The Central Go Module Repository for the Community
813,012 Versions Indexed
Host your Go-based applications for free on the JFrog Platform
Getting Started
export GOPROXY=https://gocenter.io
Recent Vulnerabilities
The following CVEs are the most recent issues associated with Go modules across GoCenter. Learn more.
| CVE | Severity | Effected Modules | UsedBy | Description |
|---|---|---|---|---|
| CVE-2020-15266 | Unknown | (1) | (37) | In Tensorflow before version 2.4.0, when the `boxes` argument of `tf.image.crop_and_resize` has a very large value, the CPU kernel implementation receives it as a C++ `nan` floating point value. Attempting to operate on this is undefined behavior which later produces a segmentation fault. The issue is patched in eccb7ec454e6617738554a255d77f08e60ee0808 and TensorFlow 2.4.0 will be released containing the patch. TensorFlow nightly packages after this commit will also have the issue resolved. |
| CVE-2020-15265 | Unknown | (1) | (37) | In Tensorflow before version 2.4.0, an attacker can pass an invalid `axis` value to `tf.quantization.quantize_and_dequantize`. This results in accessing a dimension outside the rank of the input tensor in the C++ kernel implementation. However, dim_size only does a DCHECK to validate the argument and then uses it to access the corresponding element of an array. Since in normal builds, `DCHECK`-like macros are no-ops, this results in segfault and access out of bounds of the array. The issue is patched in eccb7ec454e6617738554a255d77f08e60ee0808 and TensorFlow 2.4.0 will be released containing the patch. TensorFlow nightly packages after this commit will also have the issue resolved. |
| CVE-2016-11067 | Medium | (2) | (4) | An issue was discovered in Mattermost Server before 3.2.0. It allowed crafted posts that could cause a web browser to hang. |
| CVE-2016-11066 | Medium | (2) | (4) | An issue was discovered in Mattermost Server before 3.2.0. The initial_load API disclosed unnecessary personal information. |
| CVE-2020-8929 | Unknown | (3) | (10) | A mis-handling of invalid unicode characters in the Java implementation of Tink versions prior to 1.5 allows an attacker to change the ID part of a ciphertext, which result in the creation of a second ciphertext that can decrypt to the same plaintext. This can be a problem with encrypting deterministic AEAD with a single key, and rely on a unique ciphertext-per-plaintext. |
| CVE-2020-15867 | Medium | (3) | (12) | The git hook feature in Gogs 0.5.5 through 0.12.2 allows for authenticated remote code execution. |
| CVE-2016-11083 | Medium | (2) | (0) | An issue was discovered in Mattermost Server before 2.2.0. It allows XSS because it configures files to be opened in a browser window. |
| CVE-2020-14144 | Medium | (2) | (6) | The git hook feature in Gitea 1.1.0 through 1.12.5 allows for authenticated remote code execution. |
| CVE-2020-15157 | Unknown | (1) | (239) | In containerd (an industry-standard container runtime) before version 1.2.14 there is a credential leaking vulnerability. If a container image manifest in the OCI Image format or Docker Image V2 Schema 2 format includes a URL for the location of a specific image layer (otherwise known as a ?foreign layer?), the default containerd resolver will follow that URL to attempt to download it. In v1.2.x but not 1.3.0 or later, the default containerd resolver will provide its authentication credentials if the server where the URL is located presents an HTTP 401 status code along with registry-specific HTTP headers. If an attacker publishes a public image with a manifest that directs one of the layers to be fetched from a web server they control and they trick a user or system into pulling the image, they can obtain the credentials used for pulling that image. In some cases, this may be the user's username and password for the registry. In other cases, this may be the credentials attached to the cloud virtual instance which can grant access to other cloud resources in the account. The default containerd resolver is used by the cri-containerd plugin (which can be used by Kubernetes), the ctr development tool, and other client programs that have explicitly linked against it. This vulnerability has been fixed in containerd 1.2.14. containerd 1.3 and later are not affected. If you are using containerd 1.3 or later, you are not affected. If you are using cri-containerd in the 1.2 series or prior, you should ensure you only pull images from trusted sources. Other container runtimes built on top of containerd but not using the default resolver (such as Docker) are not affected. |
| CVE-2020-15229 | Unknown | (1) | (0) | Singularity (an open source container platform) from version 3.1.1 through 3.6.3 has a vulnerability. Due to insecure handling of path traversal and the lack of path sanitization within `unsquashfs`, it is possible to overwrite/create any files on the host filesystem during the extraction with a crafted squashfs filesystem. The extraction occurs automatically for unprivileged (either installation or with `allow setuid = no`) run of Singularity when a user attempt to run an image which is a local SIF image or a single file containing a squashfs filesystem and is coming from remote sources `library://` or `shub://`. Image build is also impacted in a more serious way as it can be used by a root user, allowing an attacker to overwrite/create files leading to a system compromise, so far bootstrap methods `library`, `shub` and `localimage` are triggering the squashfs extraction. This issue is addressed in Singularity 3.6.4. All users are advised to upgrade to 3.6.4 especially if they use Singularity mainly for building image as root user. There is no solid workaround except to temporary avoid to use unprivileged mode with single file images in favor of sandbox images instead. Regarding image build, temporary avoid to build from `library` and `shub` sources and as much as possible use `--fakeroot` or a VM for that. |
| CVE-2017-18874 | Medium | (2) | (0) | An issue was discovered in Mattermost Server before 4.3.0, 4.2.1, and 4.1.2 when local storage for files is used. A System Admin can achieve directory traversal. |
| CVE-2017-18876 | Medium | (2) | (0) | An issue was discovered in Mattermost Server before 4.3.0, 4.2.1, and 4.1.2 when local storage for files is used. A System Admin can test for the existence of an arbitrary file. |
| CVE-2017-18878 | Medium | (2) | (0) | An issue was discovered in Mattermost Server before 4.3.0, 4.2.1, and 4.1.2. Knowledge of a session ID allows revoking another user's session. |
| CVE-2017-18879 | Medium | (2) | (0) | An issue was discovered in Mattermost Server before 4.3.0, 4.2.1, and 4.1.2. XSS could occur via the author_link field of a Slack attachment. |
| CVE-2020-26160 | Medium | (4) | (4815) | jwt-go before 4.0.0-preview1 allows attackers to bypass intended access restrictions in situations with []string{} for m["aud"] (which is allowed by the specification). Because the type assertion fails, "" is the value of aud. This is a security problem if the JWT token is presented to a service that lacks its own audience check. |
| CVE-2017-18884 | Medium | (2) | (4) | An issue was discovered in Mattermost Server before 4.3.0, 4.2.1, and 4.1.2. It allows attackers to gain privileges by using a registered OAuth application with personal access tokens. |
| CVE-2017-18889 | Medium | (2) | (0) | An issue was discovered in Mattermost Server before 4.3.0, 4.2.1, and 4.1.2. An attacker could create fictive system-message posts via webhooks and slash commands, in the v3 or v4 REST API. |
| CVE-2020-13347 | High | (1) | (1) | A command injection vulnerability was discovered in Gitlab runner versions prior to 13.2.4, 13.3.2 and 13.4.1. When the runner is configured on a Windows system with a docker executor, which allows the attacker to run arbitrary commands on Windows host, via DOCKER_AUTH_CONFIG build variable. |
| CVE-2017-18875 | Medium | (2) | (0) | An issue was discovered in Mattermost Server before 4.3.0, 4.2.1, and 4.1.2 when local storage for files is used. A System Admin can create arbitrary files. |
| CVE-2017-18886 | Medium | (2) | (3) | An issue was discovered in Mattermost Server before 4.3.0, 4.2.1, and 4.1.2. It allows a bypass of restrictions on use of slash commands. |
Community News