GHSA-87M9-RV8P-RGMG go-grpc-compression has a zstd decompression bombing vulnerability
Impact A malicious user could cause a denial of service (DoS) when using a specially crafted gRPC request. The decompression mechanism for zstd did not respect the limits imposed by gRPC, allowing rapid memory usage increases. Versions v1.1.4 through to v1.2.2 made use of the Decoder.DecodeAll...
GHSA-VWCH-G97W-HFG2 CubeFS leaks users key in logs
CubeFS was found to leak users' secret keys and access keys in the logs in multiple components. When CubeFS creates new users, it leaks the user's secret key. This could allow a lower-privileged user with access to the logs to retrieve sensitive information and impersonate other users with higher...
CubeFS leaks magic secret key when starting Blobstore access service
A vulnerability was found in CubeFS that could allow users to read sensitive data from the logs, which could allow them to escalate privileges. CubeFS leaks configuration keys in plaintext format in the logs. These keys could allow anyone to carry out operations on blobs that they otherwise do not ha...
GHSA-4248-P65P-HCRM Insecure random string generator used for sensitive data
CubeFS used an insecure random string generator to generate user-specific, sensitive keys used to authenticate users in a CubeFS deployment. This could allow an attacker to predict and/or guess the generated string and impersonate a user thereby obtaining higher privileges. When CubeFS creates ne...
GHSA-8579-7P32-F398 CubeFS timing attack can leak user passwords
A vulnerability was found in the CubeFS master component that could allow an untrusted attacker to steal user passwords by carrying out a timing attack. The root cause of the vulnerability was that CubeFS used raw string comparison of passwords. The vulnerable part of CubeFS was the...
GHSA-QC6V-G3XW-GRMX Authenticated users can crash the CubeFS servers with maliciously crafted requests
A security vulnerability was found in CubeFS HandlerNode that could allow authenticated users to send maliciously-crafted requests that would crash the ObjectNode and deny other users from using it. The root cause was improper handling of incoming HTTP requests that could allow an attacker to...
GHSA-99JV-8292-2HPM eventing-gitlab vulnerable to denial of service, caused by improper enforcement of the timeout on individual read operations
Impact The eventing-gitlab cluster-local server doesn't set ReadHeaderTimeout, which could lead to a DDoS attack, where a large group of users send requests to the server causing the server to hang for long enough to deny it from being available to other users, also known as a Slowloris...
GHSA-V7HC-87JC-QRRR eventing-github vulnerable to denial of service caused by improper enforcement of the timeout on individual read operations
Impact The eventing-github cluster-local server doesn't set ReadHeaderTimeout, which could lead to a DDoS attack, where a large group of users send requests to the server causing the server to hang for long enough to deny it from being available to other users, also known as a Slowloris...
GHSA-QMVJ-4QR9-V547 Knative Serving vulnerable to attacker-controlled pod causing denial of service of autoscaler
Summary A vulnerability was found in Knative Serving that could allow an attacker to crash the Knative Serving autoscaler, resulting in a denial of service. The attacker would need to have compromised one pod in the Knative Serving deployment, and with that position they could launch the attack...
notation-go's verification bypass can cause users to verify the wrong artifact
Impact An attacker who controls or compromises a registry can lead a user to verify the wrong artifact. Patches The problem has been fixed in the release v1.0.0-rc.6. Users should upgrade their notation-go library to v1.0.0-rc.6 or above. Workarounds Users should use secure and trusted container...
Notation's default `maxSignatureAttempts` in `notation verify` enables an endless data attack
Impact An attacker who controls or compromises a registry can make the registry serve an infinite number of signatures for the artifact, causing a denial of service to the host machine running notation verify. Patches The problem has been fixed in the release v1.0.0-rc.6. Users should upgrade the...
GHSA-PQJ7-JX24-WJ7W VTAdmin users that can create shards can deny access to other functions
Impact Users can either intentionally or inadvertently create a shard containing / characters from VTAdmin such that from that point on, anyone who tries to create a new shard from VTAdmin will receive an error. Attempting to view the keyspaces will also no longer work. Creating a shard using...
GHSA-735R-HV67-G38F vitess allows users to create keyspaces that can deny access to already existing keyspaces
Impact Users can either intentionally or inadvertently create a keyspace containing / characters such that from that point on, anyone who tries to view keyspaces from VTAdmin will receive an error. Trying to list all the keyspaces using vtctldclient GetKeyspaces will also return an error. Note th...