734 matches found

Source: CVE. Added 2021/05/07 8:50 p.m. (56 views)

CVE-2021-29499

CVE-2021-29499 affects SIF ( Singularity Container Image Format) where siftool new and siftool.New() generate predictable UUIDs due to insecure randomness in github.com/satori/go.uuid. A fix is available in the module version >= v1.2.3; upgrading the module is recommended. As a workaround, whe...

CVSS 7.5, AI score 7.5, EPSS 0.00958
Exploits: 1, References: 1, Affected Software: 1
Source: Debian CVE. Added 2021/05/07 8:50 p.m. (24 views)

CVE-2021-29499

SIF is an open source implementation of the Singularity Container Image Format. The siftool new command and func siftool.New produce predictable UUID identifiers due to insecure randomness in the version of the github.com/satori/go.uuid module used as a dependency. A patch is available in version...

CVSS 7.5, AI score 7.5, EPSS 0.00958
Exploits: 1
Source: Cvelist. Added 2021/05/07 8:50 p.m. (13 views)

CVE-2021-29499 Predictable SIF UUID Identifiers

SIF is an open source implementation of the Singularity Container Image Format. The siftool new command and func siftool.New produce predictable UUID identifiers due to insecure randomness in the version of the github.com/satori/go.uuid module used as a dependency. A patch is available in version...

CVSS 7.5, AI score 7.8, EPSS 0.00958
Exploits: 1, References: 1
Source: RedhatCVE. Added 2021/05/05 7:49 p.m. (41 views)

CVE-2021-3538

A flaw was found in github.com/satori/go.uuid. Due to insecure randomness in the g.rand.Read function the generated UUIDs are predictable for an attacker...

CVSS 9.8, AI score 2.5, EPSS 0.02307
Exploits: 0, References: 2
Source: Prion. Added 2021/04/30 4:15 p.m. (8 views)

Null pointer dereference

This affects all versions 0.7.0 of package github.com/russellhaering/gosaml2. There is a crash on nil-pointer dereference caused by sending malformed XML signatures...

CVSS 5, AI score 7.5, EPSS 0.01662
Exploits: 0, References: 3
Source: Cvelist. Added 2021/04/30 4:10 p.m. (20 views)

CVE-2020-7731 Denial of Service (DoS)

This affects all versions 0.7.0 of package github.com/russellhaering/gosaml2. There is a crash on nil-pointer dereference caused by sending malformed XML signatures...

CVSS 7.5, AI score 7.5, EPSS 0.01662
Exploits: 0, References: 3
Source: RedhatCVE. Added 2021/04/29 9:24 a.m. (36 views)

CVE-2021-29482

A flaw was found in github.com/ulikunitz/xz. The function readUvarint may not terminate a loop, which could lead to a denial of service (DoS)...

CVSS 7.5, AI score 2.3, EPSS 0.01438
Exploits: 0, References: 3
Source: NVD. Added 2021/04/26 10:15 a.m. (11 views)

CVE-2021-23365

The package github.com/tyktechnologies/tyk-identity-broker before 1.1.1 is vulnerable to Authentication Bypass via the Go XML parser, which can cause SAML authentication bypass. This is because the XML parser doesn't guarantee integrity in the XML round-trip encoding/decoding of XML data...

CVSS 9.1, EPSS 0.01011
Exploits: 0, References: 5
Source: Veracode. Added 2021/04/20 7:00 a.m. (16 views)

Denial Of Service (DoS)

github.com/turt2live/matrix-media-repo is vulnerable to denial of service. An attacker could upload a relatively small image in terms of file size, using particular image formats, which expands to have extremely large dimensions during the process of thumbnailing, causing the server to exhaust it...

CVSS 6.5, AI score 3, EPSS 0.01002
Exploits: 0, References: 3, Affected Software: 1
Source: OSV. Added 2021/04/14 8:04 p.m. (18 views)

GO-2021-0059 Panic due to improper input validation in Get in github.com/tidwall/gjson

Due to improper bounds checking, maliciously crafted JSON objects can cause an out-of-bounds panic. If parsing user input, this may be used as a denial of service vector...

CVSS 7.5, AI score 7.3, EPSS 0.01662
Exploits: 1, References: 2
Source: OSV. Added 2021/04/14 8:04 p.m. (39 views)

GO-2021-0070 Privilege escalation in github.com/opencontainers/runc

GetExecUser in the github.com/opencontainers/runc/libcontainer/user package will improperly interpret numeric UIDs as usernames. If the method is used without verifying that usernames are formatted as expected, it may allow a user to gain unexpected privileges...

CVSS 7.8, AI score 7.7, EPSS 0.00388
Exploits: 0, References: 6
Source: OSV. Added 2021/04/14 8:04 p.m. (22 views)

GO-2021-0051 Directory traversal on Windows in github.com/labstack/echo/v4

Due to improper sanitization of user input on Windows, the static file handler allows for directory traversal, allowing an attacker to read files outside of the target directory that the server has permission to read...

CVSS 5.3, AI score 5, EPSS 0.01335
Exploits: 1, References: 2
Source: OSV. Added 2021/04/14 8:04 p.m. (39 views)

GO-2020-0017 Authorization bypass in github.com/dgrijalva/jwt-go

If a JWT contains an audience claim with an array of strings, rather than a single string, and MapClaims.VerifyAudience is called with req set to false, then audience verification will be bypassed, allowing an invalid set of audiences to be provided...

CVSS 7.5, AI score 7.4, EPSS 0.02074
Exploits: 0, References: 2
Source: OSV. Added 2021/04/14 8:04 p.m. (21 views)

GO-2020-0003 Resource exhaustion in github.com/revel/revel

An attacker can cause an application that accepts slice parameters (https://revel.github.io/manual/parameters.html#slices) to allocate large amounts of memory and crash through manipulating the request query sent to the application...

CVSS 7.5, AI score 7.4, EPSS 0.01464
Exploits: 1, References: 3
Source: OSV. Added 2021/04/14 8:04 p.m. (25 views)

GO-2020-0001 Arbitrary log line injection in github.com/gin-gonic/gin

The default Formatter for the Logger middleware LoggerConfig.Formatter, which is included in the Default engine, allows attackers to inject arbitrary log entries by manipulating the request path...

CVSS 7.5, AI score 7.5, EPSS 0.01448
Exploits: 1, References: 2
Source: Veracode. Added 2021/04/05 5:48 a.m. (20 views)

Open Redirect

github.com/pomerium/pomerium is vulnerable to open redirect. When using programmatic login, it does not restrict a signed login URL to redirect a victim to the attacker’s site and eventually can cause a JWT leakage...

CVSS 6.1, AI score 2.4, EPSS 0.00658
Exploits: 0, References: 4, Affected Software: 1
Source: Prion. Added 2021/04/01 6:15 p.m. (26 views)

Design/Logic Flaw

A deadlock vulnerability was found in 'github.com/containers/storage' in versions before 1.28.1. When a container image is processed, each layer is unpacked using tar. If one of those layers is not a valid tar archive this causes an error leading to an unexpected situation where the code...

CVSS 7.1, AI score 6.3, EPSS 0.01587
Exploits: 1, References: 6, Affected Software: 4
Source: Cvelist. Added 2021/03/26 5:15 p.m. (14 views)

CVE-2021-21403 Authentication Bypass by Primary Weakness in github.com/kongchuanhujiao/server

In github.com/kongchuanhujiao/server before version 1.3.21 there is an Authentication Bypass by Primary Weakness vulnerability. All users are impacted. This is fixed in version 1.3.21...

CVSS 7.5, AI score 9.7, EPSS 0.01359
Exploits: 0, References: 2
Source: Veracode. Added 2021/03/25 1:44 a.m. (20 views)

Path Traversal

github.com/ipfs/go-ipfs is vulnerable to path traversal. The use of whyrusleeping/tar-utils, which fails to validate tarPath when a get is done on a malicious DAG file, allows overwriting of files or writing to incorrect destination folders during retrieval...

CVSS 8.1, AI score 3.8, EPSS 0.01699
Exploits: 0, References: 3, Affected Software: 3
Source: Veracode. Added 2021/03/16 1:23 a.m. (14 views)

Arbitrary File Delete

github.com/tyktechnologies/tyk is vulnerable to arbitrary file delete. The vulnerability exists in the handleAddOrUpdateApi function in api.go, where JSON files outside of the application can be deleted if the file path is specified in the request...

CVSS 5.3, AI score 1.5, EPSS 0.00525
Exploits: 1, References: 3, Affected Software: 1