
4 matches found

CVE, added 2023/05/08 3:52 p.m., 454 views

CVE-2023-30551

CVE-2023-30551 affects Rekor (open source transparency log). Prior to version 1.1.1, an out-of-memory (OOM) condition can occur when Rekor reads archive metadata files into memory without validating their sizes. Specifically, JAR submissions can trigger OOM during verification if large META-INF e...

CVSS 7.5, AI score 7.5, EPSS 0.0105
CVE, added 2023/05/26 10:52 p.m., 439 views

CVE-2023-33199

CVE-2023-33199 concerns Rekor: a malformed proposed entry of the intoto/v0.0.2 type can cause a panic in a Rekor thread. The thread is recovered and the process returns a 500 error, with availability impact described as minimal. A fix is available in Rekor v1.2.0, and upgrade is advised. The conn...

CVSS 5.3, AI score 5, EPSS 0.0067
CVE, added 2026/01/22 10:05 p.m., 30 views

CVE-2026-24117

CVE-2026-24117 affects Rekor, a software supply chain transparency log. In versions ≤ 1.4.3, the path /api/v1/index/retrieve accepts a user-provided URL to retrieve a public key, enabling Server-Side Request Forgery (SSRF) to internal services. SSRF is limited to GET requests and does not return ...

CVSS 5.3, AI score 5.7, EPSS 0.00332
Web
CVE, added 2026/01/22 9:26 p.m., 18 views

CVE-2026-23831

Rekor (software supply chain transparency log) versions 1.4.3 and earlier are affected by a vulnerability where an empty spec.message can cause a nil pointer dereference during entry canonicalization, as validate() may return nil for empty message and Canonicalize() dereferences sign1Msg.Payload....

CVSS 5.3, AI score 5.4, EPSS 0.00384