Go Vulnerability Database
Data about new vulnerabilities come directly from Go package maintainers or sources such as MITRE and GitHub. Reports are curated by the Go Security team. Learn more at go.dev/security/vuln.
Recent Reports
- CVE-2024-35223, GHSA-284c-x8m7-9w5h
- Affects: github.com/dapr/dapr
- Published: May 24, 2024
- Unreviewed
Dapr API Token Exposure in github.com/dapr/dapr
- GHSA-qjcv-rx3v-7mvj
- Affects: github.com/cosmos/ibc-go, github.com/cosmos/ibc-go/v2, and 5 more
- Published: May 23, 2024
The ibc-go module is affected by the Inter-Blockchain Communication (IBC) protocol "Huckleberry" vulnerability. The vulnerability allowed an attacker to send arbitrary transactions onto target chains and trigger arbitrary state transitions, including, but not limited to, theft of funds. It was possible to exploit this vulnerability in specific situations involving relaying packets in which the source chain is also the final destination chain. Affected networks are those that allow for fee grant capabilities and use a native Relayer (e.g., Osmosis and Juno).
- CVE-2024-35192, GHSA-xcq4-m2r3-cmrj
- Affects: github.com/aquasecurity/trivy
- Published: May 22, 2024
A malicious registry can cause Trivy to leak credentials for legitimate registries such as AWS Elastic Container Registry (ECR), Google Cloud Artifact/Container Registry, or Azure Container Registry (ACR) if the registry is scanned directly using Trivy. These tokens can then be used to push/pull images from those registries to which the identity/user running Trivy has access. This vulnerability only applies when scanning container images directly from a registry. If you use Docker, containerd, or another runtime to pull images locally and scan them with Trivy, you are not affected. To enforce this behavior, you can use the --image-src flag to select which sources you trust.
- CVE-2024-35185, GHSA-fjw8-3gp8-4cvx
- Affects: github.com/stacklok/minder
- Published: May 20, 2024
- Unreviewed
Denial of service of Minder Server with attacker-controlled REST endpoint in github.com/stacklok/minder
- CVE-2024-3727, GHSA-6wvf-f2vw-3425
- Affects: github.com/containers/image/v5
- Published: May 20, 2024
An attacker may trigger unexpected authenticated registry accesses on behalf of a victim user, causing resource exhaustion, local path traversal, and other attacks.
If you don't see an existing, public Go vulnerability in a publicly importable package in our database, please let us know.