54 matches found
GHSA-FF52-PH69-CF7X vulnerabilities
Vulnerabilities for packages: opentelemetry-collector-k8s-fips, nri-postgresql-fips, aws-flb-firehose-fips, secrets-store-csi-driver, crossplane-provider-aws-fsx, pdfcpu, nsc-fips, atlas, mlrun-log-collector, crossplane-provider-aws-fsx-fips, consul-k8s, addon-resizer-fips, oras,...
CVE-2026-41889 vulnerabilities
Vulnerabilities for packages: spicedb, step-fips, ldap2pg, certificate-transparency-fips, goose, seaweedfs-rocksdb-fips, pgwatch, opentelemetry-collector-contrib-fips, temporal-server, sftpgo-plugin-eventsearch, ferretdb, vault, sftpgo-plugin-eventstore, temporal, caddy, step, gotrue-fips,...
SUSE CVE-2026-40097
Step CA is an online certificate authority for secure, automated certificate management for DevOps. From 0.24.0 to before 0.30.0-rc3, an attacker can trigger an index out-of-bounds panic in Step CA by sending a crafted attestation key AK certificate with an empty Extended Key Usage EKU extension...
GHSA-7MR4-XJXG-34G6 vulnerabilities
Vulnerabilities for packages: cluster-api, gitsign, gitlab-kas, helm-set-status, gitaly, harbor, kyverno, minio-object-browser, hubble, openbao, docker-credential-gcr, hubble-ui, lazydocker, grafana-pyroscope, filebrowser, sftpgo, tetragon, yunikorn-k8shim, scorecard, seaweedfs,...
GHSA-9QQ8-CGCV-QMC9 Step CA affected by an index out of bounds panic in TPM attestation EKU validation
Summary An attacker can trigger an index out-of-bounds panic in Step CA by sending a crafted attestation key AK certificate with an empty Extended Key Usage EKU extension during TPM device attestation. Details When processing a device-attest-01 ACME challenge using TPM attestation, Step CA...
CVE-2026-40097
CVE-2026-40097 affects Step CA (online CA for secure, automated certificate management). From version 0.24.0 up to before 0.30.0-rc3, an attacker can trigger an index-out-of-bounds panic during TPM device attestation by sending a crafted attestation key certificate with an empty EKU extension. Sp...
CVE-2026-40097
Step CA is an online certificate authority for secure, automated certificate management for DevOps. From 0.24.0 to before 0.30.0-rc3, an attacker can trigger an index out-of-bounds panic in Step CA by sending a crafted attestation key AK certificate with an empty Extended Key Usage EKU extension...
PT-2026-31991
Name of the Vulnerable Software and Affected Versions Step CA versions 0.24.0 through 0.30.0-rc3 Description An attacker can trigger an index out-of-bounds panic in Step CA by sending a crafted attestation key AK certificate with an empty Extended Key Usage EKU extension during TPM device...
Smallstep step-ca 输入验证错误漏洞
Smallstep step-ca is an online certificate authority for DevOps security and automated certificate management provided by the Smallstep company in the United States. Versions of Smallstep step-ca prior to 0.30.0-rc3 contained a vulnerability related to input validation errors. This vulnerability...
CLEANSTART-2026-GM09342 Security fixes for CVE-2025-68121, CVE-2026-26958, ghsa-fw7p-63qq-7hpr, ghsa-mqqf-5wvp-8fh8 applied in versions: 0.29.0-r0, 0.29.0-r1
Multiple security vulnerabilities affect the step-ca-fips package. These issues are resolved in later releases. See references for individual vulnerability details...
Linux Distros Unpatched Vulnerability : CVE-2026-30836
The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - Step CA is an online certificate authority for secure, automated certificate management for DevOps. Versions 0.30.0-rc6 and below do not safeguard against...
GO-2026-4775 step-ca has Unauthenticated Certificate Issuance via SCEP UpdateReq (MessageType=18) in github.com/smallstep/certificates
step-ca has Unauthenticated Certificate Issuance via SCEP UpdateReq MessageType=18 in github.com/smallstep/certificates...
SUSE CVE-2026-30836
Step CA is an online certificate authority for secure, automated certificate management for DevOps. Versions 0.30.0-rc6 and below do not safeguard against unauthenticated certificate issuance through the SCEP UpdateReq. This issue has been fixed in version 0.30.0...
CVE-2026-30836
Step CA is an online certificate authority for secure, automated certificate management for DevOps. Versions 0.30.0-rc6 and below do not safeguard against unauthenticated certificate issuance through the SCEP UpdateReq. This issue has been fixed in version 0.30.0...
CVE-2026-30836
Step CA is an online certificate authority for secure, automated certificate management for DevOps. Versions 0.30.0-rc6 and below do not safeguard against unauthenticated certificate issuance through the SCEP UpdateReq. This issue has been fixed in version 0.30.0...
CVE-2026-30836 Step CA: Unauthenticated Certificate Issuance via SCEP UpdateReq (MessageType=18)
Step CA is an online certificate authority for secure, automated certificate management for DevOps. Versions 0.30.0-rc6 and below do not safeguard against unauthenticated certificate issuance through the SCEP UpdateReq. This issue has been fixed in version 0.30.0...
CVE-2026-30836
CVE-2026-30836 affects step-ca (github.com/smallstep/certificates). The issue allows unauthenticated certificate issuance via SCEP UpdateReq (MessageType=18) due to inadequate protection in UpdateReq handling. Affected versions are 0.30.0-rc6 and below; the vulnerability is fixed in version 0.30....
CVE-2026-30836 Step CA: Unauthenticated Certificate Issuance via SCEP UpdateReq (MessageType=18)
Step CA is an online certificate authority for secure, automated certificate management for DevOps. Versions 0.30.0-rc6 and below do not safeguard against unauthenticated certificate issuance through the SCEP UpdateReq. This issue has been fixed in version 0.30.0...
EUVD-2026-13200
step-ca has Unauthenticated Certificate Issuance via SCEP UpdateReq MessageType=18...
step-ca has Unauthenticated Certificate Issuance via SCEP UpdateReq (MessageType=18)
Summary An attacker can force a Step CA SCEP provisioner to create certificates without completing certain protocol authorization checks. Details SCEP requests carry a message type. On receipt of a SCEP request, Step CA starts processing it by parsing its contents. Message types that were...