Lookup for vulnerable packages by Package URL.

Purl pkg:rpm/redhat/openshift-pipelines-client@1.15.0-11496?arch=el8
Type rpm
Namespace redhat
Name openshift-pipelines-client
Version 1.15.0-11496
Qualifiers
arch el8
Subpath
Is_vulnerable true
Next_non_vulnerable_version null
Latest_non_vulnerable_version null
Affected_by_vulnerabilities
0
url VCID-aj2b-56uj-gkar
vulnerability_id VCID-aj2b-56uj-gkar
summary
net/http, x/net/http2: close connections when receiving too many headers
An attacker may cause an HTTP/2 endpoint to read arbitrary amounts of header data by sending an excessive number of CONTINUATION frames. Maintaining HPACK state requires parsing and processing all HEADERS and CONTINUATION frames on a connection. When a request's headers exceed MaxHeaderBytes, no memory is allocated to store the excess headers, but they are still parsed. This permits an attacker to cause an HTTP/2 endpoint to read arbitrary amounts of header data, all associated with a request which is going to be rejected. These headers can include Huffman-encoded data which is significantly more expensive for the receiver to decode than for an attacker to send. The fix sets a limit on the amount of excess header frames we will process before closing a connection.
references
0
reference_url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2023-45288.json
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2023-45288.json
1
reference_url https://api.first.org/data/v1/epss?cve=CVE-2023-45288
reference_id
reference_type
scores
0
value 0.71463
scoring_system epss
scoring_elements 0.9873
published_at 2026-04-21T12:55:00Z
1
value 0.71463
scoring_system epss
scoring_elements 0.98725
published_at 2026-04-11T12:55:00Z
2
value 0.71463
scoring_system epss
scoring_elements 0.98729
published_at 2026-04-16T12:55:00Z
3
value 0.71463
scoring_system epss
scoring_elements 0.98726
published_at 2026-04-13T12:55:00Z
4
value 0.71463
scoring_system epss
scoring_elements 0.98723
published_at 2026-04-08T12:55:00Z
5
value 0.71463
scoring_system epss
scoring_elements 0.98722
published_at 2026-04-09T12:55:00Z
6
value 0.71463
scoring_system epss
scoring_elements 0.98719
published_at 2026-04-04T12:55:00Z
7
value 0.71463
scoring_system epss
scoring_elements 0.98715
published_at 2026-04-02T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2023-45288
2
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-45288
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-45288
3
reference_url https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
url https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
4
reference_url https://go.dev/cl/576155
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
1
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
2
value MODERATE
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-04-05T17:08:42Z/
url https://go.dev/cl/576155
5
reference_url https://go.dev/issue/65051
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
1
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
2
value MODERATE
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-04-05T17:08:42Z/
url https://go.dev/issue/65051
6
reference_url https://groups.google.com/g/golang-announce/c/YgW0sx8mN3M
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
1
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
2
value MODERATE
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-04-05T17:08:42Z/
url https://groups.google.com/g/golang-announce/c/YgW0sx8mN3M
7
reference_url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QRYFHIQ6XRKRYBI2F5UESH67BJBQXUPT
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QRYFHIQ6XRKRYBI2F5UESH67BJBQXUPT
8
reference_url https://nowotarski.info/http2-continuation-flood-technical-details
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://nowotarski.info/http2-continuation-flood-technical-details
9
reference_url https://nvd.nist.gov/vuln/detail/CVE-2023-45288
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2023-45288
10
reference_url https://pkg.go.dev/vuln/GO-2024-2687
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
1
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
2
value MODERATE
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-04-05T17:08:42Z/
url https://pkg.go.dev/vuln/GO-2024-2687
11
reference_url https://security.netapp.com/advisory/ntap-20240419-0009
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://security.netapp.com/advisory/ntap-20240419-0009
12
reference_url https://www.kb.cert.org/vuls/id/421644
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://www.kb.cert.org/vuls/id/421644
13
reference_url http://www.openwall.com/lists/oss-security/2024/04/03/16
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
1
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
2
value MODERATE
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-04-05T17:08:42Z/
url http://www.openwall.com/lists/oss-security/2024/04/03/16
14
reference_url http://www.openwall.com/lists/oss-security/2024/04/05/4
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
1
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
2
value MODERATE
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-04-05T17:08:42Z/
url http://www.openwall.com/lists/oss-security/2024/04/05/4
15
reference_url https://bugzilla.redhat.com/show_bug.cgi?id=2268273
reference_id 2268273
reference_type
scores
url https://bugzilla.redhat.com/show_bug.cgi?id=2268273
16
reference_url https://security.gentoo.org/glsa/202408-07
reference_id GLSA-202408-07
reference_type
scores
url https://security.gentoo.org/glsa/202408-07
17
reference_url https://security.netapp.com/advisory/ntap-20240419-0009/
reference_id ntap-20240419-0009
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
1
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-04-05T17:08:42Z/
url https://security.netapp.com/advisory/ntap-20240419-0009/
18
reference_url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QRYFHIQ6XRKRYBI2F5UESH67BJBQXUPT/
reference_id QRYFHIQ6XRKRYBI2F5UESH67BJBQXUPT
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
1
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-04-05T17:08:42Z/
url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QRYFHIQ6XRKRYBI2F5UESH67BJBQXUPT/
19
reference_url https://access.redhat.com/errata/RHSA-2024:1616
reference_id RHSA-2024:1616
reference_type
scores
url https://access.redhat.com/errata/RHSA-2024:1616
20
reference_url https://access.redhat.com/errata/RHSA-2024:1668
reference_id RHSA-2024:1668
reference_type
scores
url https://access.redhat.com/errata/RHSA-2024:1668
21
reference_url https://access.redhat.com/errata/RHSA-2024:1679
reference_id RHSA-2024:1679
reference_type
scores
url https://access.redhat.com/errata/RHSA-2024:1679
22
reference_url https://access.redhat.com/errata/RHSA-2024:1681
reference_id RHSA-2024:1681
reference_type
scores
url https://access.redhat.com/errata/RHSA-2024:1681
23
reference_url https://access.redhat.com/errata/RHSA-2024:1683
reference_id RHSA-2024:1683
reference_type
scores
url https://access.redhat.com/errata/RHSA-2024:1683
24
reference_url https://access.redhat.com/errata/RHSA-2024:1892
reference_id RHSA-2024:1892
reference_type
scores
url https://access.redhat.com/errata/RHSA-2024:1892
25
reference_url https://access.redhat.com/errata/RHSA-2024:1899
reference_id RHSA-2024:1899
reference_type
scores
url https://access.redhat.com/errata/RHSA-2024:1899
26
reference_url https://access.redhat.com/errata/RHSA-2024:1962
reference_id RHSA-2024:1962
reference_type
scores
url https://access.redhat.com/errata/RHSA-2024:1962
27
reference_url https://access.redhat.com/errata/RHSA-2024:1963
reference_id RHSA-2024:1963
reference_type
scores
url https://access.redhat.com/errata/RHSA-2024:1963
28
reference_url https://access.redhat.com/errata/RHSA-2024:2060
reference_id RHSA-2024:2060
reference_type
scores
url https://access.redhat.com/errata/RHSA-2024:2060
29
reference_url https://access.redhat.com/errata/RHSA-2024:2062
reference_id RHSA-2024:2062
reference_type
scores
url https://access.redhat.com/errata/RHSA-2024:2062
30
reference_url https://access.redhat.com/errata/RHSA-2024:2068
reference_id RHSA-2024:2068
reference_type
scores
url https://access.redhat.com/errata/RHSA-2024:2068
31
reference_url https://access.redhat.com/errata/RHSA-2024:2079
reference_id RHSA-2024:2079
reference_type
scores
url https://access.redhat.com/errata/RHSA-2024:2079
32
reference_url https://access.redhat.com/errata/RHSA-2024:2625
reference_id RHSA-2024:2625
reference_type
scores
url https://access.redhat.com/errata/RHSA-2024:2625
33
reference_url https://access.redhat.com/errata/RHSA-2024:2664
reference_id RHSA-2024:2664
reference_type
scores
url https://access.redhat.com/errata/RHSA-2024:2664
34
reference_url https://access.redhat.com/errata/RHSA-2024:2667
reference_id RHSA-2024:2667
reference_type
scores
url https://access.redhat.com/errata/RHSA-2024:2667
35
reference_url https://access.redhat.com/errata/RHSA-2024:2668
reference_id RHSA-2024:2668
reference_type
scores
url https://access.redhat.com/errata/RHSA-2024:2668
36
reference_url https://access.redhat.com/errata/RHSA-2024:2671
reference_id RHSA-2024:2671
reference_type
scores
url https://access.redhat.com/errata/RHSA-2024:2671
37
reference_url https://access.redhat.com/errata/RHSA-2024:2699
reference_id RHSA-2024:2699
reference_type
scores
url https://access.redhat.com/errata/RHSA-2024:2699
38
reference_url https://access.redhat.com/errata/RHSA-2024:2724
reference_id RHSA-2024:2724
reference_type
scores
url https://access.redhat.com/errata/RHSA-2024:2724
39
reference_url https://access.redhat.com/errata/RHSA-2024:2728
reference_id RHSA-2024:2728
reference_type
scores
url https://access.redhat.com/errata/RHSA-2024:2728
40
reference_url https://access.redhat.com/errata/RHSA-2024:2773
reference_id RHSA-2024:2773
reference_type
scores
url https://access.redhat.com/errata/RHSA-2024:2773
41
reference_url https://access.redhat.com/errata/RHSA-2024:2865
reference_id RHSA-2024:2865
reference_type
scores
url https://access.redhat.com/errata/RHSA-2024:2865
42
reference_url https://access.redhat.com/errata/RHSA-2024:2875
reference_id RHSA-2024:2875
reference_type
scores
url https://access.redhat.com/errata/RHSA-2024:2875
43
reference_url https://access.redhat.com/errata/RHSA-2024:2892
reference_id RHSA-2024:2892
reference_type
scores
url https://access.redhat.com/errata/RHSA-2024:2892
44
reference_url https://access.redhat.com/errata/RHSA-2024:2901
reference_id RHSA-2024:2901
reference_type
scores
url https://access.redhat.com/errata/RHSA-2024:2901
45
reference_url https://access.redhat.com/errata/RHSA-2024:2929
reference_id RHSA-2024:2929
reference_type
scores
url https://access.redhat.com/errata/RHSA-2024:2929
46
reference_url https://access.redhat.com/errata/RHSA-2024:2930
reference_id RHSA-2024:2930
reference_type
scores
url https://access.redhat.com/errata/RHSA-2024:2930
47
reference_url https://access.redhat.com/errata/RHSA-2024:2932
reference_id RHSA-2024:2932
reference_type
scores
url https://access.redhat.com/errata/RHSA-2024:2932
48
reference_url https://access.redhat.com/errata/RHSA-2024:2933
reference_id RHSA-2024:2933
reference_type
scores
url https://access.redhat.com/errata/RHSA-2024:2933
49
reference_url https://access.redhat.com/errata/RHSA-2024:2935
reference_id RHSA-2024:2935
reference_type
scores
url https://access.redhat.com/errata/RHSA-2024:2935
50
reference_url https://access.redhat.com/errata/RHSA-2024:2936
reference_id RHSA-2024:2936
reference_type
scores
url https://access.redhat.com/errata/RHSA-2024:2936
51
reference_url https://access.redhat.com/errata/RHSA-2024:2941
reference_id RHSA-2024:2941
reference_type
scores
url https://access.redhat.com/errata/RHSA-2024:2941
52
reference_url https://access.redhat.com/errata/RHSA-2024:3259
reference_id RHSA-2024:3259
reference_type
scores
url https://access.redhat.com/errata/RHSA-2024:3259
53
reference_url https://access.redhat.com/errata/RHSA-2024:3314
reference_id RHSA-2024:3314
reference_type
scores
url https://access.redhat.com/errata/RHSA-2024:3314
54
reference_url https://access.redhat.com/errata/RHSA-2024:3315
reference_id RHSA-2024:3315
reference_type
scores
url https://access.redhat.com/errata/RHSA-2024:3315
55
reference_url https://access.redhat.com/errata/RHSA-2024:3316
reference_id RHSA-2024:3316
reference_type
scores
url https://access.redhat.com/errata/RHSA-2024:3316
56
reference_url https://access.redhat.com/errata/RHSA-2024:3327
reference_id RHSA-2024:3327
reference_type
scores
url https://access.redhat.com/errata/RHSA-2024:3327
57
reference_url https://access.redhat.com/errata/RHSA-2024:3331
reference_id RHSA-2024:3331
reference_type
scores
url https://access.redhat.com/errata/RHSA-2024:3331
58
reference_url https://access.redhat.com/errata/RHSA-2024:3346
reference_id RHSA-2024:3346
reference_type
scores
url https://access.redhat.com/errata/RHSA-2024:3346
59
reference_url https://access.redhat.com/errata/RHSA-2024:3467
reference_id RHSA-2024:3467
reference_type
scores
url https://access.redhat.com/errata/RHSA-2024:3467
60
reference_url https://access.redhat.com/errata/RHSA-2024:3479
reference_id RHSA-2024:3479
reference_type
scores
url https://access.redhat.com/errata/RHSA-2024:3479
61
reference_url https://access.redhat.com/errata/RHSA-2024:3523
reference_id RHSA-2024:3523
reference_type
scores
url https://access.redhat.com/errata/RHSA-2024:3523
62
reference_url https://access.redhat.com/errata/RHSA-2024:3621
reference_id RHSA-2024:3621
reference_type
scores
url https://access.redhat.com/errata/RHSA-2024:3621
63
reference_url https://access.redhat.com/errata/RHSA-2024:3637
reference_id RHSA-2024:3637
reference_type
scores
url https://access.redhat.com/errata/RHSA-2024:3637
64
reference_url https://access.redhat.com/errata/RHSA-2024:3680
reference_id RHSA-2024:3680
reference_type
scores
url https://access.redhat.com/errata/RHSA-2024:3680
65
reference_url https://access.redhat.com/errata/RHSA-2024:3781
reference_id RHSA-2024:3781
reference_type
scores
url https://access.redhat.com/errata/RHSA-2024:3781
66
reference_url https://access.redhat.com/errata/RHSA-2024:3885
reference_id RHSA-2024:3885
reference_type
scores
url https://access.redhat.com/errata/RHSA-2024:3885
67
reference_url https://access.redhat.com/errata/RHSA-2024:3889
reference_id RHSA-2024:3889
reference_type
scores
url https://access.redhat.com/errata/RHSA-2024:3889
68
reference_url https://access.redhat.com/errata/RHSA-2024:4006
reference_id RHSA-2024:4006
reference_type
scores
url https://access.redhat.com/errata/RHSA-2024:4006
69
reference_url https://access.redhat.com/errata/RHSA-2024:4010
reference_id RHSA-2024:4010
reference_type
scores
url https://access.redhat.com/errata/RHSA-2024:4010
70
reference_url https://access.redhat.com/errata/RHSA-2024:4023
reference_id RHSA-2024:4023
reference_type
scores
url https://access.redhat.com/errata/RHSA-2024:4023
71
reference_url https://access.redhat.com/errata/RHSA-2024:4034
reference_id RHSA-2024:4034
reference_type
scores
url https://access.redhat.com/errata/RHSA-2024:4034
72
reference_url https://access.redhat.com/errata/RHSA-2024:4041
reference_id RHSA-2024:4041
reference_type
scores
url https://access.redhat.com/errata/RHSA-2024:4041
73
reference_url https://access.redhat.com/errata/RHSA-2024:4125
reference_id RHSA-2024:4125
reference_type
scores
url https://access.redhat.com/errata/RHSA-2024:4125
74
reference_url https://access.redhat.com/errata/RHSA-2024:4464
reference_id RHSA-2024:4464
reference_type
scores
url https://access.redhat.com/errata/RHSA-2024:4464
75
reference_url https://access.redhat.com/errata/RHSA-2024:4484
reference_id RHSA-2024:4484
reference_type
scores
url https://access.redhat.com/errata/RHSA-2024:4484
76
reference_url https://access.redhat.com/errata/RHSA-2024:4543
reference_id RHSA-2024:4543
reference_type
scores
url https://access.redhat.com/errata/RHSA-2024:4543
77
reference_url https://access.redhat.com/errata/RHSA-2024:4545
reference_id RHSA-2024:4545
reference_type
scores
url https://access.redhat.com/errata/RHSA-2024:4545
78
reference_url https://access.redhat.com/errata/RHSA-2024:4546
reference_id RHSA-2024:4546
reference_type
scores
url https://access.redhat.com/errata/RHSA-2024:4546
79
reference_url https://access.redhat.com/errata/RHSA-2024:4631
reference_id RHSA-2024:4631
reference_type
scores
url https://access.redhat.com/errata/RHSA-2024:4631
80
reference_url https://access.redhat.com/errata/RHSA-2024:4677
reference_id RHSA-2024:4677
reference_type
scores
url https://access.redhat.com/errata/RHSA-2024:4677
81
reference_url https://access.redhat.com/errata/RHSA-2024:4933
reference_id RHSA-2024:4933
reference_type
scores
url https://access.redhat.com/errata/RHSA-2024:4933
82
reference_url https://access.redhat.com/errata/RHSA-2024:4934
reference_id RHSA-2024:4934
reference_type
scores
url https://access.redhat.com/errata/RHSA-2024:4934
83
reference_url https://access.redhat.com/errata/RHSA-2024:4982
reference_id RHSA-2024:4982
reference_type
scores
url https://access.redhat.com/errata/RHSA-2024:4982
84
reference_url https://access.redhat.com/errata/RHSA-2024:5013
reference_id RHSA-2024:5013
reference_type
scores
url https://access.redhat.com/errata/RHSA-2024:5013
85
reference_url https://access.redhat.com/errata/RHSA-2024:6004
reference_id RHSA-2024:6004
reference_type
scores
url https://access.redhat.com/errata/RHSA-2024:6004
86
reference_url https://access.redhat.com/errata/RHSA-2024:6221
reference_id RHSA-2024:6221
reference_type
scores
url https://access.redhat.com/errata/RHSA-2024:6221
87
reference_url https://access.redhat.com/errata/RHSA-2024:6642
reference_id RHSA-2024:6642
reference_type
scores
url https://access.redhat.com/errata/RHSA-2024:6642
88
reference_url https://access.redhat.com/errata/RHSA-2024:6811
reference_id RHSA-2024:6811
reference_type
scores
url https://access.redhat.com/errata/RHSA-2024:6811
89
reference_url https://access.redhat.com/errata/RHSA-2024:8235
reference_id RHSA-2024:8235
reference_type
scores
url https://access.redhat.com/errata/RHSA-2024:8235
90
reference_url https://access.redhat.com/errata/RHSA-2024:8688
reference_id RHSA-2024:8688
reference_type
scores
url https://access.redhat.com/errata/RHSA-2024:8688
91
reference_url https://access.redhat.com/errata/RHSA-2024:8692
reference_id RHSA-2024:8692
reference_type
scores
url https://access.redhat.com/errata/RHSA-2024:8692
92
reference_url https://access.redhat.com/errata/RHSA-2025:0536
reference_id RHSA-2025:0536
reference_type
scores
url https://access.redhat.com/errata/RHSA-2025:0536
93
reference_url https://access.redhat.com/errata/RHSA-2025:0832
reference_id RHSA-2025:0832
reference_type
scores
url https://access.redhat.com/errata/RHSA-2025:0832
94
reference_url https://access.redhat.com/errata/RHSA-2025:15828
reference_id RHSA-2025:15828
reference_type
scores
url https://access.redhat.com/errata/RHSA-2025:15828
95
reference_url https://access.redhat.com/errata/RHSA-2025:4240
reference_id RHSA-2025:4240
reference_type
scores
url https://access.redhat.com/errata/RHSA-2025:4240
96
reference_url https://usn.ubuntu.com/6886-1/
reference_id USN-6886-1
reference_type
scores
url https://usn.ubuntu.com/6886-1/
97
reference_url https://usn.ubuntu.com/7109-1/
reference_id USN-7109-1
reference_type
scores
url https://usn.ubuntu.com/7109-1/
98
reference_url https://usn.ubuntu.com/7111-1/
reference_id USN-7111-1
reference_type
scores
url https://usn.ubuntu.com/7111-1/
fixed_packages
aliases CVE-2023-45288, GHSA-4v7x-pqxf-cx7m
risk_score 3.4
exploitability 0.5
weighted_severity 6.8
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-aj2b-56uj-gkar
1
url VCID-bq1t-9nnj-mkes
vulnerability_id VCID-bq1t-9nnj-mkes
summary
Go JOSE vulnerable to Improper Handling of Highly Compressed Data (Data Amplification)
### Impact
An attacker could send a JWE containing compressed data that used large amounts of memory and CPU when decompressed by Decrypt or DecryptMulti. Those functions now return an error if the decompressed data would exceed 250kB or 10x the compressed size (whichever is larger). Thanks to Enze Wang@Alioth and Jianjun Chen@Zhongguancun Lab (@zer0yu and @chenjj) for reporting.

### Patches
The problem is fixed in the following packages and versions:
- github.com/go-jose/go-jose/v4 version 4.0.1
- github.com/go-jose/go-jose/v3 version 3.0.3
- gopkg.in/go-jose/go-jose.v2 version 2.6.3

The problem will not be fixed in the following package because the package is archived:
- gopkg.in/square/go-jose.v2
references
0
reference_url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2024-28180.json
reference_id
reference_type
scores
0
value 4.3
scoring_system cvssv3
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L
url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2024-28180.json
1
reference_url https://api.first.org/data/v1/epss?cve=CVE-2024-28180
reference_id
reference_type
scores
0
value 0.04859
scoring_system epss
scoring_elements 0.89559
published_at 2026-04-21T12:55:00Z
1
value 0.04859
scoring_system epss
scoring_elements 0.89563
published_at 2026-04-18T12:55:00Z
2
value 0.04859
scoring_system epss
scoring_elements 0.89561
published_at 2026-04-16T12:55:00Z
3
value 0.04859
scoring_system epss
scoring_elements 0.89547
published_at 2026-04-13T12:55:00Z
4
value 0.04859
scoring_system epss
scoring_elements 0.89545
published_at 2026-04-09T12:55:00Z
5
value 0.04859
scoring_system epss
scoring_elements 0.89542
published_at 2026-04-08T12:55:00Z
6
value 0.04859
scoring_system epss
scoring_elements 0.89552
published_at 2026-04-12T12:55:00Z
7
value 0.04859
scoring_system epss
scoring_elements 0.89553
published_at 2026-04-11T12:55:00Z
8
value 0.04859
scoring_system epss
scoring_elements 0.89513
published_at 2026-04-02T12:55:00Z
9
value 0.04859
scoring_system epss
scoring_elements 0.89526
published_at 2026-04-07T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2024-28180
2
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-28180
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-28180
3
reference_url https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
reference_id
reference_type
scores
0
value 4.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L
url https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
4
reference_url https://github.com/go-jose/go-jose
reference_id
reference_type
scores
0
value 4.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/go-jose/go-jose
5
reference_url https://github.com/go-jose/go-jose/commit/0dd4dd541c665fb292d664f77604ba694726f298
reference_id
reference_type
scores
0
value 4.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L
1
value MODERATE
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2024-03-11T15:08:38Z/
url https://github.com/go-jose/go-jose/commit/0dd4dd541c665fb292d664f77604ba694726f298
6
reference_url https://github.com/go-jose/go-jose/commit/add6a284ea0f844fd6628cba637be5451fe4b28a
reference_id
reference_type
scores
0
value 4.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L
1
value MODERATE
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2024-03-11T15:08:38Z/
url https://github.com/go-jose/go-jose/commit/add6a284ea0f844fd6628cba637be5451fe4b28a
7
reference_url https://github.com/go-jose/go-jose/commit/f4c051a0653d78199a053892f7619ebf96339502
reference_id
reference_type
scores
0
value 4.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L
1
value MODERATE
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2024-03-11T15:08:38Z/
url https://github.com/go-jose/go-jose/commit/f4c051a0653d78199a053892f7619ebf96339502
8
reference_url https://github.com/go-jose/go-jose/security/advisories/GHSA-c5q2-7r4c-mv6g
reference_id
reference_type
scores
0
value 4.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L
1
value MODERATE
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2024-03-11T15:08:38Z/
url https://github.com/go-jose/go-jose/security/advisories/GHSA-c5q2-7r4c-mv6g
9
reference_url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/GD2GSBQTBLYADASUBHHZV2CZPTSLIPQJ
reference_id
reference_type
scores
0
value 4.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/GD2GSBQTBLYADASUBHHZV2CZPTSLIPQJ
10
reference_url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/I6MMWFBOXJA6ZCXNVPDFJ4XMK5PVG5RG
reference_id
reference_type
scores
0
value 4.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/I6MMWFBOXJA6ZCXNVPDFJ4XMK5PVG5RG
11
reference_url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/IJ6LAJJ2FTA2JVVOACCV5RZTOIZLXUNJ
reference_id
reference_type
scores
0
value 4.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/IJ6LAJJ2FTA2JVVOACCV5RZTOIZLXUNJ
12
reference_url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/JNPMXL36YGS3GQEVI3Q5HKHJ7YAAQXL5
reference_id
reference_type
scores
0
value 4.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/JNPMXL36YGS3GQEVI3Q5HKHJ7YAAQXL5
13
reference_url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/KXKGNCRU7OTM5AHC7YIYBNOWI742PRMY
reference_id
reference_type
scores
0
value 4.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/KXKGNCRU7OTM5AHC7YIYBNOWI742PRMY
14
reference_url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/MSOMHDKRPU3A2JEMRODT2IREDFBLVPGS
reference_id
reference_type
scores
0
value 4.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/MSOMHDKRPU3A2JEMRODT2IREDFBLVPGS
15
reference_url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UG5FSEYJ3GP27FZXC5YAAMMEC5XWKJHG
reference_id
reference_type
scores
0
value 4.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UG5FSEYJ3GP27FZXC5YAAMMEC5XWKJHG
16
reference_url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UJO2U5ACZVACNQXJ5EBRFLFW6DP5BROY
reference_id
reference_type
scores
0
value 4.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UJO2U5ACZVACNQXJ5EBRFLFW6DP5BROY
17
reference_url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XJDO5VSIAOGT2WP63AXAAWNRSVJCNCRH
reference_id
reference_type
scores
0
value 4.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XJDO5VSIAOGT2WP63AXAAWNRSVJCNCRH
18
reference_url https://nvd.nist.gov/vuln/detail/CVE-2024-28180
reference_id
reference_type
scores
0
value 4.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2024-28180
19
reference_url https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1065814
reference_id 1065814
reference_type
scores
url https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1065814
20
reference_url https://bugzilla.redhat.com/show_bug.cgi?id=2268854
reference_id 2268854
reference_type
scores
url https://bugzilla.redhat.com/show_bug.cgi?id=2268854
21
reference_url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/GD2GSBQTBLYADASUBHHZV2CZPTSLIPQJ/
reference_id GD2GSBQTBLYADASUBHHZV2CZPTSLIPQJ
reference_type
scores
0
value 4.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L
1
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2024-03-11T15:08:38Z/
url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/GD2GSBQTBLYADASUBHHZV2CZPTSLIPQJ/
22
reference_url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/I6MMWFBOXJA6ZCXNVPDFJ4XMK5PVG5RG/
reference_id I6MMWFBOXJA6ZCXNVPDFJ4XMK5PVG5RG
reference_type
scores
0
value 4.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L
1
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2024-03-11T15:08:38Z/
url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/I6MMWFBOXJA6ZCXNVPDFJ4XMK5PVG5RG/
23
reference_url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/IJ6LAJJ2FTA2JVVOACCV5RZTOIZLXUNJ/
reference_id IJ6LAJJ2FTA2JVVOACCV5RZTOIZLXUNJ
reference_type
scores
0
value 4.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L
1
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2024-03-11T15:08:38Z/
url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/IJ6LAJJ2FTA2JVVOACCV5RZTOIZLXUNJ/
24
reference_url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/JNPMXL36YGS3GQEVI3Q5HKHJ7YAAQXL5/
reference_id JNPMXL36YGS3GQEVI3Q5HKHJ7YAAQXL5
reference_type
scores
0
value 4.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L
1
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2024-03-11T15:08:38Z/
url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/JNPMXL36YGS3GQEVI3Q5HKHJ7YAAQXL5/
25
reference_url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/KXKGNCRU7OTM5AHC7YIYBNOWI742PRMY/
reference_id KXKGNCRU7OTM5AHC7YIYBNOWI742PRMY
reference_type
scores
0
value 4.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L
1
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2024-03-11T15:08:38Z/
url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/KXKGNCRU7OTM5AHC7YIYBNOWI742PRMY/
26
reference_url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/MSOMHDKRPU3A2JEMRODT2IREDFBLVPGS/
reference_id MSOMHDKRPU3A2JEMRODT2IREDFBLVPGS
reference_type
scores
0
value 4.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L
1
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2024-03-11T15:08:38Z/
url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/MSOMHDKRPU3A2JEMRODT2IREDFBLVPGS/
27
reference_url https://access.redhat.com/errata/RHSA-2024:1456
reference_id RHSA-2024:1456
reference_type
scores
url https://access.redhat.com/errata/RHSA-2024:1456
28
reference_url https://access.redhat.com/errata/RHSA-2024:1570
reference_id RHSA-2024:1570
reference_type
scores
url https://access.redhat.com/errata/RHSA-2024:1570
29
reference_url https://access.redhat.com/errata/RHSA-2024:1812
reference_id RHSA-2024:1812
reference_type
scores
url https://access.redhat.com/errata/RHSA-2024:1812
30
reference_url https://access.redhat.com/errata/RHSA-2024:1859
reference_id RHSA-2024:1859
reference_type
scores
url https://access.redhat.com/errata/RHSA-2024:1859
31
reference_url https://access.redhat.com/errata/RHSA-2024:1946
reference_id RHSA-2024:1946
reference_type
scores
url https://access.redhat.com/errata/RHSA-2024:1946
32
reference_url https://access.redhat.com/errata/RHSA-2024:2054
reference_id RHSA-2024:2054
reference_type
scores
url https://access.redhat.com/errata/RHSA-2024:2054
33
reference_url https://access.redhat.com/errata/RHSA-2024:2071
reference_id RHSA-2024:2071
reference_type
scores
url https://access.redhat.com/errata/RHSA-2024:2071
34
reference_url https://access.redhat.com/errata/RHSA-2024:2096
reference_id RHSA-2024:2096
reference_type
scores
url https://access.redhat.com/errata/RHSA-2024:2096
35
reference_url https://access.redhat.com/errata/RHSA-2024:2549
reference_id RHSA-2024:2549
reference_type
scores
url https://access.redhat.com/errata/RHSA-2024:2549
36
reference_url https://access.redhat.com/errata/RHSA-2024:2639
reference_id RHSA-2024:2639
reference_type
scores
url https://access.redhat.com/errata/RHSA-2024:2639
37
reference_url https://access.redhat.com/errata/RHSA-2024:2773
reference_id RHSA-2024:2773
reference_type
scores
url https://access.redhat.com/errata/RHSA-2024:2773
38
reference_url https://access.redhat.com/errata/RHSA-2024:2776
reference_id RHSA-2024:2776
reference_type
scores
url https://access.redhat.com/errata/RHSA-2024:2776
39
reference_url https://access.redhat.com/errata/RHSA-2024:2865
reference_id RHSA-2024:2865
reference_type
scores
url https://access.redhat.com/errata/RHSA-2024:2865
40
reference_url https://access.redhat.com/errata/RHSA-2024:2869
reference_id RHSA-2024:2869
reference_type
scores
url https://access.redhat.com/errata/RHSA-2024:2869
41
reference_url https://access.redhat.com/errata/RHSA-2024:2875
reference_id RHSA-2024:2875
reference_type
scores
url https://access.redhat.com/errata/RHSA-2024:2875
42
reference_url https://access.redhat.com/errata/RHSA-2024:3327
reference_id RHSA-2024:3327
reference_type
scores
url https://access.redhat.com/errata/RHSA-2024:3327
43
reference_url https://access.redhat.com/errata/RHSA-2024:3349
reference_id RHSA-2024:3349
reference_type
scores
url https://access.redhat.com/errata/RHSA-2024:3349
44
reference_url https://access.redhat.com/errata/RHSA-2024:3351
reference_id RHSA-2024:3351
reference_type
scores
url https://access.redhat.com/errata/RHSA-2024:3351
45
reference_url https://access.redhat.com/errata/RHSA-2024:3523
reference_id RHSA-2024:3523
reference_type
scores
url https://access.redhat.com/errata/RHSA-2024:3523
46
reference_url https://access.redhat.com/errata/RHSA-2024:3826
reference_id RHSA-2024:3826
reference_type
scores
url https://access.redhat.com/errata/RHSA-2024:3826
47
reference_url https://access.redhat.com/errata/RHSA-2024:3827
reference_id RHSA-2024:3827
reference_type
scores
url https://access.redhat.com/errata/RHSA-2024:3827
48
reference_url https://access.redhat.com/errata/RHSA-2024:3968
reference_id RHSA-2024:3968
reference_type
scores
url https://access.redhat.com/errata/RHSA-2024:3968
49
reference_url https://access.redhat.com/errata/RHSA-2024:4006
reference_id RHSA-2024:4006
reference_type
scores
url https://access.redhat.com/errata/RHSA-2024:4006
50
reference_url https://access.redhat.com/errata/RHSA-2024:4010
reference_id RHSA-2024:4010
reference_type
scores
url https://access.redhat.com/errata/RHSA-2024:4010
51
reference_url https://access.redhat.com/errata/RHSA-2024:4041
reference_id RHSA-2024:4041
reference_type
scores
url https://access.redhat.com/errata/RHSA-2024:4041
52
reference_url https://access.redhat.com/errata/RHSA-2024:4455
reference_id RHSA-2024:4455
reference_type
scores
url https://access.redhat.com/errata/RHSA-2024:4455
53
reference_url https://access.redhat.com/errata/RHSA-2024:4484
reference_id RHSA-2024:4484
reference_type
scores
url https://access.redhat.com/errata/RHSA-2024:4484
54
reference_url https://access.redhat.com/errata/RHSA-2024:6209
reference_id RHSA-2024:6209
reference_type
scores
url https://access.redhat.com/errata/RHSA-2024:6209
55
reference_url https://access.redhat.com/errata/RHSA-2024:7179
reference_id RHSA-2024:7179
reference_type
scores
url https://access.redhat.com/errata/RHSA-2024:7179
56
reference_url https://access.redhat.com/errata/RHSA-2024:8229
reference_id RHSA-2024:8229
reference_type
scores
url https://access.redhat.com/errata/RHSA-2024:8229
57
reference_url https://access.redhat.com/errata/RHSA-2024:8235
reference_id RHSA-2024:8235
reference_type
scores
url https://access.redhat.com/errata/RHSA-2024:8235
58
reference_url https://access.redhat.com/errata/RHSA-2024:8974
reference_id RHSA-2024:8974
reference_type
scores
url https://access.redhat.com/errata/RHSA-2024:8974
59
reference_url https://access.redhat.com/errata/RHSA-2025:0536
reference_id RHSA-2025:0536
reference_type
scores
url https://access.redhat.com/errata/RHSA-2025:0536
60
reference_url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UG5FSEYJ3GP27FZXC5YAAMMEC5XWKJHG/
reference_id UG5FSEYJ3GP27FZXC5YAAMMEC5XWKJHG
reference_type
scores
0
value 4.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L
1
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2024-03-11T15:08:38Z/
url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UG5FSEYJ3GP27FZXC5YAAMMEC5XWKJHG/
61
reference_url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UJO2U5ACZVACNQXJ5EBRFLFW6DP5BROY/
reference_id UJO2U5ACZVACNQXJ5EBRFLFW6DP5BROY
reference_type
scores
0
value 4.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L
1
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2024-03-11T15:08:38Z/
url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UJO2U5ACZVACNQXJ5EBRFLFW6DP5BROY/
62
reference_url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XJDO5VSIAOGT2WP63AXAAWNRSVJCNCRH/
reference_id XJDO5VSIAOGT2WP63AXAAWNRSVJCNCRH
reference_type
scores
0
value 4.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L
1
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2024-03-11T15:08:38Z/
url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XJDO5VSIAOGT2WP63AXAAWNRSVJCNCRH/
fixed_packages
aliases CVE-2024-28180, GHSA-c5q2-7r4c-mv6g
risk_score 3.1
exploitability 0.5
weighted_severity 6.2
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-bq1t-9nnj-mkes
2
url VCID-jwrn-5t32-3fbq
vulnerability_id VCID-jwrn-5t32-3fbq
summary
Cosign malicious artifacts can cause machine-wide DoS
Maliciously crafted software artifacts can cause denial of service of the machine running Cosign, thereby impacting all services on the machine. The root cause is that Cosign creates slices based on the number of signatures, manifests or attestations in untrusted artifacts. As such, the untrusted artifact can control the amount of memory that Cosign allocates.

As an example, these lines demonstrate the problem:

https://github.com/sigstore/cosign/blob/286a98a4a99c1b2f32f84b0d560e324100312280/pkg/oci/remote/signatures.go#L56-L70 

This `Get()` method gets the manifest of the image, allocates a slice sized to the number of layers in the manifest, loops through the layers and appends a signature for each to the slice.

The exact issue is that Cosign allocates excessive memory on the line that creates a slice of the same length as the list of manifests.

## Remediation

Update to the latest version of Cosign, where the number of attestations, signatures and manifests has been limited to a reasonable value.

## Cosign PoC

In the case of this API (also referenced above):

https://github.com/sigstore/cosign/blob/286a98a4a99c1b2f32f84b0d560e324100312280/pkg/oci/remote/signatures.go#L56-L70

… The first line can contain a length that is safe for the system and will not throw a runtime panic or be blocked by other safety mechanisms. For the sake of argument, let's say that the length of `m, err := s.Manifest()` is the maximum number of manifests allowed (by the machine, without throwing OOM panics) minus 1. When Cosign then allocates a new slice on this line: `signatures := make([]oci.Signature, 0, len(m.Layers))`, Cosign will allocate more memory than is available and the machine will be denied service, causing Cosign and all other services on the machine to be unavailable.

To illustrate the issue here, we run a modified version of `TestSignedImageIndex()` in `pkg/oci/remote`:

https://github.com/sigstore/cosign/blob/14795db16417579fac0c00c11e166868d7976b61/pkg/oci/remote/index_test.go#L31-L57

Here, `wantLayers` is the number of manifests from these lines:

https://github.com/sigstore/cosign/blob/286a98a4a99c1b2f32f84b0d560e324100312280/pkg/oci/remote/signatures.go#L56-L60

To test this, we want to make `wantLayers` high enough not to cause memory exhaustion on its own but still trigger the machine-wide OOM when a slice gets created with the same length. On my local machine, it would take hours to create a slice of layers that fulfils that criterion, so instead I modify the Cosign production code to reflect a long list of manifests:

```golang
// Get implements oci.Signatures
func (s *sigs) Get() ([]oci.Signature, error) {
        m, err := s.Manifest()
        if err != nil {
                return nil, err
        }
        // Here we imitate a long list of manifests
        ms := make([]byte, 2600000000) // imitate a long list of manifests
        signatures := make([]oci.Signature, 0, len(ms))
        panic("Done")
        //signatures := make([]oci.Signature, 0, len(m.Layers))
        for _, desc := range m.Layers {
```

With this modified code, if we can cause an OOM without triggering the `panic("Done")`, we have succeeded.
references
0
reference_url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2024-29903.json
reference_id
reference_type
scores
0
value 4.2
scoring_system cvssv3
scoring_elements CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:N/I:N/A:H
url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2024-29903.json
1
reference_url https://api.first.org/data/v1/epss?cve=CVE-2024-29903
reference_id
reference_type
scores
0
value 0.00529
scoring_system epss
scoring_elements 0.67234
published_at 2026-04-21T12:55:00Z
1
value 0.00529
scoring_system epss
scoring_elements 0.67207
published_at 2026-04-13T12:55:00Z
2
value 0.00529
scoring_system epss
scoring_elements 0.67241
published_at 2026-04-16T12:55:00Z
3
value 0.00529
scoring_system epss
scoring_elements 0.67235
published_at 2026-04-09T12:55:00Z
4
value 0.00529
scoring_system epss
scoring_elements 0.67254
published_at 2026-04-18T12:55:00Z
5
value 0.0055
scoring_system epss
scoring_elements 0.67968
published_at 2026-04-08T12:55:00Z
6
value 0.0055
scoring_system epss
scoring_elements 0.67919
published_at 2026-04-02T12:55:00Z
7
value 0.0055
scoring_system epss
scoring_elements 0.67938
published_at 2026-04-04T12:55:00Z
8
value 0.0055
scoring_system epss
scoring_elements 0.67917
published_at 2026-04-07T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2024-29903
2
reference_url https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
reference_id
reference_type
scores
0
value 4.2
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:N/I:N/A:H
url https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
3
reference_url https://github.com/sigstore/cosign
reference_id
reference_type
scores
0
value 4.2
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:N/I:N/A:H
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/sigstore/cosign
4
reference_url https://github.com/sigstore/cosign/blob/14795db16417579fac0c00c11e166868d7976b61/pkg/cosign/verify.go#L948-L955
reference_id
reference_type
scores
0
value 4.2
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:N/I:N/A:H
1
value MODERATE
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2024-07-03T15:22:56Z/
url https://github.com/sigstore/cosign/blob/14795db16417579fac0c00c11e166868d7976b61/pkg/cosign/verify.go#L948-L955
5
reference_url https://github.com/sigstore/cosign/blob/286a98a4a99c1b2f32f84b0d560e324100312280/pkg/oci/remote/signatures.go#L56-L70
reference_id
reference_type
scores
0
value 4.2
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:N/I:N/A:H
1
value MODERATE
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2024-07-03T15:22:56Z/
url https://github.com/sigstore/cosign/blob/286a98a4a99c1b2f32f84b0d560e324100312280/pkg/oci/remote/signatures.go#L56-L70
6
reference_url https://github.com/sigstore/cosign/commit/629f5f8fa672973503edde75f84dcd984637629e
reference_id
reference_type
scores
0
value 4.2
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:N/I:N/A:H
1
value MODERATE
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2024-07-03T15:22:56Z/
url https://github.com/sigstore/cosign/commit/629f5f8fa672973503edde75f84dcd984637629e
7
reference_url https://github.com/sigstore/cosign/releases/tag/v2.2.4
reference_id
reference_type
scores
0
value 4.2
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:N/I:N/A:H
1
value MODERATE
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2024-07-03T15:22:56Z/
url https://github.com/sigstore/cosign/releases/tag/v2.2.4
8
reference_url https://github.com/sigstore/cosign/security/advisories/GHSA-95pr-fxf5-86gv
reference_id
reference_type
scores
0
value 4.2
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:N/I:N/A:H
1
value MODERATE
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2024-07-03T15:22:56Z/
url https://github.com/sigstore/cosign/security/advisories/GHSA-95pr-fxf5-86gv
9
reference_url https://nvd.nist.gov/vuln/detail/CVE-2024-29903
reference_id
reference_type
scores
0
value 4.2
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:N/I:N/A:H
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2024-29903
10
reference_url https://bugzilla.redhat.com/show_bug.cgi?id=2274504
reference_id 2274504
reference_type
scores
url https://bugzilla.redhat.com/show_bug.cgi?id=2274504
11
reference_url https://access.redhat.com/errata/RHSA-2024:4836
reference_id RHSA-2024:4836
reference_type
scores
url https://access.redhat.com/errata/RHSA-2024:4836
fixed_packages
aliases CVE-2024-29903, GHSA-95pr-fxf5-86gv
risk_score 3.1
exploitability 0.5
weighted_severity 6.2
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-jwrn-5t32-3fbq
3
url VCID-q1ze-sun1-xkah
vulnerability_id VCID-q1ze-sun1-xkah
summary
Cosign malicious attachments can cause system-wide denial of service
### Summary
A remote image with a malicious attachment can cause denial of service of the host machine running Cosign. This can impact other services on the machine that rely on having memory available, such as a Redis database, which can result in data loss. Other services on the machine are also unavailable for the duration of the denial of service.

### Details
The root cause of this issue is that Cosign reads the attachment from a remote image entirely into memory without checking the size of the attachment first. As such, a large attachment is read into memory in full; if the attachment is larger than the memory available on the machine, the machine is denied service. The Go runtime will make a `SIGKILL` after a few seconds of system-wide denial.

The root cause is that Cosign reads the contents of the attachments entirely into memory on line 238 below:

https://github.com/sigstore/cosign/blob/9bc3ee309bf35d2f6e17f5d23f231a3d8bf580bc/pkg/oci/remote/remote.go#L228-L239

...and prior to that, neither Cosign nor go-containerregistry checks the size of the attachment or enforces a maximum cap. In the case of a remote layer of `f *attached`, go-containerregistry will invoke this API:

https://github.com/google/go-containerregistry/blob/a0658aa1d0cc7a7f1bcc4a3af9155335b6943f40/pkg/v1/remote/layer.go#L36-L40
```golang
func (rl *remoteLayer) Compressed() (io.ReadCloser, error) {
	// We don't want to log binary layers -- this can break terminals.
	ctx := redact.NewContext(rl.ctx, "omitting binary blobs from logs")
	return rl.fetcher.fetchBlob(ctx, verify.SizeUnknown, rl.digest)
}
```

Notice that the second argument to `rl.fetcher.fetchBlob` is `verify.SizeUnknown` which results in not using the `io.LimitReader` in `verify.ReadCloser`:
https://github.com/google/go-containerregistry/blob/a0658aa1d0cc7a7f1bcc4a3af9155335b6943f40/internal/verify/verify.go#L82-L100
```golang
func ReadCloser(r io.ReadCloser, size int64, h v1.Hash) (io.ReadCloser, error) {
	w, err := v1.Hasher(h.Algorithm)
	if err != nil {
		return nil, err
	}
	r2 := io.TeeReader(r, w) // pass all writes to the hasher.
	if size != SizeUnknown {
		r2 = io.LimitReader(r2, size) // if we know the size, limit to that size.
	}
	return &and.ReadCloser{
		Reader: &verifyReader{
			inner:    r2,
			hasher:   w,
			expected: h,
			wantSize: size,
		},
		CloseFunc: r.Close,
	}, nil
}
```
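
Added example, not Cosign's or go-containerregistry's code: a reader that caps how much of an attachment is ever buffered even when the registry reports no size, and checks the blob's digest at EOF, in place of an unbounded read into memory. The 1 MiB cap, the `readAttachment` helper and the never-ending `endlessReader` that stands in for an oversized attachment are constructed for this example.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"hash"
	"io"
	"strings"
)

// Sentinel errors so callers can distinguish an oversized blob from a tampered one.
var (
	ErrTooLarge       = errors.New("attachment exceeds the configured size cap")
	ErrDigestMismatch = errors.New("attachment digest does not match the expected value")
)

// boundedReader wraps a blob stream so that at most maxBytes are ever buffered,
// even when the registry did not report a size, and hashes the bytes as they
// pass through so the digest can be checked once EOF is reached.
type boundedReader struct {
	inner    io.Reader // the blob, already wrapped in io.LimitReader(maxBytes+1)
	hasher   hash.Hash
	expected string // hex-encoded SHA-256 the caller already trusts
	maxBytes int64
	seen     int64
}

func newBoundedReader(r io.Reader, maxBytes int64, expectedHex string) *boundedReader {
	return &boundedReader{
		// One byte beyond the cap lets us tell "exactly maxBytes" from "more".
		inner:    io.LimitReader(r, maxBytes+1),
		hasher:   sha256.New(),
		expected: expectedHex,
		maxBytes: maxBytes,
	}
}

func (b *boundedReader) Read(p []byte) (int, error) {
	n, err := b.inner.Read(p)
	b.seen += int64(n)
	if b.seen > b.maxBytes {
		// Fail closed before the oversized blob is buffered: the caller gets an
		// error instead of the machine running out of memory.
		return n, ErrTooLarge
	}
	b.hasher.Write(p[:n])
	if err == io.EOF {
		if got := hex.EncodeToString(b.hasher.Sum(nil)); got != b.expected {
			return n, ErrDigestMismatch
		}
	}
	return n, err
}

// readAttachment replaces an unbounded io.ReadAll on the blob: it returns the
// contents only if they fit within maxBytes and hash to expectedHex.
func readAttachment(r io.Reader, maxBytes int64, expectedHex string) ([]byte, error) {
	return io.ReadAll(newBoundedReader(r, maxBytes, expectedHex))
}

// sha256Hex computes the trusted digest used in the checks above.
func sha256Hex(b []byte) string {
	sum := sha256.Sum256(b)
	return hex.EncodeToString(sum[:])
}

// endlessReader stands in for an attacker-sized attachment (constructed for
// this example): it never reaches EOF, so an unbounded read would grow until
// the process is killed.
type endlessReader struct{}

func (endlessReader) Read(p []byte) (int, error) {
	for i := range p {
		p[i] = 'A'
	}
	return len(p), nil
}

func main() {
	const maxBytes = 1 << 20 // 1 MiB; choose per deployment
	payload := []byte("constructed attachment payload")

	got, err := readAttachment(strings.NewReader(string(payload)), maxBytes, sha256Hex(payload))
	fmt.Printf("well-formed blob: %q err=%v\n", got, err)

	_, err = readAttachment(endlessReader{}, maxBytes, sha256Hex(payload))
	fmt.Printf("oversized blob: err=%v\n", err) // stops after maxBytes+1 bytes

	_, err = readAttachment(strings.NewReader(string(payload)), maxBytes, "00")
	fmt.Printf("tampered blob: err=%v\n", err)
}
```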

### Impact
This issue can allow a supply-chain escalation from a compromised registry to the Cosign user: if an attacker has compromised a registry or the account of an image vendor, they can include a malicious attachment and hurt the image consumer.

### Remediation
Update to the latest version of Cosign, which limits the number of attachments. An environment variable can override this value.
references
0
reference_url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2024-29902.json
reference_id
reference_type
scores
0
value 4.2
scoring_system cvssv3
scoring_elements CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:N/I:N/A:H
url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2024-29902.json
1
reference_url https://api.first.org/data/v1/epss?cve=CVE-2024-29902
reference_id
reference_type
scores
0
value 0.0021
scoring_system epss
scoring_elements 0.43362
published_at 2026-04-21T12:55:00Z
1
value 0.0021
scoring_system epss
scoring_elements 0.43377
published_at 2026-04-02T12:55:00Z
2
value 0.0021
scoring_system epss
scoring_elements 0.43405
published_at 2026-04-04T12:55:00Z
3
value 0.0021
scoring_system epss
scoring_elements 0.43428
published_at 2026-04-18T12:55:00Z
4
value 0.0021
scoring_system epss
scoring_elements 0.43439
published_at 2026-04-16T12:55:00Z
5
value 0.0021
scoring_system epss
scoring_elements 0.4338
published_at 2026-04-13T12:55:00Z
6
value 0.0021
scoring_system epss
scoring_elements 0.43395
published_at 2026-04-12T12:55:00Z
7
value 0.0021
scoring_system epss
scoring_elements 0.43426
published_at 2026-04-11T12:55:00Z
8
value 0.0021
scoring_system epss
scoring_elements 0.43407
published_at 2026-04-09T12:55:00Z
9
value 0.0021
scoring_system epss
scoring_elements 0.43343
published_at 2026-04-07T12:55:00Z
10
value 0.0021
scoring_system epss
scoring_elements 0.43393
published_at 2026-04-08T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2024-29902
2
reference_url https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
reference_id
reference_type
scores
0
value 4.2
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:N/I:N/A:H
url https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
3
reference_url https://github.com/google/go-containerregistry/blob/a0658aa1d0cc7a7f1bcc4a3af9155335b6943f40/pkg/v1/remote/layer.go#L36-L40
reference_id
reference_type
scores
0
value 4.2
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:N/I:N/A:H
1
value MODERATE
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2024-06-03T14:13:43Z/
url https://github.com/google/go-containerregistry/blob/a0658aa1d0cc7a7f1bcc4a3af9155335b6943f40/pkg/v1/remote/layer.go#L36-L40
4
reference_url https://github.com/sigstore/cosign
reference_id
reference_type
scores
0
value 4.2
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:N/I:N/A:H
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/sigstore/cosign
5
reference_url https://github.com/sigstore/cosign/blob/9bc3ee309bf35d2f6e17f5d23f231a3d8bf580bc/pkg/oci/remote/remote.go#L228-L239
reference_id
reference_type
scores
0
value 4.2
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:N/I:N/A:H
1
value MODERATE
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2024-06-03T14:13:43Z/
url https://github.com/sigstore/cosign/blob/9bc3ee309bf35d2f6e17f5d23f231a3d8bf580bc/pkg/oci/remote/remote.go#L228-L239
6
reference_url https://github.com/sigstore/cosign/commit/629f5f8fa672973503edde75f84dcd984637629e
reference_id
reference_type
scores
0
value 4.2
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:N/I:N/A:H
1
value MODERATE
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2024-06-03T14:13:43Z/
url https://github.com/sigstore/cosign/commit/629f5f8fa672973503edde75f84dcd984637629e
7
reference_url https://github.com/sigstore/cosign/releases/tag/v2.2.4
reference_id
reference_type
scores
0
value 4.2
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:N/I:N/A:H
1
value MODERATE
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2024-06-03T14:13:43Z/
url https://github.com/sigstore/cosign/releases/tag/v2.2.4
8
reference_url https://github.com/sigstore/cosign/security/advisories/GHSA-88jx-383q-w4qc
reference_id
reference_type
scores
0
value 4.2
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:N/I:N/A:H
1
value MODERATE
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2024-06-03T14:13:43Z/
url https://github.com/sigstore/cosign/security/advisories/GHSA-88jx-383q-w4qc
9
reference_url https://nvd.nist.gov/vuln/detail/CVE-2024-29902
reference_id
reference_type
scores
0
value 4.2
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:N/I:N/A:H
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2024-29902
10
reference_url https://bugzilla.redhat.com/show_bug.cgi?id=2274508
reference_id 2274508
reference_type
scores
url https://bugzilla.redhat.com/show_bug.cgi?id=2274508
11
reference_url https://access.redhat.com/errata/RHSA-2024:4836
reference_id RHSA-2024:4836
reference_type
scores
url https://access.redhat.com/errata/RHSA-2024:4836
fixed_packages
aliases CVE-2024-29902, GHSA-88jx-383q-w4qc
risk_score 3.1
exploitability 0.5
weighted_severity 6.2
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-q1ze-sun1-xkah
4
url VCID-sajm-cnn5-jqac
vulnerability_id VCID-sajm-cnn5-jqac
summary
Go SDK for CloudEvents's use of WithRoundTripper to create a Client leaks credentials
### Impact
_What kind of vulnerability is it? Who is impacted?_
Using cloudevents.WithRoundTripper to create a cloudevents.Client with an authenticated http.RoundTripper causes the go-sdk to leak credentials to arbitrary endpoints.

The relevant code is [here](https://github.com/cloudevents/sdk-go/blob/67e389964131d55d65cd14b4eb32d57a47312695/v2/protocol/http/protocol.go#L104-L110) (also inline, emphasis added):

```golang
if p.Client == nil {
  p.Client = http.DefaultClient // emphasis added
}

if p.roundTripper != nil {
  p.Client.Transport = p.roundTripper // emphasis added
}
```

When the transport is populated with an authenticated transport such as:
- [oauth2.Transport](https://pkg.go.dev/golang.org/x/oauth2#Transport)
- [idtoken.NewClient(...).Transport](https://pkg.go.dev/google.golang.org/api/idtoken#NewClient)

... then http.DefaultClient is modified with the authenticated transport and will start to send Authorization tokens to
**any endpoint** it is used to contact!
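
Added example, not the sdk-go project's code: the fallback-and-mutate pattern quoted above beside a construction that leaves `http.DefaultClient` untouched, exercised with a fake in-process transport and a constructed bearer token so it runs offline. `vulnerableClient`, `safeClient`, `bearerTransport` and `recordingTransport` are names chosen for this example; whether the upstream fix took exactly this shape is not asserted here.

```go
package main

import (
	"fmt"
	"net/http"
)

// recordingTransport stands in for the network: it never dials, it only notes
// the Authorization header and host of the last request that reached it.
type recordingTransport struct {
	lastAuth string
	lastHost string
}

func (r *recordingTransport) RoundTrip(req *http.Request) (*http.Response, error) {
	r.lastAuth = req.Header.Get("Authorization")
	r.lastHost = req.URL.Host
	return &http.Response{StatusCode: http.StatusOK, Body: http.NoBody, Request: req}, nil
}

// bearerTransport is a minimal stand-in for an authenticated RoundTripper such
// as oauth2.Transport: it attaches a token to every request it forwards.
type bearerTransport struct {
	base  http.RoundTripper
	token string
}

func (b *bearerTransport) RoundTrip(req *http.Request) (*http.Response, error) {
	req = req.Clone(req.Context())
	req.Header.Set("Authorization", "Bearer "+b.token)
	return b.base.RoundTrip(req)
}

// vulnerableClient mirrors the pattern quoted in the advisory: with no client
// supplied it falls back to http.DefaultClient and then mutates its Transport,
// so the credential now rides on every request the process makes through it.
func vulnerableClient(client *http.Client, rt http.RoundTripper) *http.Client {
	if client == nil {
		client = http.DefaultClient
	}
	if rt != nil {
		client.Transport = rt
	}
	return client
}

// safeClient never touches the shared default: a caller-supplied client is
// used as-is, otherwise a fresh client owns the authenticated transport.
func safeClient(client *http.Client, rt http.RoundTripper) *http.Client {
	if client != nil {
		return client
	}
	return &http.Client{Transport: rt}
}

// unrelatedRequestLeaks models other code in the same process that uses
// http.DefaultClient for an endpoint that must never see the credential, and
// reports whether that request carried an Authorization header. To stay
// offline it only sends when the default transport has been replaced by our
// fake; with the stock transport nothing was mutated, so nothing can leak.
func unrelatedRequestLeaks(rec *recordingTransport) (bool, error) {
	if http.DefaultClient.Transport == nil {
		return false, nil
	}
	req, err := http.NewRequest(http.MethodGet, "https://unrelated.example/health", nil)
	if err != nil {
		return false, err
	}
	resp, err := http.DefaultClient.Do(req)
	if err != nil {
		return false, err
	}
	resp.Body.Close()
	return rec.lastAuth != "", nil
}

// resetDefaultClient undoes the mutation so later code is not affected.
func resetDefaultClient() { http.DefaultClient.Transport = nil }

func main() {
	rec := &recordingTransport{}
	rt := &bearerTransport{base: rec, token: "constructed-token"}

	vulnerableClient(nil, rt)
	leaked, _ := unrelatedRequestLeaks(rec)
	fmt.Printf("vulnerable construction: token sent to %s = %v\n", rec.lastHost, leaked)
	resetDefaultClient()

	*rec = recordingTransport{}
	safeClient(nil, rt)
	leaked, _ = unrelatedRequestLeaks(rec)
	fmt.Printf("safe construction: token leaked through DefaultClient = %v\n", leaked)
}
```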

Found and patched by: @tcnghia and @mattmoor

### Patches
v2.15.2
references
0
reference_url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2024-28110.json
reference_id
reference_type
scores
0
value 6.5
scoring_system cvssv3
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2024-28110.json
1
reference_url https://api.first.org/data/v1/epss?cve=CVE-2024-28110
reference_id
reference_type
scores
0
value 0.00137
scoring_system epss
scoring_elements 0.33408
published_at 2026-04-21T12:55:00Z
1
value 0.00137
scoring_system epss
scoring_elements 0.33439
published_at 2026-04-18T12:55:00Z
2
value 0.00137
scoring_system epss
scoring_elements 0.33464
published_at 2026-04-16T12:55:00Z
3
value 0.00137
scoring_system epss
scoring_elements 0.33455
published_at 2026-04-08T12:55:00Z
4
value 0.00137
scoring_system epss
scoring_elements 0.33539
published_at 2026-04-02T12:55:00Z
5
value 0.00137
scoring_system epss
scoring_elements 0.33572
published_at 2026-04-04T12:55:00Z
6
value 0.00137
scoring_system epss
scoring_elements 0.33412
published_at 2026-04-07T12:55:00Z
7
value 0.00137
scoring_system epss
scoring_elements 0.3349
published_at 2026-04-09T12:55:00Z
8
value 0.00137
scoring_system epss
scoring_elements 0.33428
published_at 2026-04-13T12:55:00Z
9
value 0.00137
scoring_system epss
scoring_elements 0.33452
published_at 2026-04-12T12:55:00Z
10
value 0.00137
scoring_system epss
scoring_elements 0.33493
published_at 2026-04-11T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2024-28110
2
reference_url https://github.com/cloudevents/sdk-go
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/cloudevents/sdk-go
3
reference_url https://github.com/cloudevents/sdk-go/blob/67e389964131d55d65cd14b4eb32d57a47312695/v2/protocol/http/protocol.go#L104-L110
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
1
value HIGH
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-03-07T16:39:07Z/
url https://github.com/cloudevents/sdk-go/blob/67e389964131d55d65cd14b4eb32d57a47312695/v2/protocol/http/protocol.go#L104-L110
4
reference_url https://github.com/cloudevents/sdk-go/commit/de2f28370b0d2a0f64f92c0c6139fa4b8a7c3851
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
1
value HIGH
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-03-07T16:39:07Z/
url https://github.com/cloudevents/sdk-go/commit/de2f28370b0d2a0f64f92c0c6139fa4b8a7c3851
5
reference_url https://github.com/cloudevents/sdk-go/security/advisories/GHSA-5pf6-2qwx-pxm2
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
1
value HIGH
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-03-07T16:39:07Z/
url https://github.com/cloudevents/sdk-go/security/advisories/GHSA-5pf6-2qwx-pxm2
6
reference_url https://bugzilla.redhat.com/show_bug.cgi?id=2268372
reference_id 2268372
reference_type
scores
url https://bugzilla.redhat.com/show_bug.cgi?id=2268372
7
reference_url https://access.redhat.com/errata/RHSA-2024:0040
reference_id RHSA-2024:0040
reference_type
scores
url https://access.redhat.com/errata/RHSA-2024:0040
8
reference_url https://access.redhat.com/errata/RHSA-2024:1333
reference_id RHSA-2024:1333
reference_type
scores
url https://access.redhat.com/errata/RHSA-2024:1333
fixed_packages
aliases CVE-2024-28110, GHSA-5pf6-2qwx-pxm2
risk_score 4.0
exploitability 0.5
weighted_severity 8.0
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-sajm-cnn5-jqac
Fixing_vulnerabilities
Risk_score 4.0
Resource_url http://public2.vulnerablecode.io/packages/pkg:rpm/redhat/openshift-pipelines-client@1.15.0-11496%3Farch=el8