csaf_opensuse - opensuse-su-2025:14653-1

opensuse-su-2025:14653-1

Vulnerability from csaf_opensuse

Published

2025-01-16 00:00

Modified

2025-01-16 00:00

Summary

govulncheck-vulndb-0.0.20250115T172141-1.1 on GA media

Notes

Title of the patch

govulncheck-vulndb-0.0.20250115T172141-1.1 on GA media

Description of the patch

These are all security issues fixed in the govulncheck-vulndb-0.0.20250115T172141-1.1 package on the GA media of openSUSE Tumbleweed.

Patchnames

openSUSE-Tumbleweed-2025-14653

CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).

JSON

To clipboard

{
  "document": {
    "aggregate_severity": {
      "namespace": "https://www.suse.com/support/security/rating/",
      "text": "moderate"
    },
    "category": "csaf_security_advisory",
    "csaf_version": "2.0",
    "distribution": {
      "text": "Copyright 2024 SUSE LLC. All rights reserved.",
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "en",
    "notes": [
      {
        "category": "summary",
        "text": "govulncheck-vulndb-0.0.20250115T172141-1.1 on GA media",
        "title": "Title of the patch"
      },
      {
        "category": "description",
        "text": "These are all security issues fixed in the govulncheck-vulndb-0.0.20250115T172141-1.1 package on the GA media of openSUSE Tumbleweed.",
        "title": "Description of the patch"
      },
      {
        "category": "details",
        "text": "openSUSE-Tumbleweed-2025-14653",
        "title": "Patchnames"
      },
      {
        "category": "legal_disclaimer",
        "text": "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).",
        "title": "Terms of use"
      }
    ],
    "publisher": {
      "category": "vendor",
      "contact_details": "https://www.suse.com/support/security/contact/",
      "name": "SUSE Product Security Team",
      "namespace": "https://www.suse.com/"
    },
    "references": [
      {
        "category": "external",
        "summary": "SUSE ratings",
        "url": "https://www.suse.com/support/security/rating/"
      },
      {
        "category": "self",
        "summary": "URL of this CSAF notice",
        "url": "https://ftp.suse.com/pub/projects/security/csaf/opensuse-su-2025_14653-1.json"
      },
      {
        "category": "self",
        "summary": "URL for openSUSE-SU-2025:14653-1",
        "url": "https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/3ISCFQBRATG2LAA3K5XNETXSCP77AAKA/"
      },
      {
        "category": "self",
        "summary": "E-Mail link for openSUSE-SU-2025:14653-1",
        "url": "https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/3ISCFQBRATG2LAA3K5XNETXSCP77AAKA/"
      },
      {
        "category": "self",
        "summary": "SUSE CVE CVE-2024-51491 page",
        "url": "https://www.suse.com/security/cve/CVE-2024-51491/"
      },
      {
        "category": "self",
        "summary": "SUSE CVE CVE-2024-52281 page",
        "url": "https://www.suse.com/security/cve/CVE-2024-52281/"
      },
      {
        "category": "self",
        "summary": "SUSE CVE CVE-2024-53263 page",
        "url": "https://www.suse.com/security/cve/CVE-2024-53263/"
      },
      {
        "category": "self",
        "summary": "SUSE CVE CVE-2024-56138 page",
        "url": "https://www.suse.com/security/cve/CVE-2024-56138/"
      },
      {
        "category": "self",
        "summary": "SUSE CVE CVE-2024-56323 page",
        "url": "https://www.suse.com/security/cve/CVE-2024-56323/"
      }
    ],
    "title": "govulncheck-vulndb-0.0.20250115T172141-1.1 on GA media",
    "tracking": {
      "current_release_date": "2025-01-16T00:00:00Z",
      "generator": {
        "date": "2025-01-16T00:00:00Z",
        "engine": {
          "name": "cve-database.git:bin/generate-csaf.pl",
          "version": "1"
        }
      },
      "id": "openSUSE-SU-2025:14653-1",
      "initial_release_date": "2025-01-16T00:00:00Z",
      "revision_history": [
        {
          "date": "2025-01-16T00:00:00Z",
          "number": "1",
          "summary": "Current version"
        }
      ],
      "status": "final",
      "version": "1"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_version",
                "name": "govulncheck-vulndb-0.0.20250115T172141-1.1.aarch64",
                "product": {
                  "name": "govulncheck-vulndb-0.0.20250115T172141-1.1.aarch64",
                  "product_id": "govulncheck-vulndb-0.0.20250115T172141-1.1.aarch64"
                }
              }
            ],
            "category": "architecture",
            "name": "aarch64"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "govulncheck-vulndb-0.0.20250115T172141-1.1.ppc64le",
                "product": {
                  "name": "govulncheck-vulndb-0.0.20250115T172141-1.1.ppc64le",
                  "product_id": "govulncheck-vulndb-0.0.20250115T172141-1.1.ppc64le"
                }
              }
            ],
            "category": "architecture",
            "name": "ppc64le"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "govulncheck-vulndb-0.0.20250115T172141-1.1.s390x",
                "product": {
                  "name": "govulncheck-vulndb-0.0.20250115T172141-1.1.s390x",
                  "product_id": "govulncheck-vulndb-0.0.20250115T172141-1.1.s390x"
                }
              }
            ],
            "category": "architecture",
            "name": "s390x"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "govulncheck-vulndb-0.0.20250115T172141-1.1.x86_64",
                "product": {
                  "name": "govulncheck-vulndb-0.0.20250115T172141-1.1.x86_64",
                  "product_id": "govulncheck-vulndb-0.0.20250115T172141-1.1.x86_64"
                }
              }
            ],
            "category": "architecture",
            "name": "x86_64"
          },
          {
            "branches": [
              {
                "category": "product_name",
                "name": "openSUSE Tumbleweed",
                "product": {
                  "name": "openSUSE Tumbleweed",
                  "product_id": "openSUSE Tumbleweed",
                  "product_identification_helper": {
                    "cpe": "cpe:/o:opensuse:tumbleweed"
                  }
                }
              }
            ],
            "category": "product_family",
            "name": "SUSE Linux Enterprise"
          }
        ],
        "category": "vendor",
        "name": "SUSE"
      }
    ],
    "relationships": [
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "govulncheck-vulndb-0.0.20250115T172141-1.1.aarch64 as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250115T172141-1.1.aarch64"
        },
        "product_reference": "govulncheck-vulndb-0.0.20250115T172141-1.1.aarch64",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "govulncheck-vulndb-0.0.20250115T172141-1.1.ppc64le as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250115T172141-1.1.ppc64le"
        },
        "product_reference": "govulncheck-vulndb-0.0.20250115T172141-1.1.ppc64le",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "govulncheck-vulndb-0.0.20250115T172141-1.1.s390x as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250115T172141-1.1.s390x"
        },
        "product_reference": "govulncheck-vulndb-0.0.20250115T172141-1.1.s390x",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "govulncheck-vulndb-0.0.20250115T172141-1.1.x86_64 as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250115T172141-1.1.x86_64"
        },
        "product_reference": "govulncheck-vulndb-0.0.20250115T172141-1.1.x86_64",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2024-51491",
      "ids": [
        {
          "system_name": "SUSE CVE Page",
          "text": "https://www.suse.com/security/cve/CVE-2024-51491"
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "notion-go is a collection of libraries for supporting sign and verify OCI artifacts. Based on Notary Project specifications. The issue was identified during Quarkslab\u0027s security audit on the Certificate Revocation List (CRL) based revocation check feature.\nAfter retrieving the CRL, notation-go attempts to update the CRL cache using the os.Rename method. However, this operation may fail due to operating system-specific limitations, particularly when the source and destination paths are on different mount points. This failure could lead to an unexpected program termination. In method `crl.(*FileCache).Set`, a temporary file is created in the OS dedicated area (like /tmp for, usually, Linux/Unix). The file is written and then it is tried to move it to the dedicated `notation` cache directory thanks `os.Rename`. As specified in Go documentation, OS specific restriction may apply. When used with Linux OS, it is relying on rename syscall from the libc and as per the documentation, moving a file to a different mountpoint raises an EXDEV error, interpreted as Cross device link not permitted error. Some Linux distribution, like RedHat use a dedicated filesystem (tmpfs), mounted on a specific mountpoint (usually /tmp) for temporary files. When using such OS, revocation check based on CRL will repeatedly crash notation. As a result the signature verification process is aborted as process crashes. This issue has been addressed in version 1.3.0-rc.2 and all users are advised to upgrade. There are no known workarounds for this vulnerability.",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "recommended": [
          "openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250115T172141-1.1.aarch64",
          "openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250115T172141-1.1.ppc64le",
          "openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250115T172141-1.1.s390x",
          "openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250115T172141-1.1.x86_64"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVE-2024-51491",
          "url": "https://www.suse.com/security/cve/CVE-2024-51491"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
          "product_ids": [
            "openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250115T172141-1.1.aarch64",
            "openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250115T172141-1.1.ppc64le",
            "openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250115T172141-1.1.s390x",
            "openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250115T172141-1.1.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "date": "2025-01-16T00:00:00Z",
          "details": "low"
        }
      ],
      "title": "CVE-2024-51491"
    },
    {
      "cve": "CVE-2024-52281",
      "ids": [
        {
          "system_name": "SUSE CVE Page",
          "text": "https://www.suse.com/security/cve/CVE-2024-52281"
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "A: Improper Neutralization of Input During Web Page Generation vulnerability in SUSE rancher allows a malicious actor to perform a Stored XSS attack through the cluster description field.\nThis issue affects rancher: from 2.9.0 before 2.9.4.",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "recommended": [
          "openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250115T172141-1.1.aarch64",
          "openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250115T172141-1.1.ppc64le",
          "openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250115T172141-1.1.s390x",
          "openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250115T172141-1.1.x86_64"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVE-2024-52281",
          "url": "https://www.suse.com/security/cve/CVE-2024-52281"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1233339 for CVE-2024-52281",
          "url": "https://bugzilla.suse.com/1233339"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
          "product_ids": [
            "openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250115T172141-1.1.aarch64",
            "openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250115T172141-1.1.ppc64le",
            "openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250115T172141-1.1.s390x",
            "openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250115T172141-1.1.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "date": "2025-01-16T00:00:00Z",
          "details": "important"
        }
      ],
      "title": "CVE-2024-52281"
    },
    {
      "cve": "CVE-2024-53263",
      "ids": [
        {
          "system_name": "SUSE CVE Page",
          "text": "https://www.suse.com/security/cve/CVE-2024-53263"
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "Git LFS is a Git extension for versioning large files. When Git LFS requests credentials from Git for a remote host, it passes portions of the host\u0027s URL to the `git-credential(1)` command without checking for embedded line-ending control characters, and then sends any credentials it receives back from the Git credential helper to the remote host. By inserting URL-encoded control characters such as line feed (LF) or carriage return (CR) characters into the URL, an attacker may be able to retrieve a user\u0027s Git credentials. This problem exists in all previous versions and is patched in v3.6.1. All users should upgrade to v3.6.1. There are no workarounds known at this time.",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "recommended": [
          "openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250115T172141-1.1.aarch64",
          "openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250115T172141-1.1.ppc64le",
          "openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250115T172141-1.1.s390x",
          "openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250115T172141-1.1.x86_64"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVE-2024-53263",
          "url": "https://www.suse.com/security/cve/CVE-2024-53263"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1235876 for CVE-2024-53263",
          "url": "https://bugzilla.suse.com/1235876"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
          "product_ids": [
            "openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250115T172141-1.1.aarch64",
            "openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250115T172141-1.1.ppc64le",
            "openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250115T172141-1.1.s390x",
            "openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250115T172141-1.1.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "date": "2025-01-16T00:00:00Z",
          "details": "moderate"
        }
      ],
      "title": "CVE-2024-53263"
    },
    {
      "cve": "CVE-2024-56138",
      "ids": [
        {
          "system_name": "SUSE CVE Page",
          "text": "https://www.suse.com/security/cve/CVE-2024-56138"
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "notion-go is a collection of libraries for supporting sign and verify OCI artifacts. Based on Notary Project specifications. This issue was identified during Quarkslab\u0027s audit of the timestamp feature. During the timestamp signature generation, the revocation status of the certificate(s) used to generate the timestamp signature was not verified. During timestamp signature generation, notation-go did not check the revocation status of the certificate chain used by the TSA. This oversight creates a vulnerability that could be exploited through a Man-in-The-Middle attack. An attacker could potentially use a compromised, intermediate, or revoked leaf certificate to generate a malicious countersignature, which would then be accepted and stored by `notation`. This could lead to denial of service scenarios, particularly in CI/CD environments during signature verification processes because timestamp signature would fail due to the presence of a revoked certificate(s) potentially disrupting operations. This issue has been addressed in release version 1.3.0-rc.2 and all users are advised to upgrade. There are no known workarounds for this vulnerability.",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "recommended": [
          "openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250115T172141-1.1.aarch64",
          "openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250115T172141-1.1.ppc64le",
          "openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250115T172141-1.1.s390x",
          "openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250115T172141-1.1.x86_64"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVE-2024-56138",
          "url": "https://www.suse.com/security/cve/CVE-2024-56138"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
          "product_ids": [
            "openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250115T172141-1.1.aarch64",
            "openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250115T172141-1.1.ppc64le",
            "openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250115T172141-1.1.s390x",
            "openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250115T172141-1.1.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "date": "2025-01-16T00:00:00Z",
          "details": "moderate"
        }
      ],
      "title": "CVE-2024-56138"
    },
    {
      "cve": "CVE-2024-56323",
      "ids": [
        {
          "system_name": "SUSE CVE Page",
          "text": "https://www.suse.com/security/cve/CVE-2024-56323"
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "OpenFGA is an authorization/permission engine. IN OpenFGA v1.3.8 to v1.8.2 (Helm chart openfga-0.1.38 to openfga-0.2.19, docker v1.3.8 to v.1.8.2)  are vulnerable to authorization bypass under the following conditions: 1. calling Check API or ListObjects with a model that uses [conditions](https://openfga.dev/docs/modeling/conditions), and 2. calling Check API or ListObjects API with [contextual tuples](https://openfga.dev/docs/concepts#what-are-contextual-tuples) that include conditions and 3. OpenFGA is configured with caching enabled (`OPENFGA_CHECK_QUERY_CACHE_ENABLED`). Users are advised to upgrade to v1.8.3. There are no known workarounds for this vulnerability.",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "recommended": [
          "openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250115T172141-1.1.aarch64",
          "openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250115T172141-1.1.ppc64le",
          "openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250115T172141-1.1.s390x",
          "openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250115T172141-1.1.x86_64"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVE-2024-56323",
          "url": "https://www.suse.com/security/cve/CVE-2024-56323"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
          "product_ids": [
            "openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250115T172141-1.1.aarch64",
            "openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250115T172141-1.1.ppc64le",
            "openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250115T172141-1.1.s390x",
            "openSUSE Tumbleweed:govulncheck-vulndb-0.0.20250115T172141-1.1.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "date": "2025-01-16T00:00:00Z",
          "details": "moderate"
        }
      ],
      "title": "CVE-2024-56323"
    }
  ]
}

CVE-2024-51491 (GCVE-0-2024-51491)

Vulnerability from cvelistv5

Published

2025-01-13 21:42

Modified

2025-01-14 00:19

Severity ?

3.3 (Low) - CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L

CWE

CWE-703 - Improper Check or Handling of Exceptional Conditions

Summary

notion-go is a collection of libraries for supporting sign and verify OCI artifacts. Based on Notary Project specifications. The issue was identified during Quarkslab's security audit on the Certificate Revocation List (CRL) based revocation check feature. After retrieving the CRL, notation-go attempts to update the CRL cache using the os.Rename method. However, this operation may fail due to operating system-specific limitations, particularly when the source and destination paths are on different mount points. This failure could lead to an unexpected program termination. In method `crl.(*FileCache).Set`, a temporary file is created in the OS dedicated area (like /tmp for, usually, Linux/Unix). The file is written and then it is tried to move it to the dedicated `notation` cache directory thanks `os.Rename`. As specified in Go documentation, OS specific restriction may apply. When used with Linux OS, it is relying on rename syscall from the libc and as per the documentation, moving a file to a different mountpoint raises an EXDEV error, interpreted as Cross device link not permitted error. Some Linux distribution, like RedHat use a dedicated filesystem (tmpfs), mounted on a specific mountpoint (usually /tmp) for temporary files. When using such OS, revocation check based on CRL will repeatedly crash notation. As a result the signature verification process is aborted as process crashes. This issue has been addressed in version 1.3.0-rc.2 and all users are advised to upgrade. There are no known workarounds for this vulnerability.

References

►

URL

Tags

	https://github.com/notaryproject/notation-go/security/advisories/GHSA-qjh3-4j3h-vmwp	x_refsource_CONFIRM
	https://github.com/notaryproject/notation-go/commit/3c3302258ad510fbca2f8a73731569d91f07d196	x_refsource_MISC
	https://man7.org/linux/man-pages/man2/rename.2.html	x_refsource_MISC

Impacted products

	Vendor	Product	Version
	notaryproject	notation-go	Version: = 1.3.0-rc.1

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2024-51491",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-01-14T00:18:53.695137Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-01-14T00:19:12.573Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "references": [
          {
            "tags": [
              "exploit"
            ],
            "url": "https://github.com/notaryproject/notation-go/security/advisories/GHSA-qjh3-4j3h-vmwp"
          }
        ],
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "notation-go",
          "vendor": "notaryproject",
          "versions": [
            {
              "status": "affected",
              "version": "= 1.3.0-rc.1"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "notion-go is a collection of libraries for supporting sign and verify OCI artifacts. Based on Notary Project specifications. The issue was identified during Quarkslab\u0027s security audit on the Certificate Revocation List (CRL) based revocation check feature.\nAfter retrieving the CRL, notation-go attempts to update the CRL cache using the os.Rename method. However, this operation may fail due to operating system-specific limitations, particularly when the source and destination paths are on different mount points. This failure could lead to an unexpected program termination. In method `crl.(*FileCache).Set`, a temporary file is created in the OS dedicated area (like /tmp for, usually, Linux/Unix). The file is written and then it is tried to move it to the dedicated `notation` cache directory thanks `os.Rename`. As specified in Go documentation, OS specific restriction may apply. When used with Linux OS, it is relying on rename syscall from the libc and as per the documentation, moving a file to a different mountpoint raises an EXDEV error, interpreted as Cross device link not permitted error. Some Linux distribution, like RedHat use a dedicated filesystem (tmpfs), mounted on a specific mountpoint (usually /tmp) for temporary files. When using such OS, revocation check based on CRL will repeatedly crash notation. As a result the signature verification process is aborted as process crashes. This issue has been addressed in version 1.3.0-rc.2 and all users are advised to upgrade. There are no known workarounds for this vulnerability."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "LOCAL",
            "availabilityImpact": "LOW",
            "baseScore": 3.3,
            "baseSeverity": "LOW",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-703",
              "description": "CWE-703: Improper Check or Handling of Exceptional Conditions",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-01-13T21:42:11.493Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/notaryproject/notation-go/security/advisories/GHSA-qjh3-4j3h-vmwp",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/notaryproject/notation-go/security/advisories/GHSA-qjh3-4j3h-vmwp"
        },
        {
          "name": "https://github.com/notaryproject/notation-go/commit/3c3302258ad510fbca2f8a73731569d91f07d196",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/notaryproject/notation-go/commit/3c3302258ad510fbca2f8a73731569d91f07d196"
        },
        {
          "name": "https://man7.org/linux/man-pages/man2/rename.2.html",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://man7.org/linux/man-pages/man2/rename.2.html"
        }
      ],
      "source": {
        "advisory": "GHSA-qjh3-4j3h-vmwp",
        "discovery": "UNKNOWN"
      },
      "title": "Process crash during CRL-based revocation check on OS using separate mount point for temp Directory in notation-go"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2024-51491",
    "datePublished": "2025-01-13T21:42:11.493Z",
    "dateReserved": "2024-10-28T14:20:59.337Z",
    "dateUpdated": "2025-01-14T00:19:12.573Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2024-56138 (GCVE-0-2024-56138)

Vulnerability from cvelistv5

Published

2025-01-13 21:37

Modified

2025-01-14 00:26

Severity ?

4.0 (Medium) - CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

CWE

CWE-299 - Improper Check for Certificate Revocation

Summary

notion-go is a collection of libraries for supporting sign and verify OCI artifacts. Based on Notary Project specifications. This issue was identified during Quarkslab's audit of the timestamp feature. During the timestamp signature generation, the revocation status of the certificate(s) used to generate the timestamp signature was not verified. During timestamp signature generation, notation-go did not check the revocation status of the certificate chain used by the TSA. This oversight creates a vulnerability that could be exploited through a Man-in-The-Middle attack. An attacker could potentially use a compromised, intermediate, or revoked leaf certificate to generate a malicious countersignature, which would then be accepted and stored by `notation`. This could lead to denial of service scenarios, particularly in CI/CD environments during signature verification processes because timestamp signature would fail due to the presence of a revoked certificate(s) potentially disrupting operations. This issue has been addressed in release version 1.3.0-rc.2 and all users are advised to upgrade. There are no known workarounds for this vulnerability.

References

►

URL

Tags

	https://github.com/notaryproject/notation-go/security/advisories/GHSA-45v3-38pc-874v	x_refsource_CONFIRM
	https://github.com/notaryproject/notation-go/commit/e7005a6d13e5ba472d4e166fbb085152f909e102	x_refsource_MISC

Impacted products

	Vendor	Product	Version
	notaryproject	notation-go	Version: < 1.3.0-rc.2

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2024-56138",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-01-14T00:25:46.882500Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-01-14T00:26:00.838Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "notation-go",
          "vendor": "notaryproject",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 1.3.0-rc.2"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "notion-go is a collection of libraries for supporting sign and verify OCI artifacts. Based on Notary Project specifications. This issue was identified during Quarkslab\u0027s audit of the timestamp feature. During the timestamp signature generation, the revocation status of the certificate(s) used to generate the timestamp signature was not verified. During timestamp signature generation, notation-go did not check the revocation status of the certificate chain used by the TSA. This oversight creates a vulnerability that could be exploited through a Man-in-The-Middle attack. An attacker could potentially use a compromised, intermediate, or revoked leaf certificate to generate a malicious countersignature, which would then be accepted and stored by `notation`. This could lead to denial of service scenarios, particularly in CI/CD environments during signature verification processes because timestamp signature would fail due to the presence of a revoked certificate(s) potentially disrupting operations. This issue has been addressed in release version 1.3.0-rc.2 and all users are advised to upgrade. There are no known workarounds for this vulnerability."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "LOCAL",
            "availabilityImpact": "LOW",
            "baseScore": 4,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-299",
              "description": "CWE-299: Improper Check for Certificate Revocation",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-01-13T21:37:59.729Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/notaryproject/notation-go/security/advisories/GHSA-45v3-38pc-874v",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/notaryproject/notation-go/security/advisories/GHSA-45v3-38pc-874v"
        },
        {
          "name": "https://github.com/notaryproject/notation-go/commit/e7005a6d13e5ba472d4e166fbb085152f909e102",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/notaryproject/notation-go/commit/e7005a6d13e5ba472d4e166fbb085152f909e102"
        }
      ],
      "source": {
        "advisory": "GHSA-45v3-38pc-874v",
        "discovery": "UNKNOWN"
      },
      "title": "Timestamp signature generation lacks certificate revocation check in notion-go"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2024-56138",
    "datePublished": "2025-01-13T21:37:59.729Z",
    "dateReserved": "2024-12-16T17:30:30.068Z",
    "dateUpdated": "2025-01-14T00:26:00.838Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2024-56323 (GCVE-0-2024-56323)

Vulnerability from cvelistv5

Published

2025-01-13 21:33

Modified

2025-01-14 00:29

Severity ?

5.8 (Medium) - CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:N/VA:N/SC:H/SI:H/SA:H

CWE

CWE-285 - Improper Authorization

Summary

OpenFGA is an authorization/permission engine. IN OpenFGA v1.3.8 to v1.8.2 (Helm chart openfga-0.1.38 to openfga-0.2.19, docker v1.3.8 to v.1.8.2) are vulnerable to authorization bypass under the following conditions: 1. calling Check API or ListObjects with a model that uses [conditions](https://openfga.dev/docs/modeling/conditions), and 2. calling Check API or ListObjects API with [contextual tuples](https://openfga.dev/docs/concepts#what-are-contextual-tuples) that include conditions and 3. OpenFGA is configured with caching enabled (`OPENFGA_CHECK_QUERY_CACHE_ENABLED`). Users are advised to upgrade to v1.8.3. There are no known workarounds for this vulnerability.

References

►

URL

Tags

https://github.com/openfga/openfga/security/advisories/GHSA-32q6-rr98-cjqv

x_refsource_CONFIRM

Impacted products

	Vendor	Product	Version
	openfga	openfga	Version: >=1.3.8, <1.8.3

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2024-56323",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-01-14T00:29:46.209818Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-01-14T00:29:58.019Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "openfga",
          "vendor": "openfga",
          "versions": [
            {
              "status": "affected",
              "version": "\u003e=1.3.8, \u003c1.8.3"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "OpenFGA is an authorization/permission engine. IN OpenFGA v1.3.8 to v1.8.2 (Helm chart openfga-0.1.38 to openfga-0.2.19, docker v1.3.8 to v.1.8.2)  are vulnerable to authorization bypass under the following conditions: 1. calling Check API or ListObjects with a model that uses [conditions](https://openfga.dev/docs/modeling/conditions), and 2. calling Check API or ListObjects API with [contextual tuples](https://openfga.dev/docs/concepts#what-are-contextual-tuples) that include conditions and 3. OpenFGA is configured with caching enabled (`OPENFGA_CHECK_QUERY_CACHE_ENABLED`). Users are advised to upgrade to v1.8.3. There are no known workarounds for this vulnerability."
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "attackComplexity": "LOW",
            "attackRequirements": "PRESENT",
            "attackVector": "NETWORK",
            "baseScore": 5.8,
            "baseSeverity": "MEDIUM",
            "privilegesRequired": "LOW",
            "subAvailabilityImpact": "HIGH",
            "subConfidentialityImpact": "HIGH",
            "subIntegrityImpact": "HIGH",
            "userInteraction": "NONE",
            "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:N/VA:N/SC:H/SI:H/SA:H",
            "version": "4.0",
            "vulnAvailabilityImpact": "NONE",
            "vulnConfidentialityImpact": "NONE",
            "vulnIntegrityImpact": "NONE"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-285",
              "description": "CWE-285: Improper Authorization",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-01-13T21:33:30.556Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/openfga/openfga/security/advisories/GHSA-32q6-rr98-cjqv",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/openfga/openfga/security/advisories/GHSA-32q6-rr98-cjqv"
        }
      ],
      "source": {
        "advisory": "GHSA-32q6-rr98-cjqv",
        "discovery": "UNKNOWN"
      },
      "title": "OpenFGA Authorization Bypass"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2024-56323",
    "datePublished": "2025-01-13T21:33:30.556Z",
    "dateReserved": "2024-12-18T23:44:51.604Z",
    "dateUpdated": "2025-01-14T00:29:58.019Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2024-52281 (GCVE-0-2024-52281)

Vulnerability from cvelistv5

Published

2025-04-16 08:31

Modified

2025-04-18 03:55

Severity ?

8.9 (High) - CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:L

CWE

CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Summary

A: Improper Neutralization of Input During Web Page Generation vulnerability in SUSE rancher allows a malicious actor to perform a Stored XSS attack through the cluster description field. This issue affects rancher: from 2.9.0 before 2.9.4.

References

►

URL

Tags

	https://bugzilla.suse.com/show_bug.cgi?id=CVE-2024-52281
	https://github.com/rancher/rancher/security/advisories/GHSA-2v2w-8v8c-wcm9

Impacted products

	Vendor	Product	Version
	SUSE	rancher	Version: 2.9.0 ≤

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2024-52281",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-04-17T00:00:00+00:00",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-04-18T03:55:42.362Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "packageName": "github.com/rancher/rancher",
          "product": "rancher",
          "vendor": "SUSE",
          "versions": [
            {
              "lessThan": "2.9.4",
              "status": "affected",
              "version": "2.9.0",
              "versionType": "semver"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "This issue was identified and reported by Bhavin Makwana from Workday\u2019s Cyber Defence Team"
        }
      ],
      "datePublic": "2025-01-14T21:03:00.000Z",
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "A: Improper Neutralization of Input During Web Page Generation vulnerability in SUSE rancher allows a malicious actor to perform a Stored XSS attack through the cluster description field.\u003cbr\u003e\u003cp\u003eThis issue affects rancher: from 2.9.0 before 2.9.4.\u003c/p\u003e"
            }
          ],
          "value": "A: Improper Neutralization of Input During Web Page Generation vulnerability in SUSE rancher allows a malicious actor to perform a Stored XSS attack through the cluster description field.\nThis issue affects rancher: from 2.9.0 before 2.9.4."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "LOW",
            "baseScore": 8.9,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "LOW",
            "scope": "CHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:L",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-79",
              "description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0026#39;Cross-site Scripting\u0026#39;)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-04-16T08:31:11.378Z",
        "orgId": "404e59f5-483d-4b8a-8e7a-e67604dd8afb",
        "shortName": "suse"
      },
      "references": [
        {
          "url": "https://bugzilla.suse.com/show_bug.cgi?id=CVE-2024-52281"
        },
        {
          "url": "https://github.com/rancher/rancher/security/advisories/GHSA-2v2w-8v8c-wcm9"
        }
      ],
      "source": {
        "discovery": "EXTERNAL"
      },
      "title": "Stored Cross-site Scripting vulnerability in Rancher UI",
      "x_generator": {
        "engine": "Vulnogram 0.1.0-dev"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "404e59f5-483d-4b8a-8e7a-e67604dd8afb",
    "assignerShortName": "suse",
    "cveId": "CVE-2024-52281",
    "datePublished": "2025-04-16T08:31:11.378Z",
    "dateReserved": "2024-11-06T12:19:57.723Z",
    "dateUpdated": "2025-04-18T03:55:42.362Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2024-53263 (GCVE-0-2024-53263)

Vulnerability from cvelistv5

Published

2025-01-14 19:33

Modified

2025-01-28 04:55

Severity ?

8.5 (High) - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N

CWE

CWE-74 - Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')

Summary

Git LFS is a Git extension for versioning large files. When Git LFS requests credentials from Git for a remote host, it passes portions of the host's URL to the `git-credential(1)` command without checking for embedded line-ending control characters, and then sends any credentials it receives back from the Git credential helper to the remote host. By inserting URL-encoded control characters such as line feed (LF) or carriage return (CR) characters into the URL, an attacker may be able to retrieve a user's Git credentials. This problem exists in all previous versions and is patched in v3.6.1. All users should upgrade to v3.6.1. There are no workarounds known at this time.

References

►

URL

Tags

	https://github.com/git-lfs/git-lfs/security/advisories/GHSA-q6r2-x2cc-vrp7	x_refsource_CONFIRM
	https://github.com/git-lfs/git-lfs/commit/0345b6f816e611d050c0df67b61f0022916a1c90	x_refsource_MISC
	https://github.com/git-lfs/git-lfs/releases/tag/v3.6.1	x_refsource_MISC

Impacted products

	Vendor	Product	Version
	git-lfs	git-lfs	Version: >= 0.1.0, < 3.6.1

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2024-53263",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-01-27T00:00:00+00:00",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-01-28T04:55:24.382Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      },
      {
        "providerMetadata": {
          "dateUpdated": "2025-01-23T18:03:25.138Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/01/msg00022.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "git-lfs",
          "vendor": "git-lfs",
          "versions": [
            {
              "status": "affected",
              "version": "\u003e= 0.1.0, \u003c 3.6.1"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Git LFS is a Git extension for versioning large files. When Git LFS requests credentials from Git for a remote host, it passes portions of the host\u0027s URL to the `git-credential(1)` command without checking for embedded line-ending control characters, and then sends any credentials it receives back from the Git credential helper to the remote host. By inserting URL-encoded control characters such as line feed (LF) or carriage return (CR) characters into the URL, an attacker may be able to retrieve a user\u0027s Git credentials. This problem exists in all previous versions and is patched in v3.6.1. All users should upgrade to v3.6.1. There are no workarounds known at this time."
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "attackComplexity": "LOW",
            "attackRequirements": "NONE",
            "attackVector": "NETWORK",
            "baseScore": 8.5,
            "baseSeverity": "HIGH",
            "privilegesRequired": "NONE",
            "subAvailabilityImpact": "NONE",
            "subConfidentialityImpact": "NONE",
            "subIntegrityImpact": "NONE",
            "userInteraction": "ACTIVE",
            "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N",
            "version": "4.0",
            "vulnAvailabilityImpact": "NONE",
            "vulnConfidentialityImpact": "HIGH",
            "vulnIntegrityImpact": "HIGH"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-74",
              "description": "CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component (\u0027Injection\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-01-14T19:33:21.876Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/git-lfs/git-lfs/security/advisories/GHSA-q6r2-x2cc-vrp7",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/git-lfs/git-lfs/security/advisories/GHSA-q6r2-x2cc-vrp7"
        },
        {
          "name": "https://github.com/git-lfs/git-lfs/commit/0345b6f816e611d050c0df67b61f0022916a1c90",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/git-lfs/git-lfs/commit/0345b6f816e611d050c0df67b61f0022916a1c90"
        },
        {
          "name": "https://github.com/git-lfs/git-lfs/releases/tag/v3.6.1",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/git-lfs/git-lfs/releases/tag/v3.6.1"
        }
      ],
      "source": {
        "advisory": "GHSA-q6r2-x2cc-vrp7",
        "discovery": "UNKNOWN"
      },
      "title": "Git LFS permits exfiltration of credentials via crafted HTTP URLs"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2024-53263",
    "datePublished": "2025-01-14T19:33:21.876Z",
    "dateReserved": "2024-11-19T20:08:14.481Z",
    "dateUpdated": "2025-01-28T04:55:24.382Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

Tags

Taxonomy of the tags.

All sightings related to this event Export sightings related to this event

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
Confirmed: The vulnerability is confirmed from an analyst perspective.
Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
Patched: This vulnerability was successfully patched by the user reporting the sighting.
Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
Not confirmed: The user expresses doubt about the veracity of the vulnerability.
Not patched: This vulnerability was not successfully patched by the user reporting the sighting.

Action not permitted

opensuse-su-2025:14653-1

Vulnerability from csaf_opensuse

CVE-2024-51491 (GCVE-0-2024-51491)

Vulnerability from cvelistv5

CVE-2024-56138 (GCVE-0-2024-56138)

Vulnerability from cvelistv5

CVE-2024-56323 (GCVE-0-2024-56323)

Vulnerability from cvelistv5

CVE-2024-52281 (GCVE-0-2024-52281)

Vulnerability from cvelistv5

CVE-2024-53263 (GCVE-0-2024-53263)

Vulnerability from cvelistv5

Tags

Sightings

Nomenclature