VulnerableCode Package Details - pkg:rpm/redhat/podman@4:4.9.4-10?arch=el9

Search for packages

Vulnerability	Summary	Fixed by
VCID-4psv-cefc-7kad Aliases: CVE-2024-24783	Multiple vulnerabilities have been discovered in Go, the worst of which could lead to information leakage or a denial of service.	There are no reported fixed by versions.
VCID-fcfw-7u4r-ebf8 Aliases: CVE-2024-37298 GHSA-3669-72x9-r9p3	Potential memory exhaustion attack due to sparse slice deserialization ### Details Running `schema.Decoder.Decode()` on a struct that has a field of type `[]struct{...}` opens it up to malicious attacks regarding memory allocations, taking advantage of the sparse slice functionality. For instance, in the Proof of Concept written below, someone can specify to set a field of the billionth element and it will allocate all other elements before it in the slice. In the local environment environment for my project, I was able to call an endpoint like `/innocent_endpoint?arr.10000000.X=1` and freeze my system from the memory allocation while parsing `r.Form`. I think [this line](https://github.com/gorilla/schema/blob/main/decoder.go#L223) is responsible for allocating the slice, although I haven't tested to make sure, so it's just an educated guess. ### Proof of Concept The following proof of concept works on both v1.2.0 and v1.2.1. I have not tested earlier versions. ```go package main import ( "fmt" "github.com/gorilla/schema" ) func main() { dec := schema.NewDecoder() var result struct { Arr []struct{ Val int } } if err := dec.Decode(&result, map[string][]string{"arr.1000000000.Val": {"1"}}); err != nil { panic(err) } fmt.Printf("%#+v\n", result) } ``` ### Impact Any use of `schema.Decoder.Decode()` on a struct with arrays of other structs could be vulnerable to this memory exhaustion vulnerability. There seems to be no possible solution that a developer using this library can do to disable this behaviour without fixing it in this project, so all uses of Decode that fall under this umbrella are affected. A fix that doesn't require a major change may also be harder to find, since it could break compatibility with some other intended use-cases.	There are no reported fixed by versions.
VCID-k54u-rbhx-bbbu Aliases: CVE-2024-6104 GHSA-v6v8-xj6m-xwqh	go-retryablehttp can leak basic auth credentials to log files go-retryablehttp prior to 0.7.7 did not sanitize urls when writing them to its log file. This could lead to go-retryablehttp writing sensitive HTTP basic auth credentials to its log file. This vulnerability, CVE-2024-6104, was fixed in go-retryablehttp 0.7.7.	There are no reported fixed by versions.

Vulnerability

Summary

Fixed by

VCID-4psv-cefc-7kad
Aliases:
CVE-2024-24783

Multiple vulnerabilities have been discovered in Go, the worst of which could lead to information leakage or a denial of service.

There are no reported fixed by versions.

VCID-fcfw-7u4r-ebf8
Aliases:
CVE-2024-37298
GHSA-3669-72x9-r9p3

Potential memory exhaustion attack due to sparse slice deserialization ### Details Running `schema.Decoder.Decode()` on a struct that has a field of type `[]struct{...}` opens it up to malicious attacks regarding memory allocations, taking advantage of the sparse slice functionality. For instance, in the Proof of Concept written below, someone can specify to set a field of the billionth element and it will allocate all other elements before it in the slice. In the local environment environment for my project, I was able to call an endpoint like `/innocent_endpoint?arr.10000000.X=1` and freeze my system from the memory allocation while parsing `r.Form`. I think [this line](https://github.com/gorilla/schema/blob/main/decoder.go#L223) is responsible for allocating the slice, although I haven't tested to make sure, so it's just an educated guess. ### Proof of Concept The following proof of concept works on both v1.2.0 and v1.2.1. I have not tested earlier versions. ```go package main import ( "fmt" "github.com/gorilla/schema" ) func main() { dec := schema.NewDecoder() var result struct { Arr []struct{ Val int } } if err := dec.Decode(&result, map[string][]string{"arr.1000000000.Val": {"1"}}); err != nil { panic(err) } fmt.Printf("%#+v\n", result) } ``` ### Impact Any use of `schema.Decoder.Decode()` on a struct with arrays of other structs could be vulnerable to this memory exhaustion vulnerability. There seems to be no possible solution that a developer using this library can do to disable this behaviour without fixing it in this project, so all uses of Decode that fall under this umbrella are affected. A fix that doesn't require a major change may also be harder to find, since it could break compatibility with some other intended use-cases.

There are no reported fixed by versions.

VCID-k54u-rbhx-bbbu
Aliases:
CVE-2024-6104
GHSA-v6v8-xj6m-xwqh

go-retryablehttp can leak basic auth credentials to log files go-retryablehttp prior to 0.7.7 did not sanitize urls when writing them to its log file. This could lead to go-retryablehttp writing sensitive HTTP basic auth credentials to its log file. This vulnerability, CVE-2024-6104, was fixed in go-retryablehttp 0.7.7.

There are no reported fixed by versions.

Vulnerability	Summary	Aliases
This package is not known to fix vulnerabilities.

Vulnerability

Summary

Aliases

This package is not known to fix vulnerabilities.

Date	Actor	Action	Vulnerability	Source	VulnerableCode Version
2026-04-01T13:49:20.237376+00:00	RedHat Importer	Affected by	VCID-4psv-cefc-7kad	https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2024-24783.json	38.0.0
2026-04-01T13:46:37.827195+00:00	RedHat Importer	Affected by	VCID-k54u-rbhx-bbbu	https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2024-6104.json	38.0.0
2026-04-01T13:46:34.670162+00:00	RedHat Importer	Affected by	VCID-fcfw-7u4r-ebf8	https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2024-37298.json	38.0.0