Lucene search
K

24 matches found

Tenable Nessus
Tenable Nessus
added 2026/06/03 12:0 a.m.8 views

Linux Distros Unpatched Vulnerability : CVE-2026-48501

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - GitHub CLI gh is GitHub's official command line tool. Prior to 2.93.0, GitHub CLI incorrectly includes authorization header in API requests to TUF repository...

9.1CVSS5.7AI score0.00289EPSS
Exploits0References3
OSV
OSV
added 2026/05/29 4:16 p.m.10 views

DEBIAN-CVE-2026-48501

GitHub CLI gh is GitHub’s official command line tool. Prior to 2.93.0, GitHub CLI incorrectly includes authorization header in API requests to TUF repository mirrors via gh attestation, gh release verify, and gh release verify-asset commands. The CLI uses a shared HTTP client with an authenticati...

9.1CVSS5.8AI score0.00289EPSS
Exploits0References1
OSV
OSV
added 2026/05/29 4:16 p.m.14 views

UBUNTU-CVE-2026-48501

GitHub CLI gh is GitHub’s official command line tool. Prior to 2.93.0, GitHub CLI incorrectly includes authorization header in API requests to TUF repository mirrors via gh attestation, gh release verify, and gh release verify-asset commands. The CLI uses a shared HTTP client with an authenticati...

9.1CVSS5.8AI score0.00289EPSS
Exploits0References3
Github Security Blog
Github Security Blog
added 2026/05/29 3:30 p.m.20 views

GitHub CLI has an incorrect authorization header in API requests to TUF repository mirrors via `gh attestation`, `gh release verify`, and `gh release verify-asset` commands

Summary GitHub CLI incorrectly includes an authorization header in API requests to TUF repository mirrors via gh attestation, gh release verify, and gh release verify-asset commands. Affected users: - Authenticated github.com users who previously ran gh attestation commands, gh release verify, or...

9.1CVSS5.9AI score0.00289EPSS
Exploits0References4Affected Software1
Cvelist
Cvelist
added 2026/05/29 3:14 p.m.39 views

CVE-2026-48501 GitHub CLI tokens leak via `gh attestation` commands

GitHub CLI gh is GitHub’s official command line tool. Prior to 2.93.0, GitHub CLI incorrectly includes authorization header in API requests to TUF repository mirrors via gh attestation, gh release verify, and gh release verify-asset commands. The CLI uses a shared HTTP client with an authenticati...

7.4CVSS0.00289EPSS
Exploits0References1
Vulnrichment
Vulnrichment
added 2026/05/29 3:14 p.m.14 views

CVE-2026-48501 GitHub CLI tokens leak via `gh attestation` commands

GitHub CLI gh is GitHub’s official command line tool. Prior to 2.93.0, GitHub CLI incorrectly includes authorization header in API requests to TUF repository mirrors via gh attestation, gh release verify, and gh release verify-asset commands. The CLI uses a shared HTTP client with an authenticati...

7.4CVSS5.8AI score0.00289EPSS
Exploits0References1
CVE
CVE
added 2026/05/29 3:14 p.m.32 views

CVE-2026-48501

GitHub CLI (gh) prior to 2.93.0 contains a token leakage vulnerability: a shared HTTP client with an authentication layer attaches user tokens to outgoing requests without proper host detection. The host normalization collapses any *.github.com subdomain to github.com, causing requests to tuf-rep...

9.1CVSS5.8AI score0.00289EPSS
Exploits0References1Affected Software1
ATTACKERKB
ATTACKERKB
added 2026/05/29 3:14 p.m.9 views

CVE-2026-48501

GitHub CLI gh is GitHub’s official command line tool. Prior to 2.93.0, GitHub CLI incorrectly includes authorization header in API requests to TUF repository mirrors via gh attestation, gh release verify, and gh release verify-asset commands. The CLI uses a shared HTTP client with an authenticati...

7.4CVSS5.8AI score0.00289EPSS
Exploits0References2Affected Software1
CNNVD
CNNVD
added 2026/05/29 12:0 a.m.15 views

GitHub CLI 安全漏洞

GitHub CLI is an open-source command-line interface for GitHub. Prior to version 2.93.0 of GitHub CLI, there was a security vulnerability. This vulnerability stemmed from incorrect authorization headers in API requests to the TUF repository via the gh attestation, gh release verify, and gh releas...

7.4CVSS5.8AI score0.00289EPSS
Exploits0References1
Positive Technologies
Positive Technologies
added 2026/05/29 12:0 a.m.18 views

PT-2026-44905

Name of the Vulnerable Software and Affected Versions GitHub CLI versions prior to 2.93.0 Description GitHub CLI incorrectly includes authorization headers in API requests to TUF repository mirrors when using the gh attestation, gh release verify, and gh release verify-asset commands. The tool...

9.1CVSS5.4AI score0.00289EPSS
Exploits0References12
Snyk
Snyk
added 2026/01/22 3:45 a.m.5 views

Improper Verification of Cryptographic Signature

Overview Affected versions of this package are vulnerable to Improper Verification of Cryptographic Signature in the VerifyDelegate function. An attacker in control of a compromised TUF repository can bypass signature validation and modify metadata files by setting the signature threshold to 0...

8.2CVSS5.5AI score0.00196EPSS
Exploits0References2
Snyk
Snyk
added 2026/01/22 3:45 a.m.5 views

Improper Verification of Cryptographic Signature

Overview Affected versions of this package are vulnerable to Improper Verification of Cryptographic Signature in the VerifyDelegate function. An attacker in control of a compromised TUF repository can bypass signature validation and modify metadata files by setting the signature threshold to 0...

8.2CVSS5.5AI score0.00196EPSS
Exploits0References2
OSV
OSV
added 2026/01/22 3:15 a.m.4 views

DEBIAN-CVE-2026-23991

go-tuf is a Go implementation of The Update Framework TUF. Starting in version 2.0.0 and prior to version 2.3.1, if the TUF repository or any of its mirrors returns invalid TUF metadata JSON valid JSON but not well formed TUF metadata, the client will panic during parsing, causing a denial of...

7.5CVSS8.3AI score0.0053EPSS
Exploits0References1
UbuntuCve
UbuntuCve
added 2026/01/22 3:15 a.m.7 views

CVE-2026-23992

go-tuf is a Go implementation of The Update Framework TUF. Starting in version 2.0.0 and prior to version 2.3.1, a compromised or misconfigured TUF repository can have the configured value of signature thresholds set to 0, which effectively disables signature verification. This can lead to...

7.5CVSS5.9AI score0.00196EPSS
Exploits0References3
OSV
OSV
added 2026/01/21 4:19 p.m.7 views

GHSA-FPHV-W9FQ-2525 go-tuf improperly validates the configured threshold for delegations

Security Disclosure: Improper validation of configured threshold for delegations Summary A compromised or misconfigured TUF repository can have the configured value of signature thresholds set to 0, which effectively disables signature verification. Impact Unathorized modification to TUF metadata...

5.9CVSS5.6AI score0.00196EPSS
Exploits0References5
OSV
OSV
added 2026/01/13 2:58 p.m.7 views

GHSA-WHQX-F9J3-CH6M Cosign verification accepts any valid Rekor entry under certain conditions

Impact A Cosign bundle can be crafted to successfully verify an artifact even if the embedded Rekor entry does not reference the artifact's digest, signature or public key. When verifying a Rekor entry, Cosign verifies the Rekor entry signature, and also compares the artifact's digest, the user's...

5.5CVSS6.9AI score0.00077EPSS
Exploits1References5
Snyk
Snyk
added 2026/01/10 6:53 a.m.4 views

Improper Verification of Cryptographic Signature

Overview Affected versions of this package are vulnerable to Improper Verification of Cryptographic Signature via the VerifyBundle function in the verify.go file. An attacker can bypass artifact integrity checks by crafting a bundle that includes any arbitrary Rekor entry, allowing successful...

6.8CVSS6.9AI score0.00077EPSS
Exploits1References2
Snyk
Snyk
added 2026/01/10 6:53 a.m.4 views

Improper Verification of Cryptographic Signature

Overview Affected versions of this package are vulnerable to Improper Verification of Cryptographic Signature via the VerifyBundle function in the verify.go file. An attacker can bypass artifact integrity checks by crafting a bundle that includes any arbitrary Rekor entry, allowing successful...

6.8CVSS6.9AI score0.00077EPSS
Exploits1References2
RedhatCVE
RedhatCVE
added 2025/05/22 9:21 p.m.10 views

CVE-2021-41149

Tough provides a set of Rust libraries and tools for using and generating the update framework TUF repositories. The tough library, prior to 0.12.0, does not properly sanitize target names when caching a repository, or when saving specific targets to an output directory. When targets are cached o...

8.5CVSS6.9AI score0.01077EPSS
Exploits0
OSV
OSV
added 2025/03/28 10:13 p.m.2 views

GHSA-J8X2-777P-23FC tough cyclic delegation graphs are not detected

Summary In a TUF repository, the targets role’s signature indicates which target files are trusted by clients. The role can delegate full or partial trust to other roles, meaning that that role is trusted to sign target file metadata. Delegated roles can further delegate trust to other delegated...

2.7CVSS6.7AI score
Exploits0References4
Rows per page
Query Builder