The Central Go Module Repository for the Community
904,814 Versions Indexed
Host your Go-based applications for free on the JFrog Platform
Getting Started
export GOPROXY=https://gocenter.io
Top Downloaded Modules
Recent Vulnerabilities
The following CVEs are the most recent issues associated with Go modules across GoCenter. Learn more.
| CVE | Severity | Effected Modules | UsedBy | Description |
|---|---|---|---|---|
| CVE-2020-26240 | Unknown | (1) | (803) | Go Ethereum, or "Geth", is the official Golang implementation of the Ethereum protocol. An ethash mining DAG generation flaw in Geth before version 1.9.24 could cause miners to erroneously calculate PoW in an upcoming epoch (estimated early January, 2021). This happened on the ETC chain on 2020-11-06. This issue is relevant only for miners, non-mining nodes are unaffected. This issue is fixed as of 1.9.24 |
| CVE-2020-26241 | Unknown | (1) | (264) | Go Ethereum, or "Geth", is the official Golang implementation of the Ethereum protocol. This is a Consensus vulnerability in Geth before version 1.9.17 which can be used to cause a chain-split where vulnerable nodes reject the canonical chain. Geth's pre-compiled dataCopy (at 0x00...04) contract did a shallow copy on invocation. An attacker could deploy a contract that writes X to an EVM memory region R, then calls 0x00..04 with R as an argument, then overwrites R to Y, and finally invokes the RETURNDATACOPY opcode. When this contract is invoked, a consensus-compliant node would push X on the EVM stack, whereas Geth would push Y. This is fixed in version 1.9.17. |
| CVE-2020-26242 | Unknown | (1) | (13) | Go Ethereum, or "Geth", is the official Golang implementation of the Ethereum protocol. In Geth before version 1.9.18, there is a Denial-of-service (crash) during block processing. This is fixed in 1.9.18. |
| CVE-2020-28348 | Unknown | (1) | (25) | HashiCorp Nomad and Nomad Enterprise 0.9.0 up to 0.12.7 client Docker file sandbox feature may be subverted when not explicitly disabled or when using a volume mount type. Fixed in 0.12.8, 0.11.7, and 0.10.8. |
| CVE-2020-28991 | Unknown | (3) | (6) | Gitea 0.9.99 through 1.12.x before 1.12.6 does not prevent a git protocol path that specifies a TCP port number and also contains newlines (with URL encoding) in ParseRemoteAddr in modules/auth/repo_form.go. |
| CVE-2020-28053 | Unknown | (2) | (905) | HashiCorp Consul and Consul Enterprise 1.2.0 up to 1.8.5 allowed operators with operator:read ACL permissions to read the Connect CA private key configuration. Fixed in 1.6.10, 1.7.10, and 1.8.6. |
| CVE-2020-28924 | Unknown | (1) | (7) | An issue was discovered in Rclone before 1.53.3. Due to the use of a weak random number generator, the password generator has been producing weak passwords with much less entropy than advertised. The suggested passwords depend deterministically on the time the second rclone was started. This limits the entropy of the passwords enormously. These passwords are often used in the crypt backend for encryption of data. It would be possible to make a dictionary of all possible passwords with about 38 million entries per password length. This would make decryption of secret material possible with a plausible amount of effort. NOTE: all passwords generated by affected versions should be changed. |
| CVE-2020-28362 | Medium | (1) | (149) | Go before 1.14.12 and 1.15.x before 1.15.4 allows Denial of Service. |
| CVE-2020-13353 | Unknown | (1) | (0) | When importing repos via URL, one time use git credentials were persisted beyond the expected time window in Gitaly 1.79.0 or above. Affected versions are: >=1.79.0, <13.3.9,>=13.4, <13.4.5,>=13.5, <13.5.2. |
| CVE-2018-17145 | Medium | (2) | (279) | Bitcoin Core 0.16.x before 0.16.2 and Bitcoin Knots 0.16.x before 0.16.2 allow remote denial of service via a flood of multiple transaction inv messages with random hashes, aka INVDoS. NOTE: this can also affect other cryptocurrencies, e.g., if they were forked from Bitcoin Core after 2017-11-15. |
| CVE-2020-28349 | Medium | (2) | (5) | ** DISPUTED ** An inaccurate frame deduplication process in ChirpStack Network Server 3.9.0 allows a malicious gateway to perform uplink Denial of Service via malformed frequency attributes in CollectAndCallOnceCollect in internal/uplink/collect.go. NOTE: the vendor's position is that there are no "guarantees that allowing untrusted LoRa gateways to the network should still result in a secure network." |
| CVE-2020-26521 | Medium | (3) | (443) | The JWT library in NATS nats-server before 2.1.9 allows a denial of service (a nil dereference in Go code). |
| CVE-2020-26892 | High | (2) | (347) | The JWT library in NATS nats-server before 2.1.9 has Incorrect Access Control because of how expired credentials are handled. |
| CVE-2020-10937 | Medium | (1) | (13) | An issue was discovered in IPFS (aka go-ipfs) 0.4.23. An attacker can generate ephemeral identities (Sybils) and leverage the IPFS connection management reputation system to poison other nodes' routing tables, eclipsing the nodes that are the target of the attack from the rest of the network. Later versions, in particular go-ipfs 0.7, mitigate this. |
| CVE-2020-25201 | Medium | (2) | (269) | HashiCorp Consul Enterprise version 1.7.0 up to 1.8.4 includes a namespace replication bug which can be triggered to cause denial of service via infinite Raft writes. Fixed in 1.7.9 and 1.8.5. |
| CVE-2020-27955 | High | (4) | (5) | Git LFS 2.12.0 allows Remote Code Execution. |
| CVE-2020-26213 | Medium | (1) | (0) | In teler before version 0.0.1, if you run teler inside a Docker container and encounter `errors.Exit` function, it will cause denial-of-service (`SIGSEGV`) because it doesn't get process ID and process group ID of teler properly to kills. The issue is patched in teler 0.0.1 and 0.0.1-dev5.1. |
| CVE-2020-25017 | High | (2) | (7) | Envoy through 1.15.0 only considers the first value when multiple header values are present for some HTTP headers. Envoy?s setCopy() header map API does not replace all existing occurences of a non-inline header. |
| CVE-2020-8663 | Medium | (2) | (7) | Envoy version 1.14.2, 1.13.2, 1.12.4 or earlier may exhaust file descriptors and/or memory when accepting too many connections. |
| CVE-2020-12604 | Medium | (2) | (7) | Envoy version 1.14.2, 1.13.2, 1.12.4 or earlier is susceptible to increased memory usage in the case where an HTTP/2 client requests a large payload but does not send enough window updates to consume the entire stream and does not reset the stream. |
Community News