Package details: pkg:rpm/redhat/servicemesh-prometheus@2.14.0-14?arch=el8

purl: pkg:rpm/redhat/servicemesh-prometheus@2.14.0-14?arch=el8
Next non-vulnerable version: None
Latest non-vulnerable version: None
Risk: 10.0
Vulnerabilities affecting this package (5)

Vulnerability: VCID-37zk-9fax-v7e1
  Aliases: CVE-2020-9283, GHSA-ffhg-7mh4-33c4
  Summary: Improper Verification of Cryptographic Signature in golang.org/x/crypto. golang.org/x/crypto before v0.0.0-20200220183623-bac4c82f6975 for Go allows a panic during signature verification in the golang.org/x/crypto/ssh package. A client can attack an SSH server that accepts public keys. Also, a server can attack any SSH client.
  Fixed by: There are no reported fixed-by versions.

Vulnerability: VCID-44qf-p2rd-6qay
  Aliases: CVE-2020-8203, GHSA-p6mc-m468-83gw
  Summary: Prototype Pollution in lodash. Versions of lodash prior to 4.17.19 are vulnerable to Prototype Pollution. The functions `pick`, `set`, `setWith`, `update`, `updateWith`, and `zipObjectDeep` allow a malicious user to modify the prototype of Object if the property identifiers are user-supplied. Being affected by this issue requires manipulating objects based on user-provided property values or arrays. This vulnerability causes the addition or modification of an existing property that will exist on all objects and may lead to Denial of Service or Code Execution under specific circumstances.
  Fixed by: There are no reported fixed-by versions.

Vulnerability: VCID-cvxp-ctj9-guej
  Aliases: CVE-2020-11023, GHSA-jpcq-cgw6-v4j6
  Summary: Potential XSS vulnerability in jQuery.
    Impact: Passing HTML containing `<option>` elements from untrusted sources, even after sanitizing them, to one of jQuery's DOM manipulation methods (i.e. `.html()`, `.append()`, and others) may execute untrusted code.
    Patches: This problem is patched in jQuery 3.5.0.
    Workarounds: To work around this issue without upgrading, use DOMPurify (https://github.com/cure53/DOMPurify) with its `SAFE_FOR_JQUERY` option to sanitize the HTML string before passing it to a jQuery method.
    References: https://blog.jquery.com/2020/04/10/jquery-3-5-0-released/
    For more information: If you have any questions or comments about this advisory, search for a relevant issue in the jQuery repo (https://github.com/jquery/jquery/issues). If you don't find an answer, open a new issue.
  Fixed by: There are no reported fixed-by versions.

Vulnerability: VCID-n82z-sfd6-x3af
  Aliases: CVE-2020-14040, GHSA-5rcv-m4m3-hfh7
  Summary: golang.org/x/text Infinite loop. Go version v0.3.3 of the x/text package fixes a vulnerability in encoding/unicode that could lead to the UTF-16 decoder entering an infinite loop, causing the program to crash or run out of memory. An attacker could provide a single byte to a UTF-16 decoder instantiated with UseBOM or ExpectBOM to trigger an infinite loop if the String function on the Decoder is called, or the Decoder is passed to golang.org/x/text/transform.String.
    Specific Go packages affected: golang.org/x/text/encoding/unicode, golang.org/x/text/transform
  Fixed by: There are no reported fixed-by versions.

Vulnerability: VCID-sx44-1d9e-bban
  Aliases: CVE-2020-12666, GHSA-733f-44f3-3frw
  Summary: gopkg.in/macaron.v1 Open Redirect vulnerability. macaron before 1.3.7 has an open redirect in the static handler. Due to improper request sanitization, a specifically crafted URL can cause the static file handler to redirect to an attacker-chosen URL, allowing for open redirect attacks.
  Fixed by: There are no reported fixed-by versions.
Vulnerabilities fixed by this package (0)

Vulnerability | Summary | Aliases
This package is not known to fix vulnerabilities.

History

Date | Actor | Action | Vulnerability | Source | VulnerableCode Version
2026-04-01T14:12:14.947674+00:00 | RedHat Importer | Affected by | VCID-37zk-9fax-v7e1 | https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2020-9283.json | 38.0.0
2026-04-01T14:08:38.783595+00:00 | RedHat Importer | Affected by | VCID-44qf-p2rd-6qay | https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2020-8203.json | 38.0.0
2026-04-01T14:08:30.957669+00:00 | RedHat Importer | Affected by | VCID-cvxp-ctj9-guej | https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2020-11023.json | 38.0.0
2026-04-01T14:08:10.013027+00:00 | RedHat Importer | Affected by | VCID-sx44-1d9e-bban | https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2020-12666.json | 38.0.0
2026-04-01T14:06:08.680208+00:00 | RedHat Importer | Affected by | VCID-n82z-sfd6-x3af | https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2020-14040.json | 38.0.0