Lucene search
+L

11 matches found

nvd
nvd
added 2026/07/02 8:17 p.m.7 views

CVE-2026-59094

Pathway through 0.31.1, fixed in commit d09722e, document store applies a caller-supplied glob pattern to indexed document paths using a hand-written recursive matcher that branches two ways on each token without memoization, giving exponential worst-case complexity. The filepathglobpattern value...

8.7CVSS0.0047EPSS
Exploits0References4
osv
osv
added 2026/07/02 7:40 p.m.19 views

CVE-2026-59094 Pathway - Unauthenticated Denial of Service via Exponential Glob Pattern Matching in Document Store

Pathway through 0.31.1, fixed in commit d09722e, document store applies a caller-supplied glob pattern to indexed document paths using a hand-written recursive matcher that branches two ways on each token without memoization, giving exponential worst-case complexity. The filepathglobpattern value...

8.7CVSS6AI score0.0047EPSS
Exploits0References7
cvelist
cvelist
added 2026/07/02 7:40 p.m.35 views

CVE-2026-59094 Pathway - Unauthenticated Denial of Service via Exponential Glob Pattern Matching in Document Store

Pathway through 0.31.1, fixed in commit d09722e, document store applies a caller-supplied glob pattern to indexed document paths using a hand-written recursive matcher that branches two ways on each token without memoization, giving exponential worst-case complexity. The filepathglobpattern value...

8.7CVSS0.0047EPSS
Exploits0References4
susecve
susecve
added 2026/01/24 12:24 a.m.8 views

SUSE CVE-2026-24117

Rekor is a software supply chain transparency log. In versions 1.4.3 and below, attackers can trigger SSRF to arbitrary internal services because /api/v1/index/retrieve supports retrieving a public key via user-provided URL. Since the SSRF only can trigger GET requests, the request cannot mutate...

5.3CVSS5.7AI score0.00332EPSS
Exploits0References4
snyk
snyk
added 2026/01/22 10:50 p.m.4 views

Server-side Request Forgery (SSRF)

Overview Affected versions of this package are vulnerable to Server-side Request Forgery SSRF via the /api/v1/index/retrieve endpoint. An attacker can scan internal network resources by sending GET requests to retrieve a public key. Since only GET requests are allowed for this endpoint, it is not...

6.9CVSS5.5AI score0.00332EPSS
Exploits0References2
osv
osv
added 2026/01/22 10:16 p.m.7 views

AZL-76446 CVE-2026-24117 affecting package cri-o 1.30.1-1

Rekor is a software supply chain transparency log. In versions 1.4.3 and below, attackers can trigger SSRF to arbitrary internal services because /api/v1/index/retrieve supports retrieving a public key via user-provided URL. Since the SSRF only can trigger GET requests, the request cannot mutate...

5.3CVSS5.8AI score0.00332EPSS
Exploits0References1
nvd
nvd
added 2026/01/22 10:16 p.m.6 views

CVE-2026-24117

Rekor is a software supply chain transparency log. In versions 1.4.3 and below, attackers can trigger SSRF to arbitrary internal services because /api/v1/index/retrieve supports retrieving a public key via user-provided URL. Since the SSRF only can trigger GET requests, the request cannot mutate...

5.3CVSS0.00332EPSS
Exploits0References3
osv
osv
added 2026/01/22 10:16 p.m.6 views

AZL-76547 CVE-2026-24117 affecting package skopeo 1.14.2-14

Rekor is a software supply chain transparency log. In versions 1.4.3 and below, attackers can trigger SSRF to arbitrary internal services because /api/v1/index/retrieve supports retrieving a public key via user-provided URL. Since the SSRF only can trigger GET requests, the request cannot mutate...

5.3CVSS5.8AI score0.00332EPSS
Exploits0References1
osv
osv
added 2026/01/22 10:16 p.m.4 views

DEBIAN-CVE-2026-24117

Rekor is a software supply chain transparency log. In versions 1.4.3 and below, attackers can trigger SSRF to arbitrary internal services because /api/v1/index/retrieve supports retrieving a public key via user-provided URL. Since the SSRF only can trigger GET requests, the request cannot mutate...

5.3CVSS8.4AI score0.00332EPSS
Exploits0References1
attackerkb
attackerkb
added 2026/01/22 10:5 p.m.5 views

CVE-2026-24117

Rekor is a software supply chain transparency log. In versions 1.4.3 and below, attackers can trigger SSRF to arbitrary internal services because /api/v1/index/retrieve supports retrieving a public key via user-provided URL. Since the SSRF only can trigger GET requests, the request cannot mutate...

5.3CVSS5.5AI score0.00332EPSS
Exploits0References4Affected Software1
cnnvd
cnnvd
added 2026/01/22 12:0 a.m.9 views

Rekor code issue vulnerabilities

Rekor is an open-source software developed by sigstore. It provides an immutable, tamper-proof ledger for metadata generated within the software project supply chain. Versions of Rekor prior to 1.4.3 contained code vulnerabilities. These vulnerabilities stemmed from the /api/v1/index/retrieve...

5.3CVSS7.4AI score0.00332EPSS
Exploits0References4
Rows per page
Query Builder