OSV
added 2022/09/12 12:00 a.m., 16 views

GHSA-HVW3-P9PX-GPC9 Gophish before 0.12.0 vulnerable to Open Redirect

This affects the package github.com/gophish/gophish before 0.12.0. The Open Redirect vulnerability exists in the next query parameter. The application uses url.Parser.FormValue("next") to extract a path and eventually redirect the user to a relative URL, but if the next parameter starts with multiple...

CVSS 5.4, AI score 5.3, EPSS 0.00527
Exploits 1, References 6
Github Security Blog
added 2022/09/12 12:00 a.m., 22 views

Gophish before 0.12.0 vulnerable to Open Redirect

This affects the package github.com/gophish/gophish before 0.12.0. The Open Redirect vulnerability exists in the next query parameter. The application uses url.Parser.FormValue("next") to extract a path and eventually redirect the user to a relative URL, but if the next parameter starts with multiple...

CVSS 5.4, AI score 1, EPSS 0.00527
Exploits 1, References 6, Affected Software 1
Veracode
added 2022/09/08 9:54 a.m., 29 views

Path Traversal

github.com/golang/go is vulnerable to path traversal. The vulnerability exists because the JoinPath function of url.go does not properly remove the relative elements from the start of the path when the first path element is "", allowing an attacker to access files outside the expected directory...

CVSS 7.5, AI score 7.4, EPSS 0.01631
Exploits 0, References 12, Affected Software 6
Veracode
added 2022/09/08 8:27 a.m., 25 views

Denial Of Service (DoS)

github.com/fluxcd/helm-controller and github.com/fluxcd/flux2 are vulnerable to denial of service (DoS) attacks. A remote authenticated attacker is able to cause a system panic by supplying specific data inputs, resulting in denial of service conditions via high memory consumption...

CVSS 7.7, AI score 7, EPSS 0.00962
Exploits 0, References 9, Affected Software 2
Veracode
added 2022/09/07 8:33 a.m., 40 views

Denial Of Service (DoS)

github.com/golang/net is vulnerable to Denial of Service (DoS). The vulnerability exists in the goAway function in server.go because server errors are not properly handled, which allows an attacker to cause an application crash...

CVSS 7.5, AI score 7.6, EPSS 0.02513
Exploits 0, References 11, Affected Software 21
NVD
added 2022/09/02 1:15 p.m., 29 views

CVE-2022-36078

Binary provides encoding/decoding in Borsh and other formats. The vulnerability is a memory allocation vulnerability that can be exploited to allocate slices in memory with an arbitrary, excessive size value, which can either exhaust available memory or crash the whole program. When using...

CVSS 8.8, EPSS 0.00907
Exploits 1, References 3
OSV
added 2022/09/02 12:15 p.m., 28 views

CVE-2022-36078 Slice Memory Allocation with Excessive Size Value in binary

Binary provides encoding/decoding in Borsh and other formats. The vulnerability is a memory allocation vulnerability that can be exploited to allocate slices in memory with an arbitrary, excessive size value, which can either exhaust available memory or crash the whole program. When using...

CVSS 8.8, AI score 7.8, EPSS 0.00907
Exploits 1, References 5
Veracode
added 2022/08/31 6:23 a.m., 34 views

Denial Of Service (DoS)

github.com/helm/helm is vulnerable to denial of service. The vulnerability exists in the setIndex function in parser.go because no maximum index is enforced when setting an index, which allows an attacker to cause an application crash...

CVSS 6.5, AI score 6.5, EPSS 0.00843
Exploits 0, References 4, Affected Software 1
Veracode
added 2022/08/30 3:32 a.m., 18 views

Session Fixation

github.com/vmware-tanzu/pinniped is vulnerable to session fixation. The vulnerability exists due to an insufficient session expiration used in the validateAccessToken function of tokenexchange.go, allowing an attacker to use the access token to continue the session without refreshing the token wh...

CVSS 5.4, AI score 5.5, EPSS 0.00367
Exploits 0, References 3, Affected Software 1
OSV
added 2022/08/25 6:28 a.m., 17 views

GO-2022-0957 Denial of service via maliciously crafted JSON in github.com/tidwall/gjson

A maliciously crafted JSON input can cause a denial of service attack...

CVSS 7.5, AI score 7.2, EPSS 0.0182
Exploits 1, References 3
Fedora
added 2022/07/30 1:57 a.m., 23 views

[SECURITY] Fedora 36 Update: golang-github-goccy-yaml-1.9.5-3.fc36

Go package similar to github.com/go-yaml/yaml with some additional features...

AI score 2.3
Exploits 0
Cvelist
added 2022/07/29 10:00 a.m., 14 views

CVE-2022-24912 Timing Attack

The package github.com/runatlantis/atlantis/server/controllers/events before 0.19.7 is vulnerable to a Timing Attack in the webhook event validator code, which does not use a constant-time comparison function to validate the webhook secret. It can allow an attacker to recover this secret as an...

CVSS 7.5, AI score 7.6, EPSS 0.00928
Exploits 1, References 3
Veracode
added 2022/07/18 6:48 a.m., 29 views

Denial Of Service (DoS)

crypto/rand in github.com/golang/go is vulnerable to denial of service. The vulnerability exists when passing a buffer larger than 1<<32 - 1 bytes, which allows an attacker to cause an application crash...

CVSS 7.5, AI score 7.3, EPSS 0.01639
Exploits 1, References 8, Affected Software 2
Fedora
added 2022/07/17 1:15 a.m., 41 views

[SECURITY] Fedora 35 Update: golang-github-goccy-yaml-1.9.5-3.fc35

Go package similar to github.com/go-yaml/yaml with some additional features...

CVSS 9.3, AI score 2.3, EPSS 0.05994
Exploits 3
OSV
added 2022/07/15 11:10 p.m., 22 views

GO-2022-0300 Panic via malicious inputs in github.com/graph-gophers/graphql-go

Malicious inputs can cause a panic. A maliciously crafted input can cause a stack overflow and panic. Any user with access to the GraphQL can send such a query. This issue only occurs when using the graphql.MaxDepth schema option which is highly recommended in most cases...

CVSS 6.5, AI score 6.6, EPSS 0.01243
Exploits 0, References 1
OSV
added 2022/07/15 11:08 p.m., 17 views

GO-2022-0272 Directory traversal in github.com/kataras/iris and github.com/kataras/iris/v12

The Context.UploadFormFiles function is vulnerable to directory traversal attacks, and can be made to write to arbitrary locations outside the destination directory. This vulnerability only occurs when built with Go versions prior to 1.17. Go 1.17 and later strip directory paths from filenames...

CVSS 8.8, AI score 8.6, EPSS 0.01822
Exploits 1, References 3
OSV
added 2022/07/15 11:06 p.m., 19 views

GO-2022-0244 Insufficient randomness in UUIDs in github.com/satori/go.uuid

Random data used to create UUIDs can contain zeros, resulting in predictable UUIDs and possible collisions...

CVSS 9.8, AI score 9.3, EPSS 0.02307
Exploits 0, References 3
OSV
added 2022/07/15 8:15 p.m., 13 views

CVE-2022-25891

The package github.com/containrrr/shoutrrr/pkg/util before 0.6.0 is vulnerable to Denial of Service (DoS) via the util.PartitionMessage function. Exploiting this vulnerability is possible by sending messages of exactly 2000, 4000, or 6000 characters...

CVSS 7.5, AI score 7.5
Exploits 0, References 5
Cvelist
added 2022/07/15 8:01 p.m., 12 views

CVE-2022-25891 Denial of Service (DoS)

The package github.com/containrrr/shoutrrr/pkg/util before 0.6.0 is vulnerable to Denial of Service (DoS) via the util.PartitionMessage function. Exploiting this vulnerability is possible by sending messages of exactly 2000, 4000, or 6000 characters...

CVSS 7.5, AI score 7.7, EPSS 0.01246
Exploits 1, References 5
CVE
added 2022/07/15 8:01 p.m., 67 views

CVE-2022-25891

CVE-2022-25891 affects the Go package github.com/containrrr/shoutrrr/pkg/util in versions before 0.6.0. The DoS arises from PartitionMessage and is exploitable by sending messages of exactly 2000, 4000, or 6000 characters. Impact: availability (DoS) with network access; no confidentiality or integrity imp...

CVSS 7.5, AI score 7.4, EPSS 0.01246
Exploits 1, References 5, Affected Software 1