76 matches found
AZL-40428 CVE-2024-24787 affecting package msft-golang for versions less than 1.22.3
On Darwin, building a Go module which contains CGO can trigger arbitrary code execution when using the Apple version of ld, due to usage of the -ltolibrary flag in a "cgo LDFLAGS" directive...
CVE-2024-24787
On Darwin, building a Go module which contains CGO can trigger arbitrary code execution when using the Apple version of ld, due to usage of the -ltolibrary flag in a "cgo LDFLAGS" directive...
CVE-2024-24787
CVE-2024-24787 affects Go builds on Darwin when CGO is used with ld and -lto_library in a cgo LDFLAGS, allowing arbitrary code execution by a malicious module during build. The IBM/Storage Protect advisories reference this CVE as a Go-related issue and indicate remediation through upgrading to a ...
CVE-2024-24787
On Darwin, building a Go module which contains CGO can trigger arbitrary code execution when using the Apple version of ld, due to usage of the -ltolibrary flag in a "cgo LDFLAGS" directive...
CVE-2024-24787 Arbitrary code execution during build on Darwin in cmd/go
On Darwin, building a Go module which contains CGO can trigger arbitrary code execution when using the Apple version of ld, due to usage of the -ltolibrary flag in a "cgo LDFLAGS" directive...
CVE-2024-24787
On Darwin, building a Go module which contains CGO can trigger arbitrary code execution when using the Apple version of ld, due to usage of the -ltolibrary flag in a "cgo LDFLAGS" directive...
Security Bulletin: IBM Cloud Pak for Data Scheduling is vulnerable to denial of service due to OpenTelemetry go module ( CVE-2023-45142, CVE-2023-47108 )
Summary OpenTelemetry go module is used by IBM Cloud Pak for Data Scheduling as part of the scheduler binaries. CVE-2023-45142, CVE-2023-47108. Vulnerability Details CVEID:CVE-2023-45142 DESCRIPTION: OpenTelemetry OpenTelemetry-Go Contrib is vulnerable to a denial of service, caused by an unbound...
CVE-2024-28122
CVE-2024-28122 (JWx) is a DoS vulnerability in the Go JOSE library (jwx) where an attacker with a trusted public key can craft a JWE with an exceptionally high compression ratio to exhaust resources. The issue affects the JWx modules and has been patched in versions 1.2.29 and 2.0.21. Public deta...
BIT-GOLANG-2023-45285 Command 'go get' may unexpectedly fallback to insecure git in cmd/go
Using go get to fetch a module with the ".git" suffix may unexpectedly fallback to the insecure "git://" protocol if the module is unavailable via the secure "https://" and "git+ssh://" protocols, even if GOINSECURE is not set for said module. This only affects users who are not using the module...
golang: cmd/go: Protocol Fallback when fetching modules
A flaw was found in the Golang package cmd/go. This issue permits the fallback to insecure "git://" if trying to fetch a .git module that has no "https://" or "git+ssh://" available...
[SECURITY] Fedora 39 Update: golang-x-mod-0.14.0-1.fc39
This packages holds packages for writing tools that work directly with Go mod ule mechanics. That is, it is for direct manipulation of Go modules themselves...
Fedora: Security Advisory for golang-x-mod (FEDORA-2024-ae653fb07b)
The remote host is missing an update for the SPDX-FileCopyrightText: 2024 Greenbone AG Some text descriptions might be excerpted from a referenced sources, and are Copyright C by the respective right holders. SPDX-License-Identifier: GPL-2.0-only ifdescription...
CVE-2024-21664
jwx is a Go module implementing various JWx JWA/JWE/JWK/JWS/JWT, otherwise known as JOSE technologies. Calling jws.Parse with a JSON serialized payload where the signature field is present while protected is absent can lead to a nil pointer dereference. The vulnerability can be used to crash/DOS ...
Null pointer dereference
jwx is a Go module implementing various JWx JWA/JWE/JWK/JWS/JWT, otherwise known as JOSE technologies. Calling jws.Parse with a JSON serialized payload where the signature field is present while protected is absent can lead to a nil pointer dereference. The vulnerability can be used to crash/DOS ...
CVE-2024-21664
Technical details about CVE-2024-21664 are not publicly available in the provided connected documents. Monitor for updates; remediation in the initial description indicates patches in versions 2.0.19 and 1.2.28.
CVE-2024-21664 Parsing JSON serialized payload without protected field can lead to segfault
jwx is a Go module implementing various JWx JWA/JWE/JWK/JWS/JWT, otherwise known as JOSE technologies. Calling jws.Parse with a JSON serialized payload where the signature field is present while protected is absent can lead to a nil pointer dereference. The vulnerability can be used to crash/DOS ...
CVE-2024-21664 Parsing JSON serialized payload without protected field can lead to segfault
jwx is a Go module implementing various JWx JWA/JWE/JWK/JWS/JWT, otherwise known as JOSE technologies. Calling jws.Parse with a JSON serialized payload where the signature field is present while protected is absent can lead to a nil pointer dereference. The vulnerability can be used to crash/DOS ...
Design/Logic Flaw
lestrrat-go/jwx is a Go module implementing various JWx JWA/JWE/JWK/JWS/JWT, otherwise known as JOSE technologies. A p2c parameter set too high in JWE's algorithm PBES2- could lead to a denial of service. The JWE key management algorithms based on PBKDF2 require a JOSE Header Parameter called p2c...
PT-2023-5127 · Go +2 · Go +2
Name of the Vulnerable Software and Affected Versions: Go versions 1.21 and later Description: The go.mod toolchain directive can be leveraged to execute scripts and binaries relative to the root of the module when the "go" command was executed within the module. This applies to modules downloade...
Critical SQL Injection Flaws Expose Gentoo Soko to Remote Code Execution
Multiple SQL injection vulnerabilities have been disclosed in Gentoo Soko that could lead to remote code execution RCE on vulnerable systems. "These SQL injections happened despite the use of an Object-Relational Mapping ORM library and prepared statements," SonarSource researcher Thomas...