VYPR

rpm package

opensuse/rekor (distro: openSUSE Tumbleweed)

pkg:rpm/opensuse/rekor&distro=openSUSE%20Tumbleweed

Vulnerabilities (14)

  • CVE-2026-24117 (Jan 22, 2026)
    affected: < 1.5.0-1.1; fixed: 1.5.0-1.1

    Rekor is a software supply chain transparency log. In versions 1.4.3 and below, attackers can trigger SSRF to arbitrary internal services because /api/v1/index/retrieve supports retrieving a public key via a user-provided URL. Since the SSRF can only trigger GET requests, the reque

  • CVE-2026-23831 (Jan 22, 2026)
    affected: < 1.5.0-1.1; fixed: 1.5.0-1.1

    Rekor is a software supply chain transparency log. In versions 1.4.3 and below, the entry implementation can panic on attacker-controlled input when canonicalizing a proposed entry with an empty spec.message, causing a nil pointer dereference. Function validate() returns nil (succe

  • CVE-2025-58181 (Nov 19, 2025)
    affected: < 1.5.0-1.1; fixed: 1.5.0-1.1

    SSH servers parsing GSSAPI authentication requests do not validate the number of mechanisms specified in the request, allowing an attacker to cause unbounded memory consumption.

  • CVE-2025-58058 (Medium, Aug 28, 2025)
    affected: < 1.4.1-1.1; fixed: 1.4.1-1.1

    xz is a pure golang package for reading and writing xz-compressed files. Prior to version 0.5.14, it is possible to put data in front of an LZMA-encoded byte stream without detecting the situation while reading the header. This can lead to increased memory consumption because the

  • CVE-2025-30204 (High, Mar 21, 2025)
    affected: < 1.3.10-1.1; fixed: 1.3.10-1.1

    golang-jwt is a Go implementation of JSON Web Tokens. Starting in version 3.2.0 and prior to versions 5.2.2 and 4.5.2, the function parse.ParseUnverified splits (via a call to strings.Split) its argument (which is untrusted data) on periods. As a result, in the face of a maliciou

  • CVE-2025-29923 (Low, Mar 20, 2025)
    affected: < 1.4.1-1.1; fixed: 1.4.1-1.1

    go-redis is the official Redis client library for the Go programming language. Prior to 9.5.5, 9.6.3, and 9.7.3, go-redis potentially responds out of order when `CLIENT SETINFO` times out during connection establishment. This can happen when the client is configured to transmit i

  • CVE-2025-22868 (Feb 26, 2025)
    affected: < 1.3.10-1.1; fixed: 1.3.10-1.1

    An attacker can pass a malicious malformed token which causes unexpected memory to be consumed during parsing.

  • CVE-2025-22869 (Feb 26, 2025)
    affected: < 1.3.10-1.1; fixed: 1.3.10-1.1

    SSH servers which implement file transfer protocols are vulnerable to a denial of service attack from clients which complete the key exchange slowly, or not at all, causing pending content to be read into memory, but never transmitted.

  • CVE-2025-27144 (Medium, Feb 24, 2025)
    affected: < 1.3.10-1.1; fixed: 1.3.10-1.1

    Go JOSE provides an implementation of the Javascript Object Signing and Encryption set of standards in Go, including support for JSON Web Encryption (JWE), JSON Web Signature (JWS), and JSON Web Token (JWT) standards. In versions on the 4.x branch prior to version 4.0.5, when par

  • CVE-2024-6104 (Jun 24, 2024)
    affected: < 1.3.10-1.1; fixed: 1.3.10-1.1

    go-retryablehttp prior to 0.7.7 did not sanitize URLs when writing them to its log file. This could lead to go-retryablehttp writing sensitive HTTP basic auth credentials to its log file. This vulnerability, CVE-2024-6104, was fixed in go-retryablehttp 0.7.7.

  • CVE-2023-45288 (High, Apr 4, 2024)
    affected: < 1.3.10-1.1; fixed: 1.3.10-1.1

    An attacker may cause an HTTP/2 endpoint to read arbitrary amounts of header data by sending an excessive number of CONTINUATION frames. Maintaining HPACK state requires parsing and processing all HEADERS and CONTINUATION frames on a connection. When a request's headers exceed Ma

  • CVE-2023-48795 (Medium, Dec 18, 2023)
    affected: < 1.3.5-1.1; fixed: 1.3.5-1.1

    The SSH transport protocol with certain OpenSSH extensions, found in OpenSSH before 9.6 and other products, allows remote attackers to bypass integrity checks such that some packets are omitted (from the extension negotiation message), and a client and server may consequently end

  • CVE-2023-33199 (May 26, 2023)
    affected: < 1.2.1-1.1; fixed: 1.2.1-1.1

    Rekor's goal is to provide an immutable, tamper-resistant ledger of metadata generated within a software project's supply chain. A malformed proposed entry of the `intoto/v0.0.2` type can cause a panic on a thread within the Rekor process. The thread is recovered so the client re

  • CVE-2023-30551 (May 8, 2023)
    affected: < 1.1.1-2.1; fixed: 1.1.1-2.1

    Rekor is an open source software supply chain transparency log. Rekor prior to version 1.1.1 may crash due to out of memory (OOM) conditions caused by reading archive metadata files into memory without checking their sizes first. Verification of a JAR file submitted to Rekor can