734 matches found

Cvelist
added 2024/02/17 5:00 a.m., 20 views

CVE-2024-21496

All versions of the package github.com/greenpau/caddy-security are vulnerable to Cross-site Scripting (XSS) via the Referer header, due to improper input sanitization. Although the Referer header is sanitized by escaping some characters that can allow XSS e.g., &, , ", ', it does not account for th...

CVSS 6.1, AI score 6, EPSS 0.00576
Exploits 1, References 3
OSV
added 2024/02/13 6:22 p.m., 12 views

GO-2024-2482 Information leak in github.com/goreleaser/goreleaser

Secret values can be printed to the --debug log when using a custom publisher...

CVSS 5.5, AI score 5.2, EPSS 0.0032
Exploits 1, References 2
Veracode
added 2024/02/09 5:22 a.m., 18 views

Cross Site Scripting (XSS)

github.com/rancher/norman is vulnerable to Cross Site Scripting (XSS). The vulnerability is due to a lack of URL validation within the ParseRequestURL method. An attacker can execute arbitrary JavaScript by sending a crafted payload to a public API endpoint, resulting in XSS...

CVSS 8.3, AI score 6.1, EPSS 0.00428
Exploits 0
Veracode
added 2024/02/06 8:32 a.m., 19 views

Arbitrary Code Execution

github.com/git-lfs/git-lfs is vulnerable to Arbitrary Code Execution. The vulnerability is due to Go preferring the current directory when the name of a command run does not contain a directory separator, in the case of Windows. This can result in arbitrary code execution if Git LFS operates on a...

CVSS 7.8, AI score 7.5, EPSS 0.82715
Exploits 14, References 4, Affected Software 1
RedhatCVE
added 2024/02/02 1:11 a.m., 69 views

CVE-2024-24557

A vulnerability was found in github.com/moby/moby. The classic builder cache system in moby is vulnerable to cache poisoning if the image is built using a 'FROM scratch' in Dockerfile. This flaw allows an attacker who has knowledge of the Dockerfile to create a malicious cache that would be pulle...

CVSS 6.9, AI score 6.4, EPSS 0.00258
Exploits 0, References 4
Veracode
added 2024/02/01 3:15 p.m., 12 views

Sensitive Information Disclosure

github.com/apache/servicecomb-service-center is vulnerable to Sensitive Information Disclosure. The vulnerability allows an attacker to query all environment variables, resulting in Information Disclosure...

CVSS 7.5, AI score 6.9, EPSS 0.00814
Exploits 0, References 3, Affected Software 1
Veracode
added 2024/02/01 9:38 a.m., 11 views

Path Traversal

github.com/anchore/stereoscope is vulnerable to Path Traversal. The vulnerability is due to the UntarToDirectory function lacking file path validation to ensure the contained files are within the restricted path, allowing an attacker to write files to arbitrary locations when stereoscope decompresse...

CVSS 9.8, AI score 6.7, EPSS 0.00393
Exploits 0, References 2, Affected Software 1
Veracode
added 2024/02/01 8:03 a.m., 29 views

Arbitrary File Deletion

github.com/moby/buildkit is vulnerable to Arbitrary File Deletion. The vulnerability is due to improper path sanitization when a dockerfile utilizes the RUN --mount feature. This feature is used to delete empty files which are created for mountpoints, but can be tricked into deleting arbitrary files...

CVSS 10, AI score 6.8, EPSS 0.02038
Exploits 0, References 5, Affected Software 5
Veracode
added 2024/01/31 6:32 a.m., 16 views

Improper Privilege Management

github.com/hashicorp/vault is vulnerable to Improper Privilege Management. The vulnerability is due to the RenewToken function within expiration.go which only refreshes group memberships when GroupAliases is not nil, along with non-empty EntityID and initialized identityStore. This logic could mi...

CVSS 9.1, AI score 6.7, EPSS 0.01116
Exploits 0, References 4, Affected Software 1
OSV
added 2024/01/30 4:25 p.m., 7 views

GO-2024-2451 IV collision in github.com/bincyber/go-sqlcrypter

There is a risk of an IV collision using the awskms or aesgcm provider. NIST SP 800-38D section 8.3 states that it is unsafe to encrypt more than 2^32 plaintexts under the same key when using a random IV. The limit could easily be reached given the use case of database column encryption...

AI score 6.7
Exploits 0, References 2
OSV
added 2024/01/23 6:01 p.m., 14 views

GO-2024-2454 Panic due to nil pointer dereference in github.com/lestrrat-go/jwx/v2

Panic due to nil pointer dereference in github.com/lestrrat-go/jwx/v2...

CVSS 7.5, AI score 7.4, EPSS 0.00864
Exploits 1, References 3
OSV
added 2024/01/17 7:19 p.m., 11 views

GO-2024-2469 Kyberslash timing attack possible in github.com/kudelskisecurity/crystals-go

Kyberslash timing attack possible in github.com/kudelskisecurity/crystals-go...

AI score 7.1
Exploits 0, References 4
Veracode
added 2024/01/12 6:05 a.m., 19 views

Cross Site Scripting (XSS)

github.com/gofiber/template is vulnerable to Cross Site Scripting (XSS). The vulnerability is due to improper validation and sanitization of user input via the template engine. This issue can be exploited by an attacker injecting malicious JavaScript via the template engine, resulting in XSS...

CVSS 9.3, AI score 6.3, EPSS 0.00484
Exploits 0, References 2, Affected Software 1
OSV
added 2024/01/02 6:32 p.m., 34 views

GO-2023-2385 Insufficient entropy in AES-256-CBC in github.com/pubnub/go

There is insufficient entropy in the implementation of the AES-256-CBC cryptographic algorithm. The provided encrypt functions are less secure when hex encoding and trimming are applied, leaving half of the bits in the key always the same for every encoded message or file. Users are encouraged to...

CVSS 5.9, AI score 5.6, EPSS 0.00955
Exploits 1, References 2
Github Security Blog
added 2023/12/13 1:34 p.m., 25 views

Improper Privilege Management in github.com/sap/cloud-security-client-go

Impact: SAP BTP Security Services Integration Library Golang github.com/sap/cloud-security-client-go allows under certain conditions an escalation of privileges. On successful exploitation, an unauthenticated attacker can obtain arbitrary permissions within the application. Patches: Upgrade to...

CVSS 9.8, AI score 7.4, EPSS 0.01127
Exploits 0, References 9, Affected Software 1
Veracode
added 2023/12/12 7:10 a.m., 33 views

Denial Of Service (DoS)

github.com/golang/go is vulnerable to Denial Of Service (DoS). The vulnerability exists because the readChunkLine function in chunked.go does not properly check the bytes from the request or response body. A malicious attacker can exploit this to cause a server to automatically read a large amount ...

CVSS 5.3, AI score 6.4, EPSS 0.01208
Exploits 0, References 9, Affected Software 2
NVD
added 2023/12/12 3:15 a.m., 16 views

CVE-2023-50424

SAP BTP Security Services Integration Library Golang github.com/sap/cloud-security-client-go - versions 0.17.0, allow under certain conditions an escalation of privileges. On successful exploitation, an unauthenticated attacker can obtain arbitrary permissions within the application...

CVSS 9.8, EPSS 0.01127
Exploits 0, References 6
Cvelist
added 2023/12/12 1:59 a.m., 16 views

CVE-2023-50424 Escalation of Privileges in SAP BTP Security Services Integration Library ([Golang] github.com/sap/cloud-security-client-go)

SAP BTP Security Services Integration Library Golang github.com/sap/cloud-security-client-go - versions 0.17.0, allow under certain conditions an escalation of privileges. On successful exploitation, an unauthenticated attacker can obtain arbitrary permissions within the application...

CVSS 9.1, AI score 9.8, EPSS 0.01127
Exploits 0, References 6
Veracode
added 2023/12/07 9:48 a.m., 10 views

Improper Access Control

github.com/canonical/lxd is vulnerable to Improper Access Control. The vulnerability allows a user with limited privileges to potentially gain root access on the system. The exploit requires specific configuration settings which enables the attacker to create a disk device with shift=true within...

AI score 7
Exploits 0
Cvelist
added 2023/11/28 4:31 p.m., 48 views

CVE-2023-45286 HTTP request body disclosure in github.com/go-resty/resty/v2

A race condition in go-resty can result in HTTP request body disclosure across requests. This condition can be triggered by calling sync.Pool.Put with the same bytes.Buffer more than once, when request retries are enabled and a retry occurs. The call to sync.Pool.Get will then return a bytes.Buff...

AI score 5.8, EPSS 0.00722
Exploits 1, References 5