rpm package
opensuse/velero&distro=openSUSE Tumbleweed
pkg:rpm/opensuse/velero&distro=openSUSE%20Tumbleweed
Vulnerabilities (10)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2024-45338 | Med | 5.3 | < 1.15.1-1.1 | 1.15.1-1.1 | Dec 18, 2024 | An attacker can craft an input to the Parse functions that would be processed non-linearly with respect to its length, resulting in extremely slow parsing. This could cause a denial of service. | |
| CVE-2024-45337 | Cri | 9.1 | < 1.15.1-1.1 | 1.15.1-1.1 | Dec 12, 2024 | Applications and libraries which misuse connection.serverAuthenticate (via callback field ServerConfig.PublicKeyCallback) may be susceptible to an authorization bypass. The documentation for ServerConfig.PublicKeyCallback says that "A call to this function does not guarantee that | |
| CVE-2023-39325 | — | < 1.12.1-1.1 | 1.12.1-1.1 | Oct 11, 2023 | A malicious HTTP/2 client which rapidly creates requests and immediately resets them can cause excessive server resource consumption. While the total number of requests is bounded by the http2.Server.MaxConcurrentStreams setting, resetting an in-progress request allows the attack | ||
| CVE-2023-44487 | Hig | 7.5 | KEV | < 1.12.2-1.1 | 1.12.2-1.1 | Oct 10, 2023 | The HTTP/2 protocol allows a denial of service (server resource consumption) because request cancellation can reset many streams quickly, as exploited in the wild in August through October 2023. |
| CVE-2022-41717 | — | < 1.11.1-1.1 | 1.11.1-1.1 | Dec 8, 2022 | An attacker can cause excessive memory growth in a Go server accepting HTTP/2 requests. HTTP/2 server connections contain a cache of HTTP header keys sent by the client. While the total number of entries in this cache is capped, an attacker sending very large keys can cause the s | ||
| CVE-2022-1962 | — | < 1.9.2-1.1 | 1.9.2-1.1 | Aug 9, 2022 | Uncontrolled recursion in the Parse functions in go/parser before Go 1.17.12 and Go 1.18.4 allow an attacker to cause a panic due to stack exhaustion via deeply nested types or declarations. | ||
| CVE-2022-27191 | — | < 1.11.1-1.1 | 1.11.1-1.1 | Mar 18, 2022 | The golang.org/x/crypto/ssh package before 0.0.0-20220314234659-1baeb1ce4c0b for Go allows an attacker to crash a server in certain circumstances involving AddHostKey. | ||
| CVE-2021-3121 | — | < 1.7.0-1.1 | 1.7.0-1.1 | Jan 11, 2021 | An issue was discovered in GoGo Protobuf before 1.3.2. plugin/unmarshal/unmarshal.go lacks certain index validation, aka the "skippy peanut butter" issue. | ||
| CVE-2020-29652 | — | < 1.7.1-1.1 | 1.7.1-1.1 | Dec 17, 2020 | A nil pointer dereference in the golang.org/x/crypto/ssh component through v0.0.0-20201203163018-be400aefbc4c for Go allows remote attackers to cause a denial of service against SSH servers. | ||
| CVE-2020-3996 | — | < 1.6.3-1.2 | 1.6.3-1.2 | Oct 22, 2020 | Velero (prior to 1.4.3 and 1.5.2) in some instances doesn’t properly manage volume identifiers which may result in information leakage to unauthorized users. |
- affected < 1.15.1-1.1fixed 1.15.1-1.1
An attacker can craft an input to the Parse functions that would be processed non-linearly with respect to its length, resulting in extremely slow parsing. This could cause a denial of service.
- affected < 1.15.1-1.1fixed 1.15.1-1.1
Applications and libraries which misuse connection.serverAuthenticate (via callback field ServerConfig.PublicKeyCallback) may be susceptible to an authorization bypass. The documentation for ServerConfig.PublicKeyCallback says that "A call to this function does not guarantee that
- CVE-2023-39325Oct 11, 2023affected < 1.12.1-1.1fixed 1.12.1-1.1
A malicious HTTP/2 client which rapidly creates requests and immediately resets them can cause excessive server resource consumption. While the total number of requests is bounded by the http2.Server.MaxConcurrentStreams setting, resetting an in-progress request allows the attack
- affected < 1.12.2-1.1fixed 1.12.2-1.1
The HTTP/2 protocol allows a denial of service (server resource consumption) because request cancellation can reset many streams quickly, as exploited in the wild in August through October 2023.
- CVE-2022-41717Dec 8, 2022affected < 1.11.1-1.1fixed 1.11.1-1.1
An attacker can cause excessive memory growth in a Go server accepting HTTP/2 requests. HTTP/2 server connections contain a cache of HTTP header keys sent by the client. While the total number of entries in this cache is capped, an attacker sending very large keys can cause the s
- CVE-2022-1962Aug 9, 2022affected < 1.9.2-1.1fixed 1.9.2-1.1
Uncontrolled recursion in the Parse functions in go/parser before Go 1.17.12 and Go 1.18.4 allow an attacker to cause a panic due to stack exhaustion via deeply nested types or declarations.
- CVE-2022-27191Mar 18, 2022affected < 1.11.1-1.1fixed 1.11.1-1.1
The golang.org/x/crypto/ssh package before 0.0.0-20220314234659-1baeb1ce4c0b for Go allows an attacker to crash a server in certain circumstances involving AddHostKey.
- CVE-2021-3121Jan 11, 2021affected < 1.7.0-1.1fixed 1.7.0-1.1
An issue was discovered in GoGo Protobuf before 1.3.2. plugin/unmarshal/unmarshal.go lacks certain index validation, aka the "skippy peanut butter" issue.
- CVE-2020-29652Dec 17, 2020affected < 1.7.1-1.1fixed 1.7.1-1.1
A nil pointer dereference in the golang.org/x/crypto/ssh component through v0.0.0-20201203163018-be400aefbc4c for Go allows remote attackers to cause a denial of service against SSH servers.
- CVE-2020-3996Oct 22, 2020affected < 1.6.3-1.2fixed 1.6.3-1.2
Velero (prior to 1.4.3 and 1.5.2) in some instances doesn’t properly manage volume identifiers which may result in information leakage to unauthorized users.