Lucene search
K

76 matches found

OSV
OSV
added 2024/05/08 4:15 p.m.9 views

AZL-40428 CVE-2024-24787 affecting package msft-golang for versions less than 1.22.3

On Darwin, building a Go module which contains CGO can trigger arbitrary code execution when using the Apple version of ld, due to usage of the -ltolibrary flag in a "cgo LDFLAGS" directive...

6.4CVSS7.6AI score0.0076EPSS
Exploits1References1
NVD
NVD
added 2024/05/08 4:15 p.m.23 views

CVE-2024-24787

On Darwin, building a Go module which contains CGO can trigger arbitrary code execution when using the Apple version of ld, due to usage of the -ltolibrary flag in a "cgo LDFLAGS" directive...

6.4CVSS6.8AI score0.0076EPSS
Exploits1References6
CVE
CVE
added 2024/05/08 3:31 p.m.348 views

CVE-2024-24787

CVE-2024-24787 affects Go builds on Darwin when CGO is used with ld and -lto_library in a cgo LDFLAGS, allowing arbitrary code execution by a malicious module during build. The IBM/Storage Protect advisories reference this CVE as a Go-related issue and indicate remediation through upgrading to a ...

6.4CVSS6.9AI score0.0076EPSS
Exploits1References6
AlpineLinux
AlpineLinux
added 2024/05/08 3:31 p.m.30 views

CVE-2024-24787

On Darwin, building a Go module which contains CGO can trigger arbitrary code execution when using the Apple version of ld, due to usage of the -ltolibrary flag in a "cgo LDFLAGS" directive...

6.4CVSS6.9AI score0.0076EPSS
Exploits1
Cvelist
Cvelist
added 2024/05/08 3:31 p.m.29 views

CVE-2024-24787 Arbitrary code execution during build on Darwin in cmd/go

On Darwin, building a Go module which contains CGO can trigger arbitrary code execution when using the Apple version of ld, due to usage of the -ltolibrary flag in a "cgo LDFLAGS" directive...

7.1AI score0.0076EPSS
Exploits1References6
Debian CVE
Debian CVE
added 2024/05/08 3:31 p.m.20 views

CVE-2024-24787

On Darwin, building a Go module which contains CGO can trigger arbitrary code execution when using the Apple version of ld, due to usage of the -ltolibrary flag in a "cgo LDFLAGS" directive...

6.4CVSS7.4AI score0.0076EPSS
Exploits1
IBM Security Bulletins
IBM Security Bulletins
added 2024/03/20 5:49 p.m.37 views

Security Bulletin: IBM Cloud Pak for Data Scheduling is vulnerable to denial of service due to OpenTelemetry go module ( CVE-2023-45142, CVE-2023-47108 )

Summary OpenTelemetry go module is used by IBM Cloud Pak for Data Scheduling as part of the scheduler binaries. CVE-2023-45142, CVE-2023-47108. Vulnerability Details CVEID:CVE-2023-45142 DESCRIPTION: OpenTelemetry OpenTelemetry-Go Contrib is vulnerable to a denial of service, caused by an unbound...

7.5CVSS7.5AI score0.01592EPSS
Exploits0Affected Software1
CVE
CVE
added 2024/03/09 12:45 a.m.400 views

CVE-2024-28122

CVE-2024-28122 (JWx) is a DoS vulnerability in the Go JOSE library (jwx) where an attacker with a trusted public key can craft a JWE with an exceptionally high compression ratio to exhaust resources. The issue affects the JWx modules and has been patched in versions 1.2.29 and 2.0.21. Public deta...

6.8CVSS6.3AI score0.0057EPSS
Exploits1References3Affected Software1
OSV
OSV
added 2024/03/06 10:52 a.m.31 views

BIT-GOLANG-2023-45285 Command 'go get' may unexpectedly fallback to insecure git in cmd/go

Using go get to fetch a module with the ".git" suffix may unexpectedly fallback to the insecure "git://" protocol if the module is unavailable via the secure "https://" and "git+ssh://" protocols, even if GOINSECURE is not set for said module. This only affects users who are not using the module...

7.5CVSS7.7AI score0.01137EPSS
Exploits0References6
RedHat Linux
RedHat Linux
added 2024/03/05 6:14 p.m.4 views

golang: cmd/go: Protocol Fallback when fetching modules

A flaw was found in the Golang package cmd/go. This issue permits the fallback to insecure "git://" if trying to fetch a .git module that has no "https://" or "git+ssh://" available...

7.5CVSS7.3AI score0.01137EPSS
Exploits0References5
Fedora
Fedora
added 2024/01/18 1:47 a.m.35 views

[SECURITY] Fedora 39 Update: golang-x-mod-0.14.0-1.fc39

This packages holds packages for writing tools that work directly with Go mod ule mechanics. That is, it is for direct manipulation of Go modules themselves...

7.5CVSS8.5AI score0.93305EPSS
Exploits4
OpenVAS
OpenVAS
added 2024/01/18 12:0 a.m.27 views

Fedora: Security Advisory for golang-x-mod (FEDORA-2024-ae653fb07b)

The remote host is missing an update for the SPDX-FileCopyrightText: 2024 Greenbone AG Some text descriptions might be excerpted from a referenced sources, and are Copyright C by the respective right holders. SPDX-License-Identifier: GPL-2.0-only ifdescription...

7.5CVSS7.6AI score0.93305EPSS
Exploits4References2
NVD
NVD
added 2024/01/09 8:15 p.m.41 views

CVE-2024-21664

jwx is a Go module implementing various JWx JWA/JWE/JWK/JWS/JWT, otherwise known as JOSE technologies. Calling jws.Parse with a JSON serialized payload where the signature field is present while protected is absent can lead to a nil pointer dereference. The vulnerability can be used to crash/DOS ...

7.5CVSS5.7AI score0.00864EPSS
Exploits1References4
Prion
Prion
added 2024/01/09 8:15 p.m.23 views

Null pointer dereference

jwx is a Go module implementing various JWx JWA/JWE/JWK/JWS/JWT, otherwise known as JOSE technologies. Calling jws.Parse with a JSON serialized payload where the signature field is present while protected is absent can lead to a nil pointer dereference. The vulnerability can be used to crash/DOS ...

5CVSS7.3AI score0.00864EPSS
Exploits1References4Affected Software1
CVE
CVE
added 2024/01/09 7:18 p.m.380 views

CVE-2024-21664

Technical details about CVE-2024-21664 are not publicly available in the provided connected documents. Monitor for updates; remediation in the initial description indicates patches in versions 2.0.19 and 1.2.28.

7.5CVSS7.2AI score0.00864EPSS
Exploits1References4Affected Software1
Vulnrichment
Vulnrichment
added 2024/01/09 7:18 p.m.4 views

CVE-2024-21664 Parsing JSON serialized payload without protected field can lead to segfault

jwx is a Go module implementing various JWx JWA/JWE/JWK/JWS/JWT, otherwise known as JOSE technologies. Calling jws.Parse with a JSON serialized payload where the signature field is present while protected is absent can lead to a nil pointer dereference. The vulnerability can be used to crash/DOS ...

4.3CVSS7AI score0.00864EPSS
Exploits1References4
OSV
OSV
added 2024/01/09 7:18 p.m.27 views

CVE-2024-21664 Parsing JSON serialized payload without protected field can lead to segfault

jwx is a Go module implementing various JWx JWA/JWE/JWK/JWS/JWT, otherwise known as JOSE technologies. Calling jws.Parse with a JSON serialized payload where the signature field is present while protected is absent can lead to a nil pointer dereference. The vulnerability can be used to crash/DOS ...

4.3CVSS6.5AI score0.00864EPSS
Exploits1References6
Prion
Prion
added 2023/12/05 12:15 a.m.17 views

Design/Logic Flaw

lestrrat-go/jwx is a Go module implementing various JWx JWA/JWE/JWK/JWS/JWT, otherwise known as JOSE technologies. A p2c parameter set too high in JWE's algorithm PBES2- could lead to a denial of service. The JWE key management algorithms based on PBKDF2 require a JOSE Header Parameter called p2c...

5CVSS7AI score0.00723EPSS
Exploits1References2Affected Software1
Positive Technologies
Positive Technologies
added 2023/07/27 12:0 a.m.10 views

PT-2023-5127 · Go +2 · Go +2

Name of the Vulnerable Software and Affected Versions: Go versions 1.21 and later Description: The go.mod toolchain directive can be leveraged to execute scripts and binaries relative to the root of the module when the "go" command was executed within the module. This applies to modules downloade...

10CVSS7.2AI score0.99999EPSS
Exploits21References188
The Hacker News
The Hacker News
added 2023/06/28 7:24 a.m.5 views

Critical SQL Injection Flaws Expose Gentoo Soko to Remote Code Execution

Multiple SQL injection vulnerabilities have been disclosed in Gentoo Soko that could lead to remote code execution RCE on vulnerable systems. "These SQL injections happened despite the use of an Object-Relational Mapping ORM library and prepared statements," SonarSource researcher Thomas...

9.8CVSS8.4AI score0.0115EPSS
Exploits0
Rows per page
Query Builder