as the node runs out of memory...

CVSS 7.5, AI score 7.3, EPSS 0.00846
Exploits: 0, References: 1

Source: Veracode, added 2024/05/07 6:45 a.m.

Improper Access Control

github.com/piraeusdatastore/piraeus-operator is vulnerable to Improper Access Control. The vulnerability is due to the ClusterRole being granted excessive permissions, specifically the ability to list all secrets in the cluster, which allows an attacker to impersonate the service account bound to...

CVSS 7.5, AI score 6.5, EPSS 0.00599
Exploits: 0, References: 5, Affected software: 1

Source: Veracode, added 2024/04/30 7:37 a.m.

Denial of Service (DoS)

github.com/osrg/gobgp/ is vulnerable to Denial of Service (DoS). The vulnerability is due to improper memory management, which results in an application crash in the handlingError function in pkg/server/fsm.go...

CVSS 7.5, AI score 6.8, EPSS 0.00744
Exploits: 0, References: 1, Affected software: 1

Source: Veracode, added 2024/04/26 7:34 a.m.

Improper Cache Handling

github.com/coredns/coredns is vulnerable to Improper Cache Handling. The vulnerability is due to the CD bit disabling validation in the remote server, which could allow an attacker to retrieve sensitive information cached erroneously, leading to information disclosure or unauthorized access...

CVSS 5.3, AI score 6.5, EPSS 0.0076
Exploits: 0, References: 9, Affected software: 1

Source: Veracode, added 2024/04/23 7:14 a.m.

Improper Preservation of Permissions

github.com/authelia/authelia/ is vulnerable to Improper Preservation of Permissions. The vulnerability is due to a flaw in the implementation of user group management. This can lead to unexpected outcomes, such as changes to a user group not being taken into account by access control for longer tha...

AI score 6.9
Exploits: 0

Source: Veracode, added 2024/04/22 6:16 a.m.

Cross-Site Scripting

github.com/baidu/openrasp is vulnerable to Cross-Site Scripting. The vulnerability is due to improper handling of input and lack of output sanitization in the redirect parameter on the /login page. This allows an attacker to inject arbitrary JavaScript to be executed with the permissions of a user...

CVSS 6.1, AI score 6.6, EPSS 0.00403
Exploits: 0, References: 3, Affected software: 1

Source: Veracode, added 2024/04/15 9:02 a.m.

Denial of Service (DoS)

github.com/sigstore/cosign is vulnerable to a Denial of Service (DoS). The vulnerability is due to allocating excessive memory when creating slices based on the number of signatures, manifests, or attestations in untrusted artifacts. This flaw allows an attacker to trigger a Denial of Service via...

CVSS 7.5, AI score 4.2, EPSS 0.00851
Exploits: 1, References: 7, Affected software: 1

Source: Tenable Nessus, added 2024/03/26 12:00 a.m.

Oracle Linux 9 : grafana-pcp (ELSA-2024-1502)

The remote Oracle Linux 9 host has a package installed that is affected by a vulnerability as referenced in the ELSA-2024-1502 advisory. 5.1.1-2 - Rebuild with latest version of golang - resolves CVE-2024-1394. Tenable has extracted the preceding description block directly from the Oracle Linu...

CVSS 7.5, AI score 8.1, EPSS 0.01533
Exploits: 0, References: 2

Source: OSV, added 2024/03/22 6:44 p.m.

GO-2024-2654 Denial of service in github.com/argoproj/argo-cd/v2

The application may crash due to concurrent writes, leading to a denial of service. An attacker can crash the application continuously, making it impossible for legitimate users to access the service. Authentication is not required for the attack...

CVSS 7.5, AI score 6.1, EPSS 0.01176
Exploits: 1, References: 4

Source: Veracode, added 2024/03/19 3:19 a.m.

Arbitrary Code Execution

github.com/projectdiscovery/nuclei is vulnerable to Arbitrary Code Execution. The vulnerability is due to improper validation of signed workflows within the parseWorkflowTemplate function in workflows.go, which allows the execution of unsigned code templates through workflows...

CVSS 7.4, AI score 7.2, EPSS 0.00411
Exploits: 0, References: 5, Affected software: 1

Source: Veracode, added 2024/03/18 10:47 a.m.

Insecure Variable Substitution

github.com/go-vela/server is vulnerable to Insecure Variable Substitution. This vulnerability is due to the use of variable substitution combined with insensitive fields such as parameters, image, and entrypoint in Vela pipelines. The vulnerability allows an attacker to bypass log masking and...

AI score 7.2
Exploits: 0

Source: Veracode, added 2024/03/18 7:16 a.m.

Insecure Variable Substitution

github.com/go-vela/types is vulnerable to Insecure Variable Substitution. The vulnerability arises due to the unexpected behavior of variable substitution combined with insensitive fields like parameters, image, and entrypoint. This allows for bypassing log masking and exposing secrets without...

AI score 7.3
Exploits: 0