{"url":"http://public2.vulnerablecode.io/api/packages/93549?format=json","purl":"pkg:rpm/redhat/openshift-pipelines-client@1.15.0-11496?arch=el8","type":"rpm","namespace":"redhat","name":"openshift-pipelines-client","version":"1.15.0-11496","qualifiers":{"arch":"el8"},"subpath":"","is_vulnerable":true,"next_non_vulnerable_version":null,"latest_non_vulnerable_version":null,"affected_by_vulnerabilities":[{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/12589?format=json","vulnerability_id":"VCID-aj2b-56uj-gkar","summary":"net/http, x/net/http2: close connections when receiving too many headers\nAn attacker may cause an HTTP/2 endpoint to read arbitrary amounts of header data by sending an excessive number of CONTINUATION frames. Maintaining HPACK state requires parsing and processing all HEADERS and CONTINUATION frames on a connection. When a request's headers exceed MaxHeaderBytes, no memory is allocated to store the excess headers, but they are still parsed. This permits an attacker to cause an HTTP/2 endpoint to read arbitrary amounts of header data, all associated with a request which is going to be rejected. These headers can include Huffman-encoded data which is significantly more expensive for the receiver to decode than for an attacker to send. 
The fix sets a limit on the amount of excess header frames we will process before closing a connection.","references":[{"reference_url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2023-45288.json","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"}],"url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2023-45288.json"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2023-45288","reference_id":"","reference_type":"","scores":[{"value":"0.66635","scoring_system":"epss","scoring_elements":"0.98548","published_at":"2026-04-29T12:55:00Z"},{"value":"0.69905","scoring_system":"epss","scoring_elements":"0.98688","published_at":"2026-05-12T12:55:00Z"},{"value":"0.69905","scoring_system":"epss","scoring_elements":"0.98687","published_at":"2026-05-11T12:55:00Z"},{"value":"0.69905","scoring_system":"epss","scoring_elements":"0.98686","published_at":"2026-05-09T12:55:00Z"},{"value":"0.69905","scoring_system":"epss","scoring_elements":"0.98685","published_at":"2026-05-07T12:55:00Z"},{"value":"0.69905","scoring_system":"epss","scoring_elements":"0.98683","published_at":"2026-05-05T12:55:00Z"},{"value":"0.69905","scoring_system":"epss","scoring_elements":"0.9869","published_at":"2026-05-14T12:55:00Z"},{"value":"0.71463","scoring_system":"epss","scoring_elements":"0.98726","published_at":"2026-04-13T12:55:00Z"},{"value":"0.71463","scoring_system":"epss","scoring_elements":"0.98725","published_at":"2026-04-11T12:55:00Z"},{"value":"0.71463","scoring_system":"epss","scoring_elements":"0.98722","published_at":"2026-04-09T12:55:00Z"},{"value":"0.71463","scoring_system":"epss","scoring_elements":"0.98723","published_at":"2026-04-08T12:55:00Z"},{"value":"0.71463","scoring_system":"epss","scoring_elements":"0.98746","published_at":"2026-05-16T12:55:00Z"},{"value":"0.71463","scoring_system":"epss","scoring_elements":"0.98715","published_at":"2026-04-
02T12:55:00Z"},{"value":"0.71463","scoring_system":"epss","scoring_elements":"0.98748","published_at":"2026-05-15T12:55:00Z"},{"value":"0.71463","scoring_system":"epss","scoring_elements":"0.98719","published_at":"2026-04-04T12:55:00Z"},{"value":"0.71463","scoring_system":"epss","scoring_elements":"0.98734","published_at":"2026-04-24T12:55:00Z"},{"value":"0.71463","scoring_system":"epss","scoring_elements":"0.9873","published_at":"2026-04-21T12:55:00Z"},{"value":"0.71463","scoring_system":"epss","scoring_elements":"0.98729","published_at":"2026-04-16T12:55:00Z"},{"value":"0.76542","scoring_system":"epss","scoring_elements":"0.9895","published_at":"2026-04-26T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2023-45288"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-45288","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-45288"},{"reference_url":"https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"}],"url":"https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml"},{"reference_url":"https://go.dev/cl/576155","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"},{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-04-05T17:08:42Z/"}],"url":"https://go.dev/cl/576155"},{"reference_url":"https://go.dev/issue/65051","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI
:N/S:U/C:N/I:N/A:L"},{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-04-05T17:08:42Z/"}],"url":"https://go.dev/issue/65051"},{"reference_url":"https://groups.google.com/g/golang-announce/c/YgW0sx8mN3M","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"},{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-04-05T17:08:42Z/"}],"url":"https://groups.google.com/g/golang-announce/c/YgW0sx8mN3M"},{"reference_url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QRYFHIQ6XRKRYBI2F5UESH67BJBQXUPT","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QRYFHIQ6XRKRYBI2F5UESH67BJBQXUPT"},{"reference_url":"https://nowotarski.info/http2-continuation-flood-technical-details","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nowotarski.info/http2-continuation-flood-technical-details"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2023-45288","reference_id":"","reference_type":"
","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2023-45288"},{"reference_url":"https://pkg.go.dev/vuln/GO-2024-2687","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"},{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-04-05T17:08:42Z/"}],"url":"https://pkg.go.dev/vuln/GO-2024-2687"},{"reference_url":"https://security.netapp.com/advisory/ntap-20240419-0009","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://security.netapp.com/advisory/ntap-20240419-0009"},{"reference_url":"https://www.kb.cert.org/vuls/id/421644","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://www.kb.cert.org/vuls/id/421644"},{"reference_url":"http://www.openwall.com/lists/oss-security/2024/04/03/16","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"},{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_syste
m":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-04-05T17:08:42Z/"}],"url":"http://www.openwall.com/lists/oss-security/2024/04/03/16"},{"reference_url":"http://www.openwall.com/lists/oss-security/2024/04/05/4","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"},{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-04-05T17:08:42Z/"}],"url":"http://www.openwall.com/lists/oss-security/2024/04/05/4"},{"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=2268273","reference_id":"2268273","reference_type":"","scores":[],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2268273"},{"reference_url":"https://security.gentoo.org/glsa/202408-07","reference_id":"GLSA-202408-07","reference_type":"","scores":[],"url":"https://security.gentoo.org/glsa/202408-07"},{"reference_url":"https://security.netapp.com/advisory/ntap-20240419-0009/","reference_id":"ntap-20240419-0009","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-04-05T17:08:42Z/"}],"url":"https://security.netapp.com/advisory/ntap-20240419-0009/"},{"reference_url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QRYFHIQ6XRKRYBI2F5UESH67BJBQXUPT/","reference_id":"QRYFHIQ6XRKRYBI2F5UESH67BJBQXUPT","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D
:T/2024-04-05T17:08:42Z/"}],"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QRYFHIQ6XRKRYBI2F5UESH67BJBQXUPT/"},{"reference_url":"https://access.redhat.com/errata/RHSA-2024:1616","reference_id":"RHSA-2024:1616","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2024:1616"},{"reference_url":"https://access.redhat.com/errata/RHSA-2024:1668","reference_id":"RHSA-2024:1668","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2024:1668"},{"reference_url":"https://access.redhat.com/errata/RHSA-2024:1679","reference_id":"RHSA-2024:1679","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2024:1679"},{"reference_url":"https://access.redhat.com/errata/RHSA-2024:1681","reference_id":"RHSA-2024:1681","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2024:1681"},{"reference_url":"https://access.redhat.com/errata/RHSA-2024:1683","reference_id":"RHSA-2024:1683","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2024:1683"},{"reference_url":"https://access.redhat.com/errata/RHSA-2024:1892","reference_id":"RHSA-2024:1892","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2024:1892"},{"reference_url":"https://access.redhat.com/errata/RHSA-2024:1899","reference_id":"RHSA-2024:1899","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2024:1899"},{"reference_url":"https://access.redhat.com/errata/RHSA-2024:1962","reference_id":"RHSA-2024:1962","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2024:1962"},{"reference_url":"https://access.redhat.com/errata/RHSA-2024:1963","reference_id":"RHSA-2024:1963","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2024:1963"},{"reference_url":"https://access.redhat.com/errata/RHSA-2024:2060","reference_id":"RHSA-2024:2060","reference_type":"","scores":[],"url":"http
s://access.redhat.com/errata/RHSA-2024:2060"},{"reference_url":"https://access.redhat.com/errata/RHSA-2024:2062","reference_id":"RHSA-2024:2062","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2024:2062"},{"reference_url":"https://access.redhat.com/errata/RHSA-2024:2068","reference_id":"RHSA-2024:2068","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2024:2068"},{"reference_url":"https://access.redhat.com/errata/RHSA-2024:2079","reference_id":"RHSA-2024:2079","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2024:2079"},{"reference_url":"https://access.redhat.com/errata/RHSA-2024:2625","reference_id":"RHSA-2024:2625","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2024:2625"},{"reference_url":"https://access.redhat.com/errata/RHSA-2024:2664","reference_id":"RHSA-2024:2664","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2024:2664"},{"reference_url":"https://access.redhat.com/errata/RHSA-2024:2667","reference_id":"RHSA-2024:2667","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2024:2667"},{"reference_url":"https://access.redhat.com/errata/RHSA-2024:2668","reference_id":"RHSA-2024:2668","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2024:2668"},{"reference_url":"https://access.redhat.com/errata/RHSA-2024:2671","reference_id":"RHSA-2024:2671","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2024:2671"},{"reference_url":"https://access.redhat.com/errata/RHSA-2024:2699","reference_id":"RHSA-2024:2699","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2024:2699"},{"reference_url":"https://access.redhat.com/errata/RHSA-2024:2724","reference_id":"RHSA-2024:2724","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2024:2724"},{"reference_url":"https://access.redhat.com/errata/RHSA-2024:2728","refere
nce_id":"RHSA-2024:2728","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2024:2728"},{"reference_url":"https://access.redhat.com/errata/RHSA-2024:2773","reference_id":"RHSA-2024:2773","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2024:2773"},{"reference_url":"https://access.redhat.com/errata/RHSA-2024:2865","reference_id":"RHSA-2024:2865","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2024:2865"},{"reference_url":"https://access.redhat.com/errata/RHSA-2024:2875","reference_id":"RHSA-2024:2875","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2024:2875"},{"reference_url":"https://access.redhat.com/errata/RHSA-2024:2892","reference_id":"RHSA-2024:2892","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2024:2892"},{"reference_url":"https://access.redhat.com/errata/RHSA-2024:2901","reference_id":"RHSA-2024:2901","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2024:2901"},{"reference_url":"https://access.redhat.com/errata/RHSA-2024:2929","reference_id":"RHSA-2024:2929","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2024:2929"},{"reference_url":"https://access.redhat.com/errata/RHSA-2024:2930","reference_id":"RHSA-2024:2930","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2024:2930"},{"reference_url":"https://access.redhat.com/errata/RHSA-2024:2932","reference_id":"RHSA-2024:2932","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2024:2932"},{"reference_url":"https://access.redhat.com/errata/RHSA-2024:2933","reference_id":"RHSA-2024:2933","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2024:2933"},{"reference_url":"https://access.redhat.com/errata/RHSA-2024:2935","reference_id":"RHSA-2024:2935","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2024:2935"},{"refe
rence_url":"https://access.redhat.com/errata/RHSA-2024:2936","reference_id":"RHSA-2024:2936","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2024:2936"},{"reference_url":"https://access.redhat.com/errata/RHSA-2024:2941","reference_id":"RHSA-2024:2941","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2024:2941"},{"reference_url":"https://access.redhat.com/errata/RHSA-2024:3259","reference_id":"RHSA-2024:3259","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2024:3259"},{"reference_url":"https://access.redhat.com/errata/RHSA-2024:3314","reference_id":"RHSA-2024:3314","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2024:3314"},{"reference_url":"https://access.redhat.com/errata/RHSA-2024:3315","reference_id":"RHSA-2024:3315","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2024:3315"},{"reference_url":"https://access.redhat.com/errata/RHSA-2024:3316","reference_id":"RHSA-2024:3316","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2024:3316"},{"reference_url":"https://access.redhat.com/errata/RHSA-2024:3327","reference_id":"RHSA-2024:3327","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2024:3327"},{"reference_url":"https://access.redhat.com/errata/RHSA-2024:3331","reference_id":"RHSA-2024:3331","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2024:3331"},{"reference_url":"https://access.redhat.com/errata/RHSA-2024:3346","reference_id":"RHSA-2024:3346","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2024:3346"},{"reference_url":"https://access.redhat.com/errata/RHSA-2024:3467","reference_id":"RHSA-2024:3467","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2024:3467"},{"reference_url":"https://access.redhat.com/errata/RHSA-2024:3479","reference_id":"RHSA-2024:3479","reference_type":"","scores
":[],"url":"https://access.redhat.com/errata/RHSA-2024:3479"},{"reference_url":"https://access.redhat.com/errata/RHSA-2024:3523","reference_id":"RHSA-2024:3523","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2024:3523"},{"reference_url":"https://access.redhat.com/errata/RHSA-2024:3621","reference_id":"RHSA-2024:3621","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2024:3621"},{"reference_url":"https://access.redhat.com/errata/RHSA-2024:3637","reference_id":"RHSA-2024:3637","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2024:3637"},{"reference_url":"https://access.redhat.com/errata/RHSA-2024:3680","reference_id":"RHSA-2024:3680","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2024:3680"},{"reference_url":"https://access.redhat.com/errata/RHSA-2024:3781","reference_id":"RHSA-2024:3781","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2024:3781"},{"reference_url":"https://access.redhat.com/errata/RHSA-2024:3885","reference_id":"RHSA-2024:3885","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2024:3885"},{"reference_url":"https://access.redhat.com/errata/RHSA-2024:3889","reference_id":"RHSA-2024:3889","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2024:3889"},{"reference_url":"https://access.redhat.com/errata/RHSA-2024:4006","reference_id":"RHSA-2024:4006","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2024:4006"},{"reference_url":"https://access.redhat.com/errata/RHSA-2024:4010","reference_id":"RHSA-2024:4010","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2024:4010"},{"reference_url":"https://access.redhat.com/errata/RHSA-2024:4023","reference_id":"RHSA-2024:4023","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2024:4023"},{"reference_url":"https://access.redhat.com/errata/RHSA-20
24:4034","reference_id":"RHSA-2024:4034","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2024:4034"},{"reference_url":"https://access.redhat.com/errata/RHSA-2024:4041","reference_id":"RHSA-2024:4041","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2024:4041"},{"reference_url":"https://access.redhat.com/errata/RHSA-2024:4125","reference_id":"RHSA-2024:4125","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2024:4125"},{"reference_url":"https://access.redhat.com/errata/RHSA-2024:4464","reference_id":"RHSA-2024:4464","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2024:4464"},{"reference_url":"https://access.redhat.com/errata/RHSA-2024:4484","reference_id":"RHSA-2024:4484","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2024:4484"},{"reference_url":"https://access.redhat.com/errata/RHSA-2024:4543","reference_id":"RHSA-2024:4543","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2024:4543"},{"reference_url":"https://access.redhat.com/errata/RHSA-2024:4545","reference_id":"RHSA-2024:4545","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2024:4545"},{"reference_url":"https://access.redhat.com/errata/RHSA-2024:4546","reference_id":"RHSA-2024:4546","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2024:4546"},{"reference_url":"https://access.redhat.com/errata/RHSA-2024:4631","reference_id":"RHSA-2024:4631","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2024:4631"},{"reference_url":"https://access.redhat.com/errata/RHSA-2024:4677","reference_id":"RHSA-2024:4677","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2024:4677"},{"reference_url":"https://access.redhat.com/errata/RHSA-2024:4933","reference_id":"RHSA-2024:4933","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-20
24:4933"},{"reference_url":"https://access.redhat.com/errata/RHSA-2024:4934","reference_id":"RHSA-2024:4934","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2024:4934"},{"reference_url":"https://access.redhat.com/errata/RHSA-2024:4982","reference_id":"RHSA-2024:4982","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2024:4982"},{"reference_url":"https://access.redhat.com/errata/RHSA-2024:5013","reference_id":"RHSA-2024:5013","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2024:5013"},{"reference_url":"https://access.redhat.com/errata/RHSA-2024:6004","reference_id":"RHSA-2024:6004","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2024:6004"},{"reference_url":"https://access.redhat.com/errata/RHSA-2024:6221","reference_id":"RHSA-2024:6221","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2024:6221"},{"reference_url":"https://access.redhat.com/errata/RHSA-2024:6642","reference_id":"RHSA-2024:6642","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2024:6642"},{"reference_url":"https://access.redhat.com/errata/RHSA-2024:6811","reference_id":"RHSA-2024:6811","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2024:6811"},{"reference_url":"https://access.redhat.com/errata/RHSA-2024:8235","reference_id":"RHSA-2024:8235","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2024:8235"},{"reference_url":"https://access.redhat.com/errata/RHSA-2024:8688","reference_id":"RHSA-2024:8688","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2024:8688"},{"reference_url":"https://access.redhat.com/errata/RHSA-2024:8692","reference_id":"RHSA-2024:8692","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2024:8692"},{"reference_url":"https://access.redhat.com/errata/RHSA-2025:0536","reference_id":"RHSA-2025:0536","reference_
type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2025:0536"},{"reference_url":"https://access.redhat.com/errata/RHSA-2025:0832","reference_id":"RHSA-2025:0832","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2025:0832"},{"reference_url":"https://access.redhat.com/errata/RHSA-2025:15828","reference_id":"RHSA-2025:15828","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2025:15828"},{"reference_url":"https://access.redhat.com/errata/RHSA-2025:4240","reference_id":"RHSA-2025:4240","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2025:4240"},{"reference_url":"https://usn.ubuntu.com/6886-1/","reference_id":"USN-6886-1","reference_type":"","scores":[],"url":"https://usn.ubuntu.com/6886-1/"},{"reference_url":"https://usn.ubuntu.com/7109-1/","reference_id":"USN-7109-1","reference_type":"","scores":[],"url":"https://usn.ubuntu.com/7109-1/"},{"reference_url":"https://usn.ubuntu.com/7111-1/","reference_id":"USN-7111-1","reference_type":"","scores":[],"url":"https://usn.ubuntu.com/7111-1/"}],"fixed_packages":[],"aliases":["CVE-2023-45288","GHSA-4v7x-pqxf-cx7m"],"risk_score":3.4,"exploitability":"0.5","weighted_severity":"6.8","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-aj2b-56uj-gkar"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/16667?format=json","vulnerability_id":"VCID-bq1t-9nnj-mkes","summary":"Go JOSE vulnerable to Improper Handling of Highly Compressed Data (Data Amplification)\n### Impact\nAn attacker could send a JWE containing compressed data that used large amounts of memory and CPU when decompressed by Decrypt or DecryptMulti. Those functions now return an error if the decompressed data would exceed 250kB or 10x the compressed size (whichever is larger). 
Thanks to Enze Wang@Alioth and Jianjun Chen@Zhongguancun Lab (@zer0yu and @chenjj) for reporting.\n\n### Patches\nThe problem is fixed in the following packages and versions:\n- github.com/go-jose/go-jose/v4 version 4.0.1\n- github.com/go-jose/go-jose/v3 version 3.0.3\n- gopkg.in/go-jose/go-jose.v2 version 2.6.3\n\nThe problem will not be fixed in the following package because the package is archived:\n- gopkg.in/square/go-jose.v2","references":[{"reference_url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2024-28180.json","reference_id":"","reference_type":"","scores":[{"value":"4.3","scoring_system":"cvssv3","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L"}],"url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2024-28180.json"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2024-28180","reference_id":"","reference_type":"","scores":[{"value":"0.04859","scoring_system":"epss","scoring_elements":"0.89651","published_at":"2026-05-16T12:55:00Z"},{"value":"0.04859","scoring_system":"epss","scoring_elements":"0.89652","published_at":"2026-05-15T12:55:00Z"},{"value":"0.04859","scoring_system":"epss","scoring_elements":"0.89641","published_at":"2026-05-14T12:55:00Z"},{"value":"0.04859","scoring_system":"epss","scoring_elements":"0.89621","published_at":"2026-05-12T12:55:00Z"},{"value":"0.04859","scoring_system":"epss","scoring_elements":"0.89513","published_at":"2026-04-02T12:55:00Z"},{"value":"0.04859","scoring_system":"epss","scoring_elements":"0.89612","published_at":"2026-05-11T12:55:00Z"},{"value":"0.04859","scoring_system":"epss","scoring_elements":"0.89615","published_at":"2026-05-09T12:55:00Z"},{"value":"0.04859","scoring_system":"epss","scoring_elements":"0.89602","published_at":"2026-05-07T12:55:00Z"},{"value":"0.04859","scoring_system":"epss","scoring_elements":"0.89584","published_at":"2026-05-05T12:55:00Z"},{"value":"0.04859","scoring_system":"epss","scoring_elements":"0.89577","published_at":"2026-04-2
9T12:55:00Z"},{"value":"0.04859","scoring_system":"epss","scoring_elements":"0.89573","published_at":"2026-04-24T12:55:00Z"},{"value":"0.04859","scoring_system":"epss","scoring_elements":"0.89559","published_at":"2026-04-21T12:55:00Z"},{"value":"0.04859","scoring_system":"epss","scoring_elements":"0.89563","published_at":"2026-04-18T12:55:00Z"},{"value":"0.04859","scoring_system":"epss","scoring_elements":"0.89561","published_at":"2026-04-16T12:55:00Z"},{"value":"0.04859","scoring_system":"epss","scoring_elements":"0.89547","published_at":"2026-04-13T12:55:00Z"},{"value":"0.04859","scoring_system":"epss","scoring_elements":"0.89552","published_at":"2026-04-12T12:55:00Z"},{"value":"0.04859","scoring_system":"epss","scoring_elements":"0.89553","published_at":"2026-04-11T12:55:00Z"},{"value":"0.04859","scoring_system":"epss","scoring_elements":"0.89545","published_at":"2026-04-09T12:55:00Z"},{"value":"0.04859","scoring_system":"epss","scoring_elements":"0.89542","published_at":"2026-04-08T12:55:00Z"},{"value":"0.04859","scoring_system":"epss","scoring_elements":"0.89526","published_at":"2026-04-07T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2024-28180"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-28180","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-28180"},{"reference_url":"https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml","reference_id":"","reference_type":"","scores":[{"value":"4.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L"}],"url":"https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml"},{"reference_url":"https://github.com/go-jose/go-jose","reference_id":"","reference_type":"","scores":[{"value":"4.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_element
s":""}],"url":"https://github.com/go-jose/go-jose"},{"reference_url":"https://github.com/go-jose/go-jose/commit/0dd4dd541c665fb292d664f77604ba694726f298","reference_id":"","reference_type":"","scores":[{"value":"4.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2024-03-11T15:08:38Z/"}],"url":"https://github.com/go-jose/go-jose/commit/0dd4dd541c665fb292d664f77604ba694726f298"},{"reference_url":"https://github.com/go-jose/go-jose/commit/add6a284ea0f844fd6628cba637be5451fe4b28a","reference_id":"","reference_type":"","scores":[{"value":"4.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2024-03-11T15:08:38Z/"}],"url":"https://github.com/go-jose/go-jose/commit/add6a284ea0f844fd6628cba637be5451fe4b28a"},{"reference_url":"https://github.com/go-jose/go-jose/commit/f4c051a0653d78199a053892f7619ebf96339502","reference_id":"","reference_type":"","scores":[{"value":"4.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2024-03-11T15:08:38Z/"}],"url":"https://github.com/go-jose/go-jose/commit/f4c051a0653d78199a053892f7619ebf96339502"},{"reference_url":"https://github.com/go-jose/go-jose/security/advisories/GHSA-c5q2-7r4c-mv6g","reference_id":"","reference_type":"","scores":[{"value":"4.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L"},{"value":"MODERATE","scoring_system":"gener
ic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2024-03-11T15:08:38Z/"}],"url":"https://github.com/go-jose/go-jose/security/advisories/GHSA-c5q2-7r4c-mv6g"},{"reference_url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/GD2GSBQTBLYADASUBHHZV2CZPTSLIPQJ","reference_id":"","reference_type":"","scores":[{"value":"4.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/GD2GSBQTBLYADASUBHHZV2CZPTSLIPQJ"},{"reference_url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/I6MMWFBOXJA6ZCXNVPDFJ4XMK5PVG5RG","reference_id":"","reference_type":"","scores":[{"value":"4.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/I6MMWFBOXJA6ZCXNVPDFJ4XMK5PVG5RG"},{"reference_url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/IJ6LAJJ2FTA2JVVOACCV5RZTOIZLXUNJ","reference_id":"","reference_type":"","scores":[{"value":"4.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/IJ6LAJJ2FTA2JVVOACCV5RZTOIZLXUNJ"},{"reference_url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/JNPMXL36YGS3GQEVI3Q5HKHJ7YAAQXL5","reference_id":"","reference_type":"","scores":[{"
value":"4.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/JNPMXL36YGS3GQEVI3Q5HKHJ7YAAQXL5"},{"reference_url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/KXKGNCRU7OTM5AHC7YIYBNOWI742PRMY","reference_id":"","reference_type":"","scores":[{"value":"4.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/KXKGNCRU7OTM5AHC7YIYBNOWI742PRMY"},{"reference_url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/MSOMHDKRPU3A2JEMRODT2IREDFBLVPGS","reference_id":"","reference_type":"","scores":[{"value":"4.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/MSOMHDKRPU3A2JEMRODT2IREDFBLVPGS"},{"reference_url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UG5FSEYJ3GP27FZXC5YAAMMEC5XWKJHG","reference_id":"","reference_type":"","scores":[{"value":"4.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UG5FSEYJ3GP27FZXC5YAAMMEC5XWKJHG"},{"reference_url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/
UJO2U5ACZVACNQXJ5EBRFLFW6DP5BROY","reference_id":"","reference_type":"","scores":[{"value":"4.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UJO2U5ACZVACNQXJ5EBRFLFW6DP5BROY"},{"reference_url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XJDO5VSIAOGT2WP63AXAAWNRSVJCNCRH","reference_id":"","reference_type":"","scores":[{"value":"4.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XJDO5VSIAOGT2WP63AXAAWNRSVJCNCRH"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2024-28180","reference_id":"","reference_type":"","scores":[{"value":"4.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2024-28180"},{"reference_url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1065814","reference_id":"1065814","reference_type":"","scores":[],"url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1065814"},{"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=2268854","reference_id":"2268854","reference_type":"","scores":[],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2268854"},{"reference_url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/GD2GSBQTBLYADASUBHHZV2CZPTSLIPQJ/","reference_id":"GD2GSBQTBLYADASUBHHZV2CZPTSLIPQJ","reference_type":"","scores":[{"value":"4.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/
S:U/C:N/I:N/A:L"},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2024-03-11T15:08:38Z/"}],"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/GD2GSBQTBLYADASUBHHZV2CZPTSLIPQJ/"},{"reference_url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/I6MMWFBOXJA6ZCXNVPDFJ4XMK5PVG5RG/","reference_id":"I6MMWFBOXJA6ZCXNVPDFJ4XMK5PVG5RG","reference_type":"","scores":[{"value":"4.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L"},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2024-03-11T15:08:38Z/"}],"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/I6MMWFBOXJA6ZCXNVPDFJ4XMK5PVG5RG/"},{"reference_url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/IJ6LAJJ2FTA2JVVOACCV5RZTOIZLXUNJ/","reference_id":"IJ6LAJJ2FTA2JVVOACCV5RZTOIZLXUNJ","reference_type":"","scores":[{"value":"4.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L"},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2024-03-11T15:08:38Z/"}],"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/IJ6LAJJ2FTA2JVVOACCV5RZTOIZLXUNJ/"},{"reference_url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/JNPMXL36YGS3GQEVI3Q5HKHJ7YAAQXL5/","reference_id":"JNPMXL36YGS3GQEVI3Q5HKHJ7YAAQXL5","reference_type":"","scores":[{"value":"4.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L"},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2024-03-11T15:08:38Z/"}],"url":"https://lists.fedoraproject.org/archives/list/package-announce@
lists.fedoraproject.org/message/JNPMXL36YGS3GQEVI3Q5HKHJ7YAAQXL5/"},{"reference_url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/KXKGNCRU7OTM5AHC7YIYBNOWI742PRMY/","reference_id":"KXKGNCRU7OTM5AHC7YIYBNOWI742PRMY","reference_type":"","scores":[{"value":"4.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L"},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2024-03-11T15:08:38Z/"}],"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/KXKGNCRU7OTM5AHC7YIYBNOWI742PRMY/"},{"reference_url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/MSOMHDKRPU3A2JEMRODT2IREDFBLVPGS/","reference_id":"MSOMHDKRPU3A2JEMRODT2IREDFBLVPGS","reference_type":"","scores":[{"value":"4.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L"},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2024-03-11T15:08:38Z/"}],"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/MSOMHDKRPU3A2JEMRODT2IREDFBLVPGS/"},{"reference_url":"https://access.redhat.com/errata/RHSA-2024:1456","reference_id":"RHSA-2024:1456","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2024:1456"},{"reference_url":"https://access.redhat.com/errata/RHSA-2024:1570","reference_id":"RHSA-2024:1570","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2024:1570"},{"reference_url":"https://access.redhat.com/errata/RHSA-2024:1812","reference_id":"RHSA-2024:1812","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2024:1812"},{"reference_url":"https://access.redhat.com/errata/RHSA-2024:1859","reference_id":"RHSA-2024:1859","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHS
A-2024:1859"},{"reference_url":"https://access.redhat.com/errata/RHSA-2024:1946","reference_id":"RHSA-2024:1946","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2024:1946"},{"reference_url":"https://access.redhat.com/errata/RHSA-2024:2054","reference_id":"RHSA-2024:2054","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2024:2054"},{"reference_url":"https://access.redhat.com/errata/RHSA-2024:2071","reference_id":"RHSA-2024:2071","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2024:2071"},{"reference_url":"https://access.redhat.com/errata/RHSA-2024:2096","reference_id":"RHSA-2024:2096","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2024:2096"},{"reference_url":"https://access.redhat.com/errata/RHSA-2024:2549","reference_id":"RHSA-2024:2549","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2024:2549"},{"reference_url":"https://access.redhat.com/errata/RHSA-2024:2639","reference_id":"RHSA-2024:2639","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2024:2639"},{"reference_url":"https://access.redhat.com/errata/RHSA-2024:2773","reference_id":"RHSA-2024:2773","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2024:2773"},{"reference_url":"https://access.redhat.com/errata/RHSA-2024:2776","reference_id":"RHSA-2024:2776","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2024:2776"},{"reference_url":"https://access.redhat.com/errata/RHSA-2024:2865","reference_id":"RHSA-2024:2865","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2024:2865"},{"reference_url":"https://access.redhat.com/errata/RHSA-2024:2869","reference_id":"RHSA-2024:2869","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2024:2869"},{"reference_url":"https://access.redhat.com/errata/RHSA-2024:2875","reference_id":"RHSA-2024:2875","refere
nce_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2024:2875"},{"reference_url":"https://access.redhat.com/errata/RHSA-2024:3327","reference_id":"RHSA-2024:3327","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2024:3327"},{"reference_url":"https://access.redhat.com/errata/RHSA-2024:3349","reference_id":"RHSA-2024:3349","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2024:3349"},{"reference_url":"https://access.redhat.com/errata/RHSA-2024:3351","reference_id":"RHSA-2024:3351","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2024:3351"},{"reference_url":"https://access.redhat.com/errata/RHSA-2024:3523","reference_id":"RHSA-2024:3523","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2024:3523"},{"reference_url":"https://access.redhat.com/errata/RHSA-2024:3826","reference_id":"RHSA-2024:3826","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2024:3826"},{"reference_url":"https://access.redhat.com/errata/RHSA-2024:3827","reference_id":"RHSA-2024:3827","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2024:3827"},{"reference_url":"https://access.redhat.com/errata/RHSA-2024:3968","reference_id":"RHSA-2024:3968","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2024:3968"},{"reference_url":"https://access.redhat.com/errata/RHSA-2024:4006","reference_id":"RHSA-2024:4006","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2024:4006"},{"reference_url":"https://access.redhat.com/errata/RHSA-2024:4010","reference_id":"RHSA-2024:4010","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2024:4010"},{"reference_url":"https://access.redhat.com/errata/RHSA-2024:4041","reference_id":"RHSA-2024:4041","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2024:4041"},{"reference_url":"https://access.redha
t.com/errata/RHSA-2024:4455","reference_id":"RHSA-2024:4455","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2024:4455"},{"reference_url":"https://access.redhat.com/errata/RHSA-2024:4484","reference_id":"RHSA-2024:4484","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2024:4484"},{"reference_url":"https://access.redhat.com/errata/RHSA-2024:6209","reference_id":"RHSA-2024:6209","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2024:6209"},{"reference_url":"https://access.redhat.com/errata/RHSA-2024:7179","reference_id":"RHSA-2024:7179","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2024:7179"},{"reference_url":"https://access.redhat.com/errata/RHSA-2024:8229","reference_id":"RHSA-2024:8229","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2024:8229"},{"reference_url":"https://access.redhat.com/errata/RHSA-2024:8235","reference_id":"RHSA-2024:8235","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2024:8235"},{"reference_url":"https://access.redhat.com/errata/RHSA-2024:8974","reference_id":"RHSA-2024:8974","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2024:8974"},{"reference_url":"https://access.redhat.com/errata/RHSA-2025:0536","reference_id":"RHSA-2025:0536","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2025:0536"},{"reference_url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UG5FSEYJ3GP27FZXC5YAAMMEC5XWKJHG/","reference_id":"UG5FSEYJ3GP27FZXC5YAAMMEC5XWKJHG","reference_type":"","scores":[{"value":"4.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L"},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2024-03-11T15:08:38Z/"}],"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists
.fedoraproject.org/message/UG5FSEYJ3GP27FZXC5YAAMMEC5XWKJHG/"},{"reference_url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UJO2U5ACZVACNQXJ5EBRFLFW6DP5BROY/","reference_id":"UJO2U5ACZVACNQXJ5EBRFLFW6DP5BROY","reference_type":"","scores":[{"value":"4.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L"},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2024-03-11T15:08:38Z/"}],"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UJO2U5ACZVACNQXJ5EBRFLFW6DP5BROY/"},{"reference_url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XJDO5VSIAOGT2WP63AXAAWNRSVJCNCRH/","reference_id":"XJDO5VSIAOGT2WP63AXAAWNRSVJCNCRH","reference_type":"","scores":[{"value":"4.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L"},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2024-03-11T15:08:38Z/"}],"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XJDO5VSIAOGT2WP63AXAAWNRSVJCNCRH/"}],"fixed_packages":[],"aliases":["CVE-2024-28180","GHSA-c5q2-7r4c-mv6g"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-bq1t-9nnj-mkes"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/12632?format=json","vulnerability_id":"VCID-jwrn-5t32-3fbq","summary":"Cosign malicious artifacts can cause machine-wide DoS\nMaliciously-crafted software artifacts can cause denial of service of the machine running Cosign, thereby impacting all services on the machine. The root cause is that Cosign creates slices based on the number of signatures, manifests or attestations in untrusted artifacts. 
As such, the untrusted artifact can control the amount of memory that Cosign allocates.  \n\nAs an example, these lines demonstrate the problem:\n\nhttps://github.com/sigstore/cosign/blob/286a98a4a99c1b2f32f84b0d560e324100312280/pkg/oci/remote/signatures.go#L56-L70 \n\nThis `Get()` method gets the manifest of the image, allocates a slice equal to the length of the layers in the manifest, loops through the layers and adds a new signature to the slice.\n\nThe exact issue is Cosign allocates excessive memory on the lines that creates a slice of the same length as the manifests. \n\n## Remediation\n\nUpdate to the latest version of Cosign, where the number of attestations, signatures and manifests has been limited to a reasonable value.\n\n## Cosign PoC\n\nIn the case of this API (also referenced above):\n\nhttps://github.com/sigstore/cosign/blob/286a98a4a99c1b2f32f84b0d560e324100312280/pkg/oci/remote/signatures.go#L56-L70\n\n… The first line can contain a length that is safe for the system and will not throw a runtime panic or be blocked by other safety mechanisms. For the sake of argument, let’s say that the length of `m, err := s.Manifest()` is the max allowed (by the machine without throwing OOM panics) manifests minus 1. 
When Cosign then allocates a new slice on this line: `signatures := make([]oci.Signature, 0, len(m.Layers))`, Cosign will allocate more memory than is available and the machine will be denied service, causing Cosign and all other services on the machine to be unavailable.\n\nTo illustrate the issue here, we run a modified version of `TestSignedImageIndex()` in `pkg/oci/remote`:\n\nhttps://github.com/sigstore/cosign/blob/14795db16417579fac0c00c11e166868d7976b61/pkg/oci/remote/index_test.go#L31-L57\n\nHere, `wantLayers` is the number of manifests from these lines:\n\nhttps://github.com/sigstore/cosign/blob/286a98a4a99c1b2f32f84b0d560e324100312280/pkg/oci/remote/signatures.go#L56-L60\n\nTo test this, we want to make `wantLayers` high enough not to cause an OOM on its own but still trigger the machine-wide OOM when a slice gets created with the same length. On my local machine, it would take hours to create a slice of layers that fulfils that criterion, so instead I modify the Cosign production code to reflect a long list of manifests:\n\n```golang\n// Get implements oci.Signatures\nfunc (s *sigs) Get() ([]oci.Signature, error) {\n        m, err := s.Manifest()\n        if err != nil {\n                return nil, err\n        }\n        // Here we imitate a long list of manifests\n        ms := make([]byte, 2600000000) // imitate a long list of manifests\n        signatures := make([]oci.Signature, 0, len(ms))\n        panic(\"Done\")\n        //signatures := make([]oci.Signature, 0, len(m.Layers))\n        for _, desc := range m.Layers {\n```\n\nWith this modified code, if we can cause an OOM without triggering the `panic(\"Done\")`, we have 
succeeded.","references":[{"reference_url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2024-29903.json","reference_id":"","reference_type":"","scores":[{"value":"4.2","scoring_system":"cvssv3","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:N/I:N/A:H"}],"url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2024-29903.json"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2024-29903","reference_id":"","reference_type":"","scores":[{"value":"0.00529","scoring_system":"epss","scoring_elements":"0.67235","published_at":"2026-04-09T12:55:00Z"},{"value":"0.00529","scoring_system":"epss","scoring_elements":"0.67254","published_at":"2026-04-24T12:55:00Z"},{"value":"0.00529","scoring_system":"epss","scoring_elements":"0.67265","published_at":"2026-04-26T12:55:00Z"},{"value":"0.00529","scoring_system":"epss","scoring_elements":"0.67241","published_at":"2026-04-16T12:55:00Z"},{"value":"0.00529","scoring_system":"epss","scoring_elements":"0.67207","published_at":"2026-04-13T12:55:00Z"},{"value":"0.00529","scoring_system":"epss","scoring_elements":"0.67234","published_at":"2026-04-21T12:55:00Z"},{"value":"0.0055","scoring_system":"epss","scoring_elements":"0.67938","published_at":"2026-04-04T12:55:00Z"},{"value":"0.0055","scoring_system":"epss","scoring_elements":"0.67968","published_at":"2026-04-08T12:55:00Z"},{"value":"0.0055","scoring_system":"epss","scoring_elements":"0.67917","published_at":"2026-04-07T12:55:00Z"},{"value":"0.0055","scoring_system":"epss","scoring_elements":"0.67919","published_at":"2026-04-02T12:55:00Z"},{"value":"0.00717","scoring_system":"epss","scoring_elements":"0.72517","published_at":"2026-05-09T12:55:00Z"},{"value":"0.00717","scoring_system":"epss","scoring_elements":"0.72479","published_at":"2026-05-11T12:55:00Z"},{"value":"0.00717","scoring_system":"epss","scoring_elements":"0.72506","published_at":"2026-05-12T12:55:00Z"},{"value":"0.00717","scoring_system":"epss","scoring_elements":"0.72562","publishe
d_at":"2026-05-14T12:55:00Z"},{"value":"0.00717","scoring_system":"epss","scoring_elements":"0.72569","published_at":"2026-05-15T12:55:00Z"},{"value":"0.00717","scoring_system":"epss","scoring_elements":"0.72579","published_at":"2026-05-16T12:55:00Z"},{"value":"0.00717","scoring_system":"epss","scoring_elements":"0.72462","published_at":"2026-05-05T12:55:00Z"},{"value":"0.00717","scoring_system":"epss","scoring_elements":"0.7247","published_at":"2026-04-29T12:55:00Z"},{"value":"0.00717","scoring_system":"epss","scoring_elements":"0.72492","published_at":"2026-05-07T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2024-29903"},{"reference_url":"https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml","reference_id":"","reference_type":"","scores":[{"value":"4.2","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:N/I:N/A:H"}],"url":"https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml"},{"reference_url":"https://github.com/sigstore/cosign","reference_id":"","reference_type":"","scores":[{"value":"4.2","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:N/I:N/A:H"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/sigstore/cosign"},{"reference_url":"https://github.com/sigstore/cosign/blob/14795db16417579fac0c00c11e166868d7976b61/pkg/cosign/verify.go#L948-L955","reference_id":"","reference_type":"","scores":[{"value":"4.2","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:N/I:N/A:H"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2024-07-03T15:22:56Z/"}],"url":"https://github.com/sigstore/cosign/blob/14795db16417579fac0c00c11e166868d7976b61/pkg/cosign/verify.go#L948-L955"},{"reference_url":"https://github.com/sigstore/cosign/blob/286a98a4a99c1b2f32f84b0
d560e324100312280/pkg/oci/remote/signatures.go#L56-L70","reference_id":"","reference_type":"","scores":[{"value":"4.2","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:N/I:N/A:H"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2024-07-03T15:22:56Z/"}],"url":"https://github.com/sigstore/cosign/blob/286a98a4a99c1b2f32f84b0d560e324100312280/pkg/oci/remote/signatures.go#L56-L70"},{"reference_url":"https://github.com/sigstore/cosign/commit/629f5f8fa672973503edde75f84dcd984637629e","reference_id":"","reference_type":"","scores":[{"value":"4.2","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:N/I:N/A:H"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2024-07-03T15:22:56Z/"}],"url":"https://github.com/sigstore/cosign/commit/629f5f8fa672973503edde75f84dcd984637629e"},{"reference_url":"https://github.com/sigstore/cosign/releases/tag/v2.2.4","reference_id":"","reference_type":"","scores":[{"value":"4.2","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:N/I:N/A:H"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2024-07-03T15:22:56Z/"}],"url":"https://github.com/sigstore/cosign/releases/tag/v2.2.4"},{"reference_url":"https://github.com/sigstore/cosign/security/advisories/GHSA-95pr-fxf5-86gv","reference_id":"","reference_type":"","scores":[{"value":"4.2","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:N/I:N/A:H"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:P/P:M/
B:A/M:M/D:T/2024-07-03T15:22:56Z/"}],"url":"https://github.com/sigstore/cosign/security/advisories/GHSA-95pr-fxf5-86gv"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2024-29903","reference_id":"","reference_type":"","scores":[{"value":"4.2","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:N/I:N/A:H"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2024-29903"},{"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=2274504","reference_id":"2274504","reference_type":"","scores":[],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2274504"},{"reference_url":"https://access.redhat.com/errata/RHSA-2024:4836","reference_id":"RHSA-2024:4836","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2024:4836"}],"fixed_packages":[],"aliases":["CVE-2024-29903","GHSA-95pr-fxf5-86gv"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-jwrn-5t32-3fbq"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/12783?format=json","vulnerability_id":"VCID-q1ze-sun1-xkah","summary":"Cosign malicious attachments can cause system-wide denial of service\n### Summary\nA remote image with a malicious attachment can cause denial of service of the host machine running Cosign. This can impact other services on the machine that rely on having memory available such as a Redis database which can result in data loss. It can also impact the availability of other services on the machine that will not be available for the duration of the machine denial.\n\n### Details\nThe root cause of this issue is that Cosign reads the attachment from a remote image entirely into memory without checking the size of the attachment first. 
As such, a large attachment can make Cosign read a large attachment into memory; If the attachments size is larger than the machine has memory available, the machine will be denied of service. The Go runtime will make a `SIGKILL` after a few seconds of system-wide denial.\n\nThe root cause is that Cosign reads the contents of the attachments entirely into memory on line 238 below:\n\nhttps://github.com/sigstore/cosign/blob/9bc3ee309bf35d2f6e17f5d23f231a3d8bf580bc/pkg/oci/remote/remote.go#L228-L239\n\n...and prior to that, neither Cosign nor go-containerregistry checks the size of the attachment and enforces a max cap. In the case of a remote layer of `f *attached`, go-containerregistry will invoke this API:\n\nhttps://github.com/google/go-containerregistry/blob/a0658aa1d0cc7a7f1bcc4a3af9155335b6943f40/pkg/v1/remote/layer.go#L36-L40\n```golang\nfunc (rl *remoteLayer) Compressed() (io.ReadCloser, error) {\n\t// We don't want to log binary layers -- this can break terminals.\n\tctx := redact.NewContext(rl.ctx, \"omitting binary blobs from logs\")\n\treturn rl.fetcher.fetchBlob(ctx, verify.SizeUnknown, rl.digest)\n}\n```\n\nNotice that the second argument to `rl.fetcher.fetchBlob` is `verify.SizeUnknown` which results in not using the `io.LimitReader` in `verify.ReadCloser`:\nhttps://github.com/google/go-containerregistry/blob/a0658aa1d0cc7a7f1bcc4a3af9155335b6943f40/internal/verify/verify.go#L82-L100\n```golang\nfunc ReadCloser(r io.ReadCloser, size int64, h v1.Hash) (io.ReadCloser, error) {\n\tw, err := v1.Hasher(h.Algorithm)\n\tif err != nil {\n\t\treturn nil, err\n\t}\n\tr2 := io.TeeReader(r, w) // pass all writes to the hasher.\n\tif size != SizeUnknown {\n\t\tr2 = io.LimitReader(r2, size) // if we know the size, limit to that size.\n\t}\n\treturn &and.ReadCloser{\n\t\tReader: &verifyReader{\n\t\t\tinner:    r2,\n\t\t\thasher:   w,\n\t\t\texpected: h,\n\t\t\twantSize: size,\n\t\t},\n\t\tCloseFunc: r.Close,\n\t}, nil\n}\n```\n\n### Impact\nThis issue can allow a 
supply-chain escalation from a compromised registry to the Cosign user: If an attacker has compromised a registry or the account of an image vendor, they can include a malicious attachment and hurt the image consumer. \n\n### Remediation\nUpdate to the latest version of Cosign, which limits the number of attachments. An environment variable can override this value.","references":[{"reference_url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2024-29902.json","reference_id":"","reference_type":"","scores":[{"value":"4.2","scoring_system":"cvssv3","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:N/I:N/A:H"}],"url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2024-29902.json"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2024-29902","reference_id":"","reference_type":"","scores":[{"value":"0.0021","scoring_system":"epss","scoring_elements":"0.43262","published_at":"2026-05-16T12:55:00Z"},{"value":"0.0021","scoring_system":"epss","scoring_elements":"0.43405","published_at":"2026-04-04T12:55:00Z"},{"value":"0.0021","scoring_system":"epss","scoring_elements":"0.43343","published_at":"2026-04-07T12:55:00Z"},{"value":"0.0021","scoring_system":"epss","scoring_elements":"0.43393","published_at":"2026-04-08T12:55:00Z"},{"value":"0.0021","scoring_system":"epss","scoring_elements":"0.43407","published_at":"2026-04-09T12:55:00Z"},{"value":"0.0021","scoring_system":"epss","scoring_elements":"0.43426","published_at":"2026-04-11T12:55:00Z"},{"value":"0.0021","scoring_system":"epss","scoring_elements":"0.43395","published_at":"2026-04-12T12:55:00Z"},{"value":"0.0021","scoring_system":"epss","scoring_elements":"0.4338","published_at":"2026-04-13T12:55:00Z"},{"value":"0.0021","scoring_system":"epss","scoring_elements":"0.43439","published_at":"2026-04-16T12:55:00Z"},{"value":"0.0021","scoring_system":"epss","scoring_elements":"0.43428","published_at":"2026-04-18T12:55:00Z"},{"value":"0.0021","scoring_system":"epss","scoring_elements":"0.
43362","published_at":"2026-04-21T12:55:00Z"},{"value":"0.0021","scoring_system":"epss","scoring_elements":"0.43292","published_at":"2026-04-24T12:55:00Z"},{"value":"0.0021","scoring_system":"epss","scoring_elements":"0.43294","published_at":"2026-04-26T12:55:00Z"},{"value":"0.0021","scoring_system":"epss","scoring_elements":"0.43216","published_at":"2026-04-29T12:55:00Z"},{"value":"0.0021","scoring_system":"epss","scoring_elements":"0.43086","published_at":"2026-05-05T12:55:00Z"},{"value":"0.0021","scoring_system":"epss","scoring_elements":"0.43162","published_at":"2026-05-07T12:55:00Z"},{"value":"0.0021","scoring_system":"epss","scoring_elements":"0.43178","published_at":"2026-05-09T12:55:00Z"},{"value":"0.0021","scoring_system":"epss","scoring_elements":"0.43118","published_at":"2026-05-11T12:55:00Z"},{"value":"0.0021","scoring_system":"epss","scoring_elements":"0.43148","published_at":"2026-05-12T12:55:00Z"},{"value":"0.0021","scoring_system":"epss","scoring_elements":"0.43211","published_at":"2026-05-14T12:55:00Z"},{"value":"0.0021","scoring_system":"epss","scoring_elements":"0.43231","published_at":"2026-05-15T12:55:00Z"},{"value":"0.0021","scoring_system":"epss","scoring_elements":"0.43377","published_at":"2026-04-02T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2024-29902"},{"reference_url":"https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml","reference_id":"","reference_type":"","scores":[{"value":"4.2","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:N/I:N/A:H"}],"url":"https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml"},{"reference_url":"https://github.com/google/go-containerregistry/blob/a0658aa1d0cc7a7f1bcc4a3af9155335b6943f40/pkg/v1/remote/layer.go#L36-L40","reference_id":"","reference_type":"","scores":[{"value":"4.2","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:N/I:N/A:H"},{"value":"MODERATE","scoring_system":"generic_textua
l","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2024-06-03T14:13:43Z/"}],"url":"https://github.com/google/go-containerregistry/blob/a0658aa1d0cc7a7f1bcc4a3af9155335b6943f40/pkg/v1/remote/layer.go#L36-L40"},{"reference_url":"https://github.com/sigstore/cosign","reference_id":"","reference_type":"","scores":[{"value":"4.2","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:N/I:N/A:H"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/sigstore/cosign"},{"reference_url":"https://github.com/sigstore/cosign/blob/9bc3ee309bf35d2f6e17f5d23f231a3d8bf580bc/pkg/oci/remote/remote.go#L228-L239","reference_id":"","reference_type":"","scores":[{"value":"4.2","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:N/I:N/A:H"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2024-06-03T14:13:43Z/"}],"url":"https://github.com/sigstore/cosign/blob/9bc3ee309bf35d2f6e17f5d23f231a3d8bf580bc/pkg/oci/remote/remote.go#L228-L239"},{"reference_url":"https://github.com/sigstore/cosign/commit/629f5f8fa672973503edde75f84dcd984637629e","reference_id":"","reference_type":"","scores":[{"value":"4.2","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:N/I:N/A:H"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2024-06-03T14:13:43Z/"}],"url":"https://github.com/sigstore/cosign/commit/629f5f8fa672973503edde75f84dcd984637629e"},{"reference_url":"https://github.com/sigstore/cosign/releases/tag/v2.2.4","reference_id":"","reference_type":"","scores":[{"value":"4.2","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U
/C:N/I:N/A:H"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2024-06-03T14:13:43Z/"}],"url":"https://github.com/sigstore/cosign/releases/tag/v2.2.4"},{"reference_url":"https://github.com/sigstore/cosign/security/advisories/GHSA-88jx-383q-w4qc","reference_id":"","reference_type":"","scores":[{"value":"4.2","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:N/I:N/A:H"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2024-06-03T14:13:43Z/"}],"url":"https://github.com/sigstore/cosign/security/advisories/GHSA-88jx-383q-w4qc"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2024-29902","reference_id":"","reference_type":"","scores":[{"value":"4.2","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:N/I:N/A:H"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2024-29902"},{"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=2274508","reference_id":"2274508","reference_type":"","scores":[],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2274508"},{"reference_url":"https://access.redhat.com/errata/RHSA-2024:4836","reference_id":"RHSA-2024:4836","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2024:4836"}],"fixed_packages":[],"aliases":["CVE-2024-29902","GHSA-88jx-383q-w4qc"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-q1ze-sun1-xkah"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/16720?format=json","vulnerability_id":"VCID-sajm-cnn5-jqac","summary":"Go SDK for CloudEvents's use of WithRoundTripper to create a Client leaks credentials\n### 
Impact\n_What kind of vulnerability is it? Who is impacted?_\nUsing cloudevents.WithRoundTripper to create a cloudevents.Client with an authenticated http.RoundTripper causes the go-sdk to leak credentials to arbitrary endpoints.\n\nThe relevant code is [here](https://github.com/cloudevents/sdk-go/blob/67e389964131d55d65cd14b4eb32d57a47312695/v2/protocol/http/protocol.go#L104-L110) (also inline, emphasis added):\n\n<pre>if p.Client == nil {\n  p.Client = **http.DefaultClient**\n}\n\nif p.roundTripper != nil {\n  p.Client.**Transport = p.roundTripper**\n}\n</pre>\n\nWhen the transport is populated with an authenticated transport such as:\n- [oauth2.Transport](https://pkg.go.dev/golang.org/x/oauth2#Transport)\n- [idtoken.NewClient(...).Transport](https://pkg.go.dev/google.golang.org/api/idtoken#NewClient)\n\n... then the package-global http.DefaultClient (a pointer shared by every caller of http.Get/http.Post and any other code in the process that reuses it) is mutated in place rather than copied, so its Transport becomes the authenticated one and it will start to send Authorization tokens to\n**any endpoint** it is used to contact, not only the CloudEvents target.\n\nFound and patched by: @tcnghia and @mattmoor\n\n### 
Patches\nv.2.15.2","references":[{"reference_url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2024-28110.json","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N"}],"url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2024-28110.json"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2024-28110","reference_id":"","reference_type":"","scores":[{"value":"0.00137","scoring_system":"epss","scoring_elements":"0.33199","published_at":"2026-05-16T12:55:00Z"},{"value":"0.00137","scoring_system":"epss","scoring_elements":"0.33408","published_at":"2026-04-21T12:55:00Z"},{"value":"0.00137","scoring_system":"epss","scoring_elements":"0.33252","published_at":"2026-04-24T12:55:00Z"},{"value":"0.00137","scoring_system":"epss","scoring_elements":"0.33235","published_at":"2026-04-26T12:55:00Z"},{"value":"0.00137","scoring_system":"epss","scoring_elements":"0.33156","published_at":"2026-04-29T12:55:00Z"},{"value":"0.00137","scoring_system":"epss","scoring_elements":"0.33042","published_at":"2026-05-05T12:55:00Z"},{"value":"0.00137","scoring_system":"epss","scoring_elements":"0.33111","published_at":"2026-05-07T12:55:00Z"},{"value":"0.00137","scoring_system":"epss","scoring_elements":"0.3315","published_at":"2026-05-09T12:55:00Z"},{"value":"0.00137","scoring_system":"epss","scoring_elements":"0.33061","published_at":"2026-05-11T12:55:00Z"},{"value":"0.00137","scoring_system":"epss","scoring_elements":"0.33086","published_at":"2026-05-12T12:55:00Z"},{"value":"0.00137","scoring_system":"epss","scoring_elements":"0.33166","published_at":"2026-05-14T12:55:00Z"},{"value":"0.00137","scoring_system":"epss","scoring_elements":"0.33192","published_at":"2026-05-15T12:55:00Z"},{"value":"0.00137","scoring_system":"epss","scoring_elements":"0.33539","published_at":"2026-04-02T12:55:00Z"},{"value":"0.00137","scoring_system":"epss","scoring_elements":"0.33572"
,"published_at":"2026-04-04T12:55:00Z"},{"value":"0.00137","scoring_system":"epss","scoring_elements":"0.33412","published_at":"2026-04-07T12:55:00Z"},{"value":"0.00137","scoring_system":"epss","scoring_elements":"0.33455","published_at":"2026-04-08T12:55:00Z"},{"value":"0.00137","scoring_system":"epss","scoring_elements":"0.3349","published_at":"2026-04-09T12:55:00Z"},{"value":"0.00137","scoring_system":"epss","scoring_elements":"0.33493","published_at":"2026-04-11T12:55:00Z"},{"value":"0.00137","scoring_system":"epss","scoring_elements":"0.33452","published_at":"2026-04-12T12:55:00Z"},{"value":"0.00137","scoring_system":"epss","scoring_elements":"0.33428","published_at":"2026-04-13T12:55:00Z"},{"value":"0.00137","scoring_system":"epss","scoring_elements":"0.33464","published_at":"2026-04-16T12:55:00Z"},{"value":"0.00137","scoring_system":"epss","scoring_elements":"0.33439","published_at":"2026-04-18T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2024-28110"},{"reference_url":"https://github.com/cloudevents/sdk-go","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/cloudevents/sdk-go"},{"reference_url":"https://github.com/cloudevents/sdk-go/blob/67e389964131d55d65cd14b4eb32d57a47312695/v2/protocol/http/protocol.go#L104-L110","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-03-07T16:39:07Z/"}],"url":"https://github.com/cloudevents/sdk-go/blob/67e389964131d55d65cd14b4eb32d57a47312695/v2/protocol/http/protocol.go#L104-L110"},{"reference_url":"https://github.com/cloudeve
nts/sdk-go/commit/de2f28370b0d2a0f64f92c0c6139fa4b8a7c3851","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-03-07T16:39:07Z/"}],"url":"https://github.com/cloudevents/sdk-go/commit/de2f28370b0d2a0f64f92c0c6139fa4b8a7c3851"},{"reference_url":"https://github.com/cloudevents/sdk-go/security/advisories/GHSA-5pf6-2qwx-pxm2","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-03-07T16:39:07Z/"}],"url":"https://github.com/cloudevents/sdk-go/security/advisories/GHSA-5pf6-2qwx-pxm2"},{"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=2268372","reference_id":"2268372","reference_type":"","scores":[],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2268372"},{"reference_url":"https://access.redhat.com/errata/RHSA-2024:0040","reference_id":"RHSA-2024:0040","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2024:0040"},{"reference_url":"https://access.redhat.com/errata/RHSA-2024:1333","reference_id":"RHSA-2024:1333","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2024:1333"}],"fixed_packages":[],"aliases":["CVE-2024-28110","GHSA-5pf6-2qwx-pxm2"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-sajm-cnn5-jqac"}],"fixing_vulnerabilities":[],"risk_score":"4.0","resource_url":"http://public2.vulnerablecode.io/packages/pkg:rpm/redhat/openshift-pipelines-client@1.15.0-11496%3Far
ch=el8"}