GHSA-WFQX-GJRF-G28R
go · github.com/crossplane/crossplane/v2
Summary
Crossplane: Signature verification TOCTOU allows installing unverified package content via mutable tag
References
Related vulnerabilities
All Supply chain →- MEDIUMGHSA-WVRH-2F4M-924V
ChatterBot: Symlink-Following Arbitrary Write via UbuntuCorpusTrainer
- HIGHGHSA-M4W9-HJFW-VWJ4
http4k: `HmacSha256.hash` (despite the `Hmac` naming) computed a plain unkeyed digest; clarified by deprecation in favour of `Sha256.hash` / `Sha256.hmac`
- HIGHGHSA-GQV6-PWCG-87R8
CoreWCF: XML Signature Wrapping in WS-Security endorsing/supporting signature verification allows replay of captured signed messages
- HIGHGHSA-48PQ-2XQ3-C2M4
CoreWCF: SAML SubjectConfirmation methods and holder-of-key proof keys are not enforced
- MEDIUMGHSA-6JJ2-4Q5C-X8G6
CoreWCF NetNamedPipe transport accepts attach to a pre-existing named pipe instance
- HIGHGHSA-RPJ7-HR7H-W6P9
CoreWCF: SamlSerializer skips SignatureValue verification when SAML signing token is not an X.509 certificate