Lucene search
K

14 matches found

Github Security Blog
Github Security Blog
added 2023/03/16 6:32 p.m.26 views

Go-huge-util vulnerable to path traversal when unzipping files

Impact ZipSlip issue when use fsutil package to unzip files. When users use zip.Unzip to unzip zip files from a malicious attacker, they may be vulnerable to path traversal. Patches It has been fixed in v0.0.34, Please upgrade version to v0.0.34 or above. Workarounds No, users have to upgrade...

8.8CVSS8.3AI score0.00614EPSS
Exploits0References5Affected Software1
Github Security Blog
Github Security Blog
added 2022/05/14 12:55 a.m.24 views

GitHub Git LFS Arbitrary command execution vulnerability

GitHub Git LFS before 2.1.1 allows remote attackers to execute arbitrary commands via an ssh URL with an initial dash character in the hostname, located on a url = line in a .lfsconfig file within a repository. Specific Go Packages Affected github.com/git-lfs/git-lfs/lfsapi...

8.8CVSS8.9AI score0.03677EPSS
Exploits1References11Affected Software1
Github Security Blog
Github Security Blog
added 2022/05/13 1:16 a.m.36 views

Docker Registry has Allocation of Resources Without Limits or Throttling

Docker Registry before 2.6.2 in Docker Distribution does not properly restrict the amount of content accepted from a user, which allows remote attackers to cause a denial of service memory consumption via the manifest endpoint. Specific Go Packages Affected...

7.5CVSS7AI score0.03192EPSS
Exploits0References9Affected Software1
OSV
OSV
added 2022/02/15 1:57 a.m.24 views

GHSA-Q2QR-3C2P-9235 Denial of Service (DoS) in HashiCorp Consul

HashiCorp Consul and Consul Enterprise could crash when configured with an abnormally-formed service-router entry. Introduced in 1.6.0, fixed in 1.6.6 and 1.7.4. Specific Go Packages Affected github.com/hashicorp/consul/agent/consul/discoverychain...

5.3CVSS7.4AI score0.01709EPSS
Exploits0References5
OSV
OSV
added 2022/02/15 1:57 a.m.31 views

GHSA-XJQR-G762-PXWP containernetworking/cni improper limitation of path name

An improper limitation of path name flaw was found in containernetworking/cni in versions before 0.8.1. When specifying the plugin to load in the 'type' field in the network configuration, it is possible to use special elements such as "../" separators to reference binaries elsewhere on the syste...

7.2CVSS7AI score0.01525EPSS
Exploits0References6
Github Security Blog
Github Security Blog
added 2022/02/15 1:57 a.m.25 views

Gitea Improper Input Validation

repo/setting.go in Gitea before 1.7.6 and 1.8.x before 1.8-RC3 does not validate the form.MirrorAddress before calling SaveAddress. Specific Go Packages Affected github.com/go-gitea/gitea/models...

7.5CVSS7.3AI score0.01349EPSS
Exploits0References6Affected Software1
Github Security Blog
Github Security Blog
added 2022/02/15 1:57 a.m.18 views

Pivotal Concourse Open Redirect in Login Flow

Pivotal Concourse Release, versions 4.x prior to 4.2.2, login flow allows redirects to untrusted websites. A remote unauthenticated attacker could convince a user to click on a link using the oAuth redirect link with an untrusted website and gain access to that user's access token in Concourse...

7.6CVSS5.8AI score0.01145EPSS
Exploits0References5Affected Software1
OSV
OSV
added 2022/02/15 1:57 a.m.24 views

GHSA-9689-RX4V-CQGC Pivotal Concourse Open Redirect in Login Flow

Pivotal Concourse Release, versions 4.x prior to 4.2.2, login flow allows redirects to untrusted websites. A remote unauthenticated attacker could convince a user to click on a link using the oAuth redirect link with an untrusted website and gain access to that user's access token in Concourse...

5.4CVSS5.8AI score0.01145EPSS
Exploits0References4
OSV
OSV
added 2022/02/15 1:57 a.m.28 views

GHSA-XX8C-M748-XR4J Access Restriction Bypass in kubernetes

The API server in Kubernetes does not properly check admission control, which allows remote authenticated users to access additional resources via a crafted patched object. Specific Go Packages Affected github.com/kubernetes/kubernetes/pkg/apiserver...

7.7CVSS7.1AI score0.01583EPSS
Exploits0References7
Github Security Blog
Github Security Blog
added 2021/06/23 6:14 p.m.69 views

Plugin archive directory traversal in Helm

The Helm core maintainers have identified an information disclosure vulnerability in Helm 3.0.0-3.2.3. Impact A traversal attack is possible when installing Helm plugins from a tar archive over HTTP. It is possible for a malicious plugin author to inject a relative path into a plugin archive, and...

8.5CVSS6.6AI score0.01458EPSS
Exploits0References7Affected Software1
Github Security Blog
Github Security Blog
added 2021/05/24 4:57 p.m.79 views

Improper Sanitizing of plugin names in helm

Impact Security researchers at Trail of Bits discovered that plugin names are not sanitized properly. As a result, a malicious plugin author could use characters in a plugin name that would result in unexpected behavior, such as duplicating the name of another plugin or spoofing the output to hel...

4CVSS5.1AI score0.00962EPSS
Exploits0References5Affected Software2
Github Security Blog
Github Security Blog
added 2021/05/18 6:32 p.m.65 views

Path Traversal in Buildah

A path traversal flaw was found in Buildah in versions before 1.14.5. This flaw allows an attacker to trick a user into building a malicious container image hosted on an HTTPs server and then write files to the user's system anywhere that the user has permissions. Specific Go Packages Affected...

9.3CVSS8.2AI score0.02603EPSS
Exploits1References7Affected Software1
OSV
OSV
added 2021/05/18 6:32 p.m.59 views

GHSA-FX8W-MJVM-HVPC Path Traversal in Buildah

A path traversal flaw was found in Buildah in versions before 1.14.5. This flaw allows an attacker to trick a user into building a malicious container image hosted on an HTTPs server and then write files to the user's system anywhere that the user has permissions. Specific Go Packages Affected...

8.8CVSS8.5AI score0.02603EPSS
Exploits1References7
Github Security Blog
Github Security Blog
added 2021/05/18 6:21 p.m.51 views

Allocation of Resources Without Limits or Throttling in Hashicorp Consul

HashiCorp Consul and Consul Enterprise include an HTTP API introduced in 1.2.0 and DNS introduced in 1.4.3 caching feature that was vulnerable to denial of service. Specific Go Packages Affected github.com/hashicorp/consul/agent/config Fix The vulnerability is fixed in versions 1.6.6 and 1.7.4...

7.5CVSS7.1AI score0.02851EPSS
Exploits0References6Affected Software1
Rows per page
Query Builder