Insertion of Sensitive Information into Log File in Hashicorp go-getter
The Hashicorp go-getter library before 1.5.11 could write SSH credentials into its logfile, exposing sensitive credentials to local users able to read the logfile...
GHSA-27RQ-4943-QCWP Insertion of Sensitive Information into Log File in Hashicorp go-getter
The Hashicorp go-getter library before 1.5.11 could write SSH credentials into its logfile, exposing sensitive credentials to local users able to read the logfile...
Exposure of SSH credentials in Rancher/Fleet
Impact: This vulnerability only affects customers using Fleet for continuous delivery with authenticated Git and/or Helm repositories. A security vulnerability (CVE-2022-29810) was discovered in go-getter library in versions prior to v1.5.11 that exposes SSH private keys in base64 format due to a...
GHSA-WM2R-RP98-8PMH Exposure of SSH credentials in Rancher/Fleet
Impact: This vulnerability only affects customers using Fleet for continuous delivery with authenticated Git and/or Helm repositories. A security vulnerability (CVE-2022-29810) was discovered in go-getter library in versions prior to v1.5.11 that exposes SSH private keys in base64 format due to a...
Hardcoded credentials
Bender/ebee Charge Controllers in multiple versions are prone to Hardcoded Credentials. Bender charge controller CC612 in version 5.20.1 and below is prone to hardcoded SSH credentials. An attacker may use the password to gain administrative access to the web-UI...
CVE-2022-29810
The Hashicorp go-getter library before 1.5.11 does not redact an SSH key from a URL query parameter...
Design/Logic Flaw
The Hashicorp go-getter library before 1.5.11 does not redact an SSH key from a URL query parameter...
CVE-2022-29810
CVE-2022-29810 affects the HashiCorp go-getter library, where versions before 1.5.11 fail to redact an SSH private key in a URL query parameter. In practice, this can lead to exposure of SSH credentials in logs or error messages, potentially readable by local users with access to the logfile. Con...
PT-2022-19843 · Hashicorp · Go-Getter
Name of the Vulnerable Software and Affected Versions: Hashicorp go-getter library versions prior to 1.5.11. Description: The issue concerns the Hashicorp go-getter library, where SSH credentials could be written into its logfile. This exposes sensitive credentials to local users who have the...
cloud-init bug fix and enhancement update
An update is available for cloud-init. This update affects Rocky Linux 8. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE list. The cloud-init packages provide a set of init scripts for cloud instances...
ALBA-2022:1559 cloud-init bug fix and enhancement update
The cloud-init packages provide a set of init scripts for cloud instances. Cloud instances need special scripts to run during initialization to retrieve and install SSH keys, and to let the user run various scripts. Bug Fixes and Enhancements: cloud-init writes route6-$DEVICE config with a HEX...
cloud-init bug fix and enhancement update
The cloud-init packages provide a set of init scripts for cloud instances. Cloud instances need special scripts to run during initialization to retrieve and install SSH keys, and to let the user run various scripts. Bug Fixes and Enhancements: cloud-init writes route6-$DEVICE config with a HEX...
GO-2021-0356 Denial of service via crafted Signer in golang.org/x/crypto/ssh
Attackers can cause a crash in SSH servers when the server has been configured by passing a Signer to ServerConfig.AddHostKey such that (1) the Signer passed to AddHostKey does not implement AlgorithmSigner, and (2) the Signer passed to AddHostKey returns a key of type “ssh-rsa” from its PublicKey...
SUSE-RU-2022:1391-1 Recommended update for salt
This update for salt fixes the following issues: - Fix regression preventing bootstrapping new clients caused by redundant dependency on psutil (bsc#1197533) - Prevent data pollution between actions processed at the same time (bsc#1197637) - Fix salt-ssh opts poisoning (bsc#1197637) - Clear network...
curl: CURLOPT_SSH_HOST_PUBLIC_KEY_MD5 bypass if string not 32 chars
Summary: Due to a logic flaw in CURLOPT_SSH_HOST_PUBLIC_KEY_MD5 handling, the host fingerprint validation will be bypassed if passed a string that is not exactly 32 characters long. Steps To Reproduce: 1. curl_easy_setopt(curl, CURLOPT_SSH_HOST_PUBLIC_KEY_MD5, "afe17cd62a0f3b61f1ab9cb22ba269a"); // 31 chars ...
curl: CURLOPT_SSH_HOST_PUBLIC_KEY_SHA256 comparison disaster
Summary: CURLOPT_SSH_HOST_PUBLIC_KEY_SHA256 base64 encoded host fingerprint is compared case-insensitively by accident. This means that it is technically possible (however still difficult) to create a forged SSH host key that matches in this comparison. The bug appears to have been introduced when adding...
Cisco Releases Security Patches for TelePresence, RoomOS and Umbrella VA
Networking equipment maker Cisco has released security updates to address three high-severity vulnerabilities in its products that could be exploited to cause a denial-of-service (DoS) condition and take control of affected systems. The first of the three flaws, CVE-2022-20783 (CVSS score: 7.5),...