katerinaorg / notary Goto Github PK
View Code? Open in Web Editor NEWThis project forked from notaryproject/notary
Notary is a project that allows anyone to have trust over arbitrary collections of data
License: Apache License 2.0
This project forked from notaryproject/notary
Notary is a project that allows anyone to have trust over arbitrary collections of data
License: Apache License 2.0
Distributed reliable key-value store for the most critical data of a distributed system
Dependency Hierarchy:
The toolkit to pack, ship, store, and deliver container content
Dependency Hierarchy:
Found in HEAD commit: 549c2321b216d811654d8e364e811dbca812a5a6
Found in base branch: master
The Kubernetes API Server component in versions 1.1-1.14, and versions prior to 1.15.10, 1.16.7 and 1.17.3 allows an authorized user who sends malicious YAML payloads to cause the kube-apiserver to consume excessive CPU cycles while parsing YAML.
Publish Date: 2020-04-01
URL: CVE-2019-11254
Base Score Metrics:
Type: Upgrade version
Origin: https://github.com/go-yaml/yaml/tree/v2.2.8
Release Date: 2020-04-01
Fix Resolution: v2.2.8
Distributed reliable key-value store for the most critical data of a distributed system
Dependency Hierarchy:
Distributed reliable key-value store for the most critical data of a distributed system
Dependency Hierarchy:
Found in HEAD commit: 549c2321b216d811654d8e364e811dbca812a5a6
Found in base branch: master
In etcd before versions 3.3.23 and 3.4.10, certain directory paths are created (etcd data directory and the directory path when provided to automatically generate self-signed certificates for TLS connections with clients) with restricted access permissions (700) by using the os.MkdirAll. This function does not perform any permission checks when a given directory path exists already. A possible workaround is to ensure the directories have the desired permission (700).
Publish Date: 2020-08-05
URL: CVE-2020-15113
Base Score Metrics:
Type: Upgrade version
Origin: etcd-io/etcd@v3.4.9...v3.4.10
Release Date: 2020-07-21
Fix Resolution: 3.4.10, 3.3.23
Notary is a project that allows anyone to have trust over arbitrary collections of data
Dependency Hierarchy:
Found in HEAD commit: 549c2321b216d811654d8e364e811dbca812a5a6
Found in base branch: master
In Go before 1.13.13 and 1.14.x before 1.14.5, Certificate.Verify may lack a check on the VerifyOptions.KeyUsages EKU requirements (if VerifyOptions.Roots equals nil and the installation is on Windows). Thus, X.509 certificate verification is incomplete.
Publish Date: 2020-07-17
URL: CVE-2020-14039
Base Score Metrics:
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-14039
Release Date: 2020-07-17
Fix Resolution: 1.13.13,1.14.5
Notary is a project that allows anyone to have trust over arbitrary collections of data
Dependency Hierarchy:
Distributed reliable key-value store for the most critical data of a distributed system
Dependency Hierarchy:
Found in HEAD commit: 549c2321b216d811654d8e364e811dbca812a5a6
Found in base branch: master
net/http in Go before 1.15.12 and 1.16.x before 1.16.4 allows remote attackers to cause a denial of service (panic) via a large header to ReadRequest or ReadResponse. Server, Transport, and Client can each be affected in some configurations.
Publish Date: 2021-05-27
URL: CVE-2021-31525
Base Score Metrics:
Type: Upgrade version
Origin: https://bugzilla.redhat.com/show_bug.cgi?id=1958341
Release Date: 2021-04-22
Fix Resolution: golang - v1.15.12,v1.16.4,v1.17.0
Distributed reliable key-value store for the most critical data of a distributed system
Dependency Hierarchy:
Distributed reliable key-value store for the most critical data of a distributed system
Dependency Hierarchy:
Found in HEAD commit: 549c2321b216d811654d8e364e811dbca812a5a6
Found in base branch: master
In etcd before versions 3.3.23 and 3.4.10, a large slice causes panic in decodeRecord method. The size of a record is stored in the length field of a WAL file and no additional validation is done on this data. Therefore, it is possible to forge an extremely large frame size that can unintentionally panic at the expense of any RAFT participant trying to decode the WAL.
Publish Date: 2020-08-05
URL: CVE-2020-15106
Base Score Metrics:
Type: Upgrade version
Origin: etcd-io/etcd@v3.4.9...v3.4.10
Release Date: 2020-07-21
Fix Resolution: 3.4.10, 3.3.23
Distributed reliable key-value store for the most critical data of a distributed system
Dependency Hierarchy:
Distributed reliable key-value store for the most critical data of a distributed system
Dependency Hierarchy:
Found in HEAD commit: 549c2321b216d811654d8e364e811dbca812a5a6
Found in base branch: master
In etcd before versions 3.3.23 and 3.4.10, it is possible to have an entry index greater then the number of entries in the ReadAll method in wal/wal.go. This could cause issues when WAL entries are being read during consensus as an arbitrary etcd consensus participant could go down from a runtime panic when reading the entry.
Publish Date: 2020-08-05
URL: CVE-2020-15112
Base Score Metrics:
Type: Upgrade version
Origin: etcd-io/etcd@v3.4.9...v3.4.10
Release Date: 2020-07-21
Fix Resolution: 3.4.10, 3.3.23
Distributed reliable key-value store for the most critical data of a distributed system
Dependency Hierarchy:
Distributed reliable key-value store for the most critical data of a distributed system
Dependency Hierarchy:
Distributed reliable key-value store for the most critical data of a distributed system
Dependency Hierarchy:
Found in HEAD commit: 549c2321b216d811654d8e364e811dbca812a5a6
Found in base branch: master
DNS rebinding vulnerability found in etcd 3.3.1 and earlier. An attacker can control his DNS records to direct to localhost, and trick the browser into sending requests to localhost (or any other address).
Publish Date: 2018-04-03
URL: CVE-2018-1099
Base Score Metrics:
Type: Upgrade version
Origin: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-1099
Release Date: 2018-04-03
Fix Resolution: v3.4.0-rc.0
The toolkit to pack, ship, store, and deliver container content
Dependency Hierarchy:
Found in HEAD commit: 549c2321b216d811654d8e364e811dbca812a5a6
Found in base branch: master
go-jose before 1.0.5 suffers from a CBC-HMAC integer overflow on 32-bit architectures. An integer overflow could lead to authentication bypass for CBC-HMAC encrypted ciphertexts on 32-bit architectures.
Publish Date: 2017-03-28
URL: CVE-2016-9123
Base Score Metrics:
Type: Upgrade version
Origin: https://nvd.nist.gov/vuln/detail/CVE-2016-9123
Release Date: 2017-03-28
Fix Resolution: 1.0.5
⛑️ Automatic Remediation is available for this issue
The toolkit to pack, ship, store, and deliver container content
Dependency Hierarchy:
Found in HEAD commit: 549c2321b216d811654d8e364e811dbca812a5a6
Found in base branch: master
go-jose before 1.0.4 suffers from an invalid curve attack for the ECDH-ES algorithm. When deriving a shared key using ECDH-ES for an encrypted message, go-jose neglected to check that the received public key on a message is on the same curve as the static private key of the receiver, thus making it vulnerable to an invalid curve attack.
Publish Date: 2017-03-28
URL: CVE-2016-9121
Base Score Metrics:
Type: Upgrade version
Origin: https://nvd.nist.gov/vuln/detail/CVE-2016-9121
Release Date: 2017-03-28
Fix Resolution: 1.0.4
⛑️ Automatic Remediation is available for this issue
Distributed reliable key-value store for the most critical data of a distributed system
Dependency Hierarchy:
Notary is a project that allows anyone to have trust over arbitrary collections of data
Dependency Hierarchy:
Found in HEAD commit: 549c2321b216d811654d8e364e811dbca812a5a6
Found in base branch: master
The x/text package before 0.3.3 for Go has a vulnerability in encoding/unicode that could lead to the UTF-16 decoder entering an infinite loop, causing the program to crash or run out of memory. An attacker could provide a single byte to a UTF16 decoder instantiated with UseBOM or ExpectBOM to trigger an infinite loop if the String function on the Decoder is called, or the Decoder is passed to golang.org/x/text/transform.String.
Publish Date: 2020-06-17
URL: CVE-2020-14040
Base Score Metrics:
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-14040
Release Date: 2020-06-17
Fix Resolution: text - v0.3.3
The toolkit to pack, ship, store, and deliver container content
Dependency Hierarchy:
Found in HEAD commit: 549c2321b216d811654d8e364e811dbca812a5a6
Found in base branch: master
A flaw was found in github.com/satori/go.uuid in versions from commit 0ef6afb2f6cdd6cdaeee3885a95099c63f18fc8c to d91630c8510268e75203009fe7daf2b8e1d60c45. Due to insecure randomness in the g.rand.Read function the generated UUIDs are predictable for an attacker.
Publish Date: 2021-06-02
URL: CVE-2021-3538
Base Score Metrics:
Type: Upgrade version
Origin: satori/go.uuid#75
Release Date: 2021-06-02
Fix Resolution: github.com/satori/go.uuid - 75cca531ea763666bc46e531da3b4c3b95f64557
⛑️ Automatic Remediation is available for this issue
Distributed reliable key-value store for the most critical data of a distributed system
Dependency Hierarchy:
Distributed reliable key-value store for the most critical data of a distributed system
Dependency Hierarchy:
Distributed reliable key-value store for the most critical data of a distributed system
Dependency Hierarchy:
Found in HEAD commit: 549c2321b216d811654d8e364e811dbca812a5a6
Found in base branch: master
A cross-site request forgery flaw was found in etcd 3.3.1 and earlier. An attacker can set up a website that tries to send a POST request to the etcd server and modify a key. Adding a key is done with PUT so it is theoretically safe (can't PUT from an HTML form or such) but POST allows creating in-order keys that an attacker can send.
Publish Date: 2018-04-03
URL: CVE-2018-1098
Base Score Metrics:
Type: Upgrade version
Origin: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-1098
Release Date: 2018-04-03
Fix Resolution: v3.4.0-rc.0
Distributed reliable key-value store for the most critical data of a distributed system
Dependency Hierarchy:
Found in HEAD commit: 549c2321b216d811654d8e364e811dbca812a5a6
Found in base branch: master
etcd before versions 3.3.23 and 3.4.10 does not perform any password length validation, which allows for very short passwords, such as those with a length of one. This may allow an attacker to guess or brute-force users' passwords with little computational effort.
Publish Date: 2020-08-06
URL: CVE-2020-15115
Base Score Metrics:
Type: Upgrade version
Origin: https://github.com/etcd-io/etcd/tree/v3.4.10
Release Date: 2020-07-21
Fix Resolution: 3.4.10, 3.3.23
Notary is a project that allows anyone to have trust over arbitrary collections of data
Dependency Hierarchy:
Found in HEAD commit: 549c2321b216d811654d8e364e811dbca812a5a6
Found in base branch: master
The crypto/x509 package of Go before 1.10.6 and 1.11.x before 1.11.3 does not limit the amount of work performed for each chain verification, which might allow attackers to craft pathological inputs leading to a CPU denial of service. Go TLS servers accepting client certificates and TLS clients are affected.
Publish Date: 2018-12-14
URL: CVE-2018-16875
Base Score Metrics:
Type: Upgrade version
Origin: https://nvd.nist.gov/vuln/detail/CVE-2018-16875
Release Date: 2018-12-14
Fix Resolution: 1.10.6,1.11.3
The toolkit to pack, ship, store, and deliver container content
Dependency Hierarchy:
Found in HEAD commit: 549c2321b216d811654d8e364e811dbca812a5a6
Found in base branch: master
go-jose before 1.0.4 suffers from multiple signatures exploitation. The go-jose library supports messages with multiple signatures. However, when validating a signed message the API did not indicate which signature was valid, which could potentially lead to confusion. For example, users of the library might mistakenly read protected header values from an attached signature that was different from the one originally validated.
Publish Date: 2017-03-28
URL: CVE-2016-9122
Base Score Metrics:
Type: Upgrade version
Origin: https://nvd.nist.gov/vuln/detail/CVE-2016-9122
Release Date: 2017-03-28
Fix Resolution: 1.0.4
⛑️ Automatic Remediation is available for this issue
Distributed reliable key-value store for the most critical data of a distributed system
Dependency Hierarchy:
Found in HEAD commit: 549c2321b216d811654d8e364e811dbca812a5a6
Found in base branch: master
In ectd before versions 3.4.10 and 3.3.23, gateway TLS authentication is only applied to endpoints detected in DNS SRV records. When starting a gateway, TLS authentication will only be attempted on endpoints identified in DNS SRV records for a given domain, which occurs in the discoverEndpoints function. No authentication is performed against endpoints provided in the --endpoints flag. This has been fixed in versions 3.4.10 and 3.3.23 with improved documentation and deprecation of the functionality.
Publish Date: 2020-08-06
URL: CVE-2020-15136
Base Score Metrics:
Type: Upgrade version
Origin: https://github.com/etcd-io/etcd/tree/v3.4.10
Release Date: 2020-07-21
Fix Resolution: 3.4.10, 3.3.23
Distributed reliable key-value store for the most critical data of a distributed system
Dependency Hierarchy:
Found in HEAD commit: 549c2321b216d811654d8e364e811dbca812a5a6
Found in base branch: master
In etcd before versions 3.3.23 and 3.4.10, the etcd gateway is a simple TCP proxy to allow for basic service discovery and access. However, it is possible to include the gateway address as an endpoint. This results in a denial of service, since the endpoint can become stuck in a loop of requesting itself until there are no more available file descriptors to accept connections on the gateway.
Publish Date: 2020-08-06
URL: CVE-2020-15114
Base Score Metrics:
Type: Upgrade version
Origin: https://github.com/etcd-io/etcd/tree/v3.4.10
Release Date: 2020-07-21
Fix Resolution: 3.4.10, 3.3.23
The toolkit to pack, ship, store, and deliver container content
Dependency Hierarchy:
Distributed reliable key-value store for the most critical data of a distributed system
Dependency Hierarchy:
Found in HEAD commit: 549c2321b216d811654d8e364e811dbca812a5a6
Found in base branch: master
jwt-go before 4.0.0-preview1 allows attackers to bypass intended access restrictions in situations with []string{} for m["aud"] (which is allowed by the specification). Because the type assertion fails, "" is the value of aud. This is a security problem if the JWT token is presented to a service that lacks its own audience check.
Publish Date: 2020-09-30
URL: CVE-2020-26160
Base Score Metrics:
A declarative, efficient, and flexible JavaScript library for building user interfaces.
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
An Open Source Machine Learning Framework for Everyone
The Web framework for perfectionists with deadlines.
A PHP framework for web artisans
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
Some thing interesting about web. New door for the world.
A server is a program made to process requests and deliver data to clients.
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
Some thing interesting about visualization, use data art
Some thing interesting about game, make everyone happy.
We are working to build community through open source technology. NB: members must have two-factor auth.
Open source projects and samples from Microsoft.
Google ❤️ Open Source for everyone.
Alibaba Open Source for everyone
Data-Driven Documents codes.
China tencent open source team.