623 matches found
USN-7977-1 git-lfs vulnerabilities
Ryota K discovered that Git LFS may leak login credentials in certain instances due to failing to check for URL-encoded characters. An attacker could possibly use this issue to learn sensitive information. CVE-2024-53263 It was discovered that Git LFS could have its git lfs checkout and git lfs...
Authorization Bypass Through User-Controlled Key
Overview Affected versions of this package are vulnerable to Authorization Bypass Through User-Controlled Key via improper validation of repository ownership in the delete process for Git LFS locks. An attacker can remove LFS locks from repositories they do not own by leveraging write access to a...
CVE-2026-20897
Gitea does not properly validate repository ownership when deleting Git LFS locks. A user with write access to one repository may be able to delete LFS locks belonging to other repositories...
CVE-2026-20897 Gitea Git LFS Lock Deletion Broken Access Control (Cross-Repo IDOR)
Gitea does not properly validate repository ownership when deleting Git LFS locks. A user with write access to one repository may be able to delete LFS locks belonging to other repositories...
MiracleLinux 8 : git-lfs-2.13.3-3.el8 (AXSA:2022-3920:02)
The remote MiracleLinux 8 host has a package installed that is affected by multiple vulnerabilities as referenced in the AXSA:2022-3920:02 advisory. golang.org/x/text: Panic in language.ParseAcceptLanguage while parsing -u- extension CVE-2020-28851 golang.org/x/text: Panic in...
MiracleLinux 8 : git-lfs-3.4.1-3.el8_10 (AXSA:2024-8855:06)
The remote MiracleLinux 8 host has a package installed that is affected by a vulnerability as referenced in the AXSA:2024-8855:06 advisory. encoding/gob: golang: Calling Decoder.Decode on a message which contains deeply nested structures can cause a panic due to stack exhaustion CVE-2024-34156...
MiracleLinux 8 : git-lfs-3.2.0-3.el8_9 (AXSA:2024-7734:01)
The remote MiracleLinux 8 host has a package installed that is affected by a vulnerability as referenced in the AXSA:2024-7734:01 advisory. golang: net/http, x/net/http2: unlimited number of CONTINUATION frames causes DoS CVE-2023-45288,VU421644.3 Tenable has extracted the preceding description...
MiracleLinux 9 : git-lfs-3.4.1-4.el9_4 (AXSA:2024-8856:07)
The remote MiracleLinux 9 host has a package installed that is affected by a vulnerability as referenced in the AXSA:2024-8856:07 advisory. encoding/gob: golang: Calling Decoder.Decode on a message which contains deeply nested structures can cause a panic due to stack exhaustion CVE-2024-34156...
MiracleLinux 8 : git-lfs-3.4.1-2.el8 (AXSA:2024-8248:04)
The remote MiracleLinux 8 host has a package installed that is affected by multiple vulnerabilities as referenced in the AXSA:2024-8248:04 advisory. golang: net/http, x/net/http2: unlimited number of CONTINUATION frames causes DoS CVE-2023-45288 golang: net/http/cookiejar: incorrect forwarding of...
MiracleLinux 9 : git-lfs-3.2.0-1.el9 (AXSA:2023-5844:01)
The remote MiracleLinux 9 host has a package installed that is affected by multiple vulnerabilities as referenced in the AXSA:2023-5844:01 advisory. golang: net/http: improper sanitization of Transfer-Encoding header CVE-2022-1705 golang: net/http/httputil: ReverseProxy should not forward...
MiracleLinux 8 : git-lfs-3.2.0-2.el8 (AXSA:2023-5956:02)
The remote MiracleLinux 8 host has a package installed that is affected by multiple vulnerabilities as referenced in the AXSA:2023-5956:02 advisory. golang: net/http/httputil: ReverseProxy should not forward unparseable query parameters CVE-2022-2880 golang: regexp/syntax: limit memory used by...
SUSE CVE-2026-22253
Soft Serve is a self-hostable Git server for the command line. Prior to version 0.11.2, an authorization bypass in the LFS lock deletion endpoint allows any authenticated user with repository write access to delete locks owned by other users by setting the force flag. The vulnerable code path...
RHSA-2026:0465 Red Hat Security Advisory: git-lfs security update
Bulletin has no description...
MiracleLinux 9 : git-lfs-3.4.1-4.el9_5 (AXSA:2025-9577:01)
The remote MiracleLinux 9 host has a package installed that is affected by a vulnerability as referenced in the AXSA:2025-9577:01 advisory. git-lfs: Git LFS permits exfiltration of credentials via crafted HTTP URLs CVE-2024-53263 Tenable has extracted the preceding description block directly from...
RHEL 8 : git-lfs (RHSA-2026:0459)
The remote Redhat Enterprise Linux 8 host has a package installed that is affected by a vulnerability as referenced in the RHSA-2026:0459 advisory. Git Large File Storage LFS replaces large files such as audio samples, videos, datasets, and graphics with text pointers inside Git, while storing th...
MiracleLinux 8 : git-lfs-3.4.1-4.el8_10 (AXSA:2025-9621:02)
The remote MiracleLinux 8 host has a package installed that is affected by a vulnerability as referenced in the AXSA:2025-9621:02 advisory. git-lfs: Git LFS permits exfiltration of credentials via crafted HTTP URLs CVE-2024-53263 Tenable has extracted the preceding description block directly from...
MiracleLinux 8 : git-lfs-3.4.1-5.el8_10 (AXSA:2025-10027:03)
The remote MiracleLinux 8 host has a package installed that is affected by a vulnerability as referenced in the AXSA:2025-10027:03 advisory. net/http: Request smuggling due to acceptance of invalid chunked data in net/http CVE-2025-22871 Tenable has extracted the preceding description block...
RHEL 8 : git-lfs (RHSA-2026:0460)
The remote Redhat Enterprise Linux 8 host has a package installed that is affected by a vulnerability as referenced in the RHSA-2026:0460 advisory. Git Large File Storage LFS replaces large files such as audio samples, videos, datasets, and graphics with text pointers inside Git, while storing th...
MiracleLinux 9 : git-lfs-3.6.1-1.el9 (AXSA:2025-10212:04)
The remote MiracleLinux 9 host has a package installed that is affected by multiple vulnerabilities as referenced in the AXSA:2025-10212:04 advisory. golang: crypto/tls: panic when processing post-handshake message on QUIC connections CVE-2023-39321 golang: crypto/tls: lack of a limit on buffered...
MiracleLinux 9 : git-lfs-3.6.1-2.el9_6 (AXSA:2025-10545:05)
The remote MiracleLinux 9 host has a package installed that is affected by a vulnerability as referenced in the AXSA:2025-10545:05 advisory. net/http: Request smuggling due to acceptance of invalid chunked data in net/http CVE-2025-22871 Tenable has extracted the preceding description block...