[Suggested description]
Gorush v1.18.4 was discovered to use a deprecated version of TLS.
In the RunHTTPServer function within the server_normal.go file
of the appleboy/gorush/router package, our server currently supports TLS 1.0 and TLS 1.1.
Impact:
Continuing to support TLS 1.0 and TLS 1.1 exposes our
application to potential security risks, including but not limited to:
[Suggested description]
cortex v0.42.1 is configured to skip TLS certificate verification,
possibly allowing attackers to execute a man-in-the-middle attack.
In Cortex CLI, the export command, which triggers the makeOperatorRequest
function within cortexlabs/cortex/cli/cluster/lib_http_client.go,
establishes TLS connections with InsecureSkipVerify set to true.
This configuration allows the client to bypass TLS certificate verification,
undermining the security of the TLS connection and exposing the
[Suggested description]
An issue was discovered in casdoor v1.636.0. The usage of
ssh.InsecureIgnoreHostKey() disables host key verification, possibly
allowing attackers to obtain sensitive information via a
man-in-the-middle attack.
In casdoor/casdoor/object/viaSSHDialer.go,
the InsecureIgnoreHostKey() function is used when establishing SSH
connections. This function disables host key checking, effectively
ignoring any potential discrepancies between the expected and
[Suggested description]
immudb v1.9.3 was discovered to use the HTTP protocol in the
ShowMetricsRaw and ShowMetricsAsText functions, possibly allowing
attackers to intercept communications via a man-in-the-middle attack.
------------------------------------------
[VulnerabilityType Other]
CWE-319
------------------------------------------
[Suggested description]
The Encrypt function of netbird v0.28.4 was discovered to use a static
initialization vector (IV), possibly compromising the security of
sensitive data.
The Encrypt function located in the crypt.go file (part of the
github.com/netbirdio/netbird/management/server/activity/sqlite package)
utilizes a static initialization vector (IV). This practice is known to
compromise the security of the encrypted data, as using a predictable
IV can lead to pattern leaks and potentially allow attackers to infer
information about the plaintext.
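The pattern leak described above, shown in an added Go example (not netbird's code; the AES-GCM mode, the key, the sample record and the function names are assumptions made for the demonstration). The flawed form keeps one fixed nonce and so produces identical ciphertexts for identical records, which is exactly the signal an observer of the stored data would see; the corrected form draws a fresh nonce per message and stores it in front of the ciphertext.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// demoKey is a constructed 256-bit key for the example only; a real key comes
// from a KDF or a secrets store, never a literal.
var demoKey = bytes.Repeat([]byte{0x42}, 32)

// staticIV reproduces the reported anti-pattern: one nonce reused for every record.
var staticIV = make([]byte, 12)

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// EncryptStaticIV is the flawed form (kept only to show the symptom): with the
// nonce fixed, equal plaintexts produce equal ciphertexts, so anyone reading the
// database learns which records repeat, and GCM's authentication guarantee is lost.
func EncryptStaticIV(key, plaintext []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	return gcm.Seal(nil, staticIV, plaintext, nil), nil
}

// EncryptRandomNonce is the corrected form: a fresh random nonce per message,
// stored in front of the ciphertext so the reader can recover it.
func EncryptRandomNonce(key, plaintext []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// DecryptRandomNonce splits off the nonce and rejects anything that fails the
// GCM tag check (truncated or modified ciphertext).
func DecryptRandomNonce(key, blob []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	n := gcm.NonceSize()
	if len(blob) < n+gcm.Overhead() {
		return nil, errors.New("ciphertext too short")
	}
	return gcm.Open(nil, blob[:n], blob[n:], nil)
}

func main() {
	msg := []byte("user@example.com logged in") // constructed sample record
	a, _ := EncryptStaticIV(demoKey, msg)
	b, _ := EncryptStaticIV(demoKey, msg)
	fmt.Println("static IV, identical ciphertexts:", bytes.Equal(a, b)) // true
	c, _ := EncryptRandomNonce(demoKey, msg)
	d, _ := EncryptRandomNonce(demoKey, msg)
	fmt.Println("random nonce, identical ciphertexts:", bytes.Equal(c, d)) // false
	pt, err := DecryptRandomNonce(demoKey, c)
	fmt.Println("round trip ok:", err == nil && bytes.Equal(pt, msg)) // true
}
```

A 12-byte nonce drawn from crypto/rand is the standard choice for AES-GCM; if a counter is used instead it must never wrap or restart across process restarts, which is the failure the static IV above makes permanent.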
[Suggested description]
Navidrome v0.52.3 was discovered to use an insecure hashing algorithm
to generate URLs.
The official Gravatar documentation now advocates using SHA-256 to generate URLs,
as demonstrated in their API example (https://docs.gravatar.com/api/avatars/go/).
An MD5-based URL could potentially lead to situations where an attacker changes
another user's info under a controlled email address, introducing security
vulnerabilities due to the known weaknesses of the MD5 algorithm. Although
[Suggested description]
An issue was discovered in filestash v0.4. The usage of
ssh.InsecureIgnoreHostKey() disables host key verification, possibly
allowing attackers to obtain sensitive information via a
man-in-the-middle attack.
------------------------------------------
[VulnerabilityType Other]
CWE-305 CWE-306
[Suggested description]
Default configurations in the ShareProofVerifier function of filestash
v0.4 cause the application to skip the TLS certificate verification
process when sending out email verification codes, possibly allowing
attackers to access sensitive data via a man-in-the-middle attack.
In the current implementation of the ShareProofVerifier function within share.go
found at github.com/m/mickael-kerjean/filestash/server/model,
the TLS verification is being bypassed when sending out email
verification codes. This practice is explicitly warned against in
[Suggested description]
An issue was discovered in litestream v0.3.13. The usage of
ssh.InsecureIgnoreHostKey() disables host key verification, possibly
allowing attackers to obtain sensitive information via a
man-in-the-middle attack.
------------------------------------------
[VulnerabilityType Other]
CWE-305 CWE-306
[Suggested description]
goframe v2.7.2 is configured to skip TLS certificate verification,
possibly allowing attackers to execute a man-in-the-middle attack.
The GHTTP client in our project is configured by default to skip
TLS certificate verification. This default setting undermines
security by exposing connections to potential man-in-the-middle
attacks and compromising data integrity.
------------------------------------------