CVE-2023-30551
CVE-2023-30551 affects Rekor (open source transparency log). Prior to version 1.1.1, an out-of-memory (OOM) condition can occur when Rekor reads archive metadata files into memory without validating their sizes. Specifically, JAR submissions can trigger OOM during verification if large META-INF e...
CVE-2023-33199
CVE-2023-33199 concerns Rekor: a malformed proposed entry of the intoto/v0.0.2 type can cause a panic in a Rekor thread. The thread is recovered and the process returns a 500 error, with availability impact described as minimal. A fix is available in Rekor v1.2.0, and upgrade is advised. The conn...
CVE-2026-24117
CVE-2026-24117 affects Rekor, a software supply chain transparency log. In versions ≤ 1.4.3, the path /api/v1/index/retrieve accepts a user-provided URL to retrieve a public key, enabling Server-Side Request Forgery (SSRF) to internal services. SSRF is limited to GET requests and does not return ...
CVE-2026-23831
Rekor (software supply chain transparency log) versions 1.4.3 and earlier are affected by a vulnerability where an empty spec.message can cause a nil pointer dereference during entry canonicalization, as validate() may return nil for empty message and Canonicalize() dereferences sign1Msg.Payload....