11 matches found
CVE-2019-9514
CVE-2019-9514 corresponds to an HTTP/2 vulnerability where an attacker floods a peer by sending HEADERS frames, causing unbounded memory growth and potential DoS. Public details in connected advisories show affected stacks include Go HTTP/2 implementations and Go-based tools, with remediation via...
CVE-2018-1002105
CVE-2018-1002105 affects Kubernetes: before versions v1.10.11, v1.11.5, and v1.12.3, the kube-apiserver mishandles error responses to proxied upgrade requests. This flaw lets specially crafted requests establish a connection through the API server to backends and then send arbitrary requests over...
CVE-2021-34558
CVE-2021-34558 affects the Go crypto/tls implementation. In Go up to 1.16.5, the certificate public-key type is not properly validated for RSA-based key exchanges, allowing a TLS server to trigger a panic in the client. Several connected advisories link this to Go’s TLS handling and note remediat...
CVE-2020-28362
CVE-2020-28362 affects Go up to 1.14.12 and 1.15.x up to 1.15.4. The issue is a Denial of Service caused by a panic in math/big during recursive division of very large numbers, exploitable via Go tooling/build processes. Remediation: upgrade Go to a remediate version (Go 1.14.12+ or 1.15.4+ as ap...
CVE-2020-28366
CVE-2020-28366 affects the Go toolchain: code injection/arbitrary code execution at build time via a malicious unquoted symbol name in a linked object file, impacting go commands using cgo before Go 1.14.12 and Go 1.15.5. The described impact is at build time, not runtime, with a high-severity pr...
CVE-2020-29509
CVE-2020-29509 affects the Go encoding/xml package (all versions) where tokenization round-trips do not preserve attribute namespace prefixes, enabling inputs that behave inconsistently across processing stages in affected downstream applications. Connected sources confirm the vulnerability in Go...
CVE-2020-29511
CVE-2020-29511 affects the Go standard library encoding/xml. The initial description states that all Go versions fail to preserve the semantics of element namespace prefixes during tokenization round-trips, enabling inputs that may behave inconsistently across processing stages in affected downst...
CVE-2019-11244
CVE-2019-11244 affects Kubernetes kubectl caching: in Kubernetes v1.8.x–v1.14.x, schema info is cached in a world-writable directory by default at --cache-dir (often $HOME/.kube/http-cache). If the cache-dir is accessible to other users, files may be modified and disrupt kubectl invocation. Publi...
CVE-2021-25742
CVE-2021-25742 affects the Kubernetes NGINX Ingress Controller via the custom snippets feature. A user who can create or update ingress objects can exploit this flaw to obtain all secrets in the cluster (cross-namespace access). This is tied to ingress-nginx behavior rather than a generic service...
CVE-2020-29510
CVE-2020-29510 concerns the encoding/xml package in Go versions 1.15 and earlier, where tokenization round-trips fail to preserve directive semantics. This can let an attacker craft inputs that behave differently across processing stages in affected downstream applications. The connected OSV entr...
CVE-2019-11243
Kubernetes CVE-2019-11243 affects v1.12.0–v1.12.4 and v1.13.0, where rest.AnonymousClientConfig() copies the config without clearing service account credentials loaded via rest.InClusterConfig(), potentially exposing credentials. Upgrade to a fixed version per vendor advisories.