Search for packages
| purl | pkg:rpm/redhat/ceph@2:18.2.1-381?arch=el8cp |
| Next non-vulnerable version | None. |
| Latest non-vulnerable version | None. |
| Risk | 4.5 |
| Vulnerability | Summary | Fixed by |
|---|---|---|
|
VCID-18bk-met9-qfc9
Aliases: CVE-2024-31884 |
pybind: Improper use of Pybind | There are no reported fixed by versions. |
|
VCID-1yz5-m9s7-nqdm
Aliases: CVE-2024-47866 |
rgw: RGW DoS attack with empty HTTP header in S3 object copy | There are no reported fixed by versions. |
|
VCID-864e-hkby-qfh6
Aliases: CVE-2021-23358 GHSA-cf4h-3jhx-xvhq |
Arbitrary Code Execution in underscore The package `underscore` from 1.13.0-0 and before 1.13.0-2, from 1.3.2 and before 1.12.1 are vulnerable to Arbitrary Code Execution via the template function, particularly when a variable property is passed as an argument as it is not sanitized. | There are no reported fixed by versions. |
|
VCID-h8nr-tcb7-93em
Aliases: CVE-2024-11831 GHSA-76p7-773f-r4q5 |
Cross-site Scripting (XSS) in serialize-javascript A flaw was found in npm-serialize-javascript. The vulnerability occurs because the serialize-javascript module does not properly sanitize certain inputs, such as regex or other JavaScript object types, allowing an attacker to inject malicious code. This code could be executed when deserialized by a web browser, causing Cross-site scripting (XSS) attacks. This issue is critical in environments where serialized data is sent to web clients, potentially compromising the security of the website or web application using this package. | There are no reported fixed by versions. |
|
VCID-hay4-q9m3-ekdj
Aliases: CVE-2025-61729 |
crypto/x509: golang: Denial of Service due to excessive resource consumption via crafted certificate | There are no reported fixed by versions. |
|
VCID-qb4z-jzem-myee
Aliases: CVE-2022-34749 GHSA-fw3v-x4f2-v673 PYSEC-2022-237 |
In mistune through 2.0.2, support of inline markup is implemented by using regular expressions that can involve a high amount of backtracking on certain edge cases. This behavior is commonly named catastrophic backtracking. | There are no reported fixed by versions. |
|
VCID-qp47-aewx-wufh
Aliases: CVE-2024-51744 GHSA-29wx-vh33-7x7r |
Bad documentation of error handling in ParseWithClaims can lead to potentially dangerous situations ### Summary Unclear documentation of the error behavior in `ParseWithClaims` can lead to situation where users are potentially not checking errors in the way they should be. Especially, if a token is both expired and invalid, the errors returned by `ParseWithClaims` return both error codes. If users only check for the `jwt.ErrTokenExpired ` using `error.Is`, they will ignore the embedded `jwt.ErrTokenSignatureInvalid` and thus potentially accept invalid tokens. ### Fix We have back-ported the error handling logic from the `v5` branch to the `v4` branch. In this logic, the `ParseWithClaims` function will immediately return in "dangerous" situations (e.g., an invalid signature), limiting the combined errors only to situations where the signature is valid, but further validation failed (e.g., if the signature is valid, but is expired AND has the wrong audience). This fix is part of the 4.5.1 release. ### Workaround We are aware that this changes the behaviour of an established function and is not 100 % backwards compatible, so updating to 4.5.1 might break your code. In case you cannot update to 4.5.0, please make sure that you are properly checking for all errors ("dangerous" ones first), so that you are not running in the case detailed above. ```Go token, err := /* jwt.Parse or similar */ if token.Valid { fmt.Println("You look nice today") } else if errors.Is(err, jwt.ErrTokenMalformed) { fmt.Println("That's not even a token") } else if errors.Is(err, jwt.ErrTokenUnverifiable) { fmt.Println("We could not verify this token") } else if errors.Is(err, jwt.ErrTokenSignatureInvalid) { fmt.Println("This token has an invalid signature") } else if errors.Is(err, jwt.ErrTokenExpired) || errors.Is(err, jwt.ErrTokenNotValidYet) { // Token is either expired or not active yet fmt.Println("Timing is everything") } else { fmt.Println("Couldn't handle this token:", err) } ``` | There are no reported fixed by versions. |
|
VCID-r1ah-c6z7-vyen
Aliases: CVE-2025-52555 |
ceph: privilege escalation by unprivileged users in a ceph-fuse mounted CephFS | There are no reported fixed by versions. |
|
VCID-s6f3-3mxh-ekfr
Aliases: CVE-2024-55565 GHSA-mwcw-c2x4-8c55 |
Predictable results in nanoid generation when given non-integer values When nanoid is called with a fractional value, there were a number of undesirable effects: 1. in browser and non-secure, the code infinite loops on while (size--) 2. in node, the value of poolOffset becomes fractional, causing calls to nanoid to return zeroes until the pool is next filled 3. if the first call in node is a fractional argument, the initial buffer allocation fails with an error Version 3.3.8 and 5.0.9 are fixed. | There are no reported fixed by versions. |
|
VCID-sty6-gwh1-hbcy
Aliases: CVE-2025-47913 |
golang.org/x/crypto/ssh/agent: golang.org/x/crypto/ssh/agent: SSH client panic due to unexpected SSH_AGENT_SUCCESS | There are no reported fixed by versions. |
|
VCID-vzq7-t235-ukd5
Aliases: CVE-2025-26791 GHSA-vhxf-7vqr-mrjg |
DOMPurify allows Cross-site Scripting (XSS) DOMPurify before 3.2.4 has an incorrect template literal regular expression when SAFE_FOR_TEMPLATES is set to true, sometimes leading to mutation cross-site scripting (mXSS). | There are no reported fixed by versions. |
| Vulnerability | Summary | Aliases |
|---|---|---|
| This package is not known to fix vulnerabilities. | ||