Search CVE reports
1 – 6 of 6 results
The tokenizer incorrectly interprets tags with unquoted attribute values that end with a solidus character (/) as self-closing. When directly using Tokenizer, this can result in such tags incorrectly being marked as self-closing,...
7 affected packages
golang-golang-x-net, google-guest-agent, containerd, golang-golang-x-net-dev, adsys...
Package | 24.04 LTS | 22.04 LTS | 20.04 LTS | 18.04 LTS |
---|---|---|---|---|
golang-golang-x-net | Needs evaluation | Needs evaluation | Not in release | Not in release |
google-guest-agent | Not affected | Not affected | Not affected | Not affected |
containerd | Needs evaluation | Needs evaluation | Needs evaluation | Needs evaluation |
golang-golang-x-net-dev | Not in release | Not in release | Needs evaluation | Needs evaluation |
adsys | Needs evaluation | Needs evaluation | Needs evaluation | — |
juju-core | — | — | — | — |
lxd | — | — | Needs evaluation | Needs evaluation |
Some fixes available 11 of 13
An attacker can craft an input to the Parse functions that would be processed non-linearly with respect to its length, resulting in extremely slow parsing. This could cause a denial of service.
7 affected packages
lxd, adsys, golang-golang-x-net, golang-golang-x-net-dev, juju-core...
Package | 24.04 LTS | 22.04 LTS | 20.04 LTS | 18.04 LTS |
---|---|---|---|---|
lxd | Not in release | Not in release | Not affected | Not affected |
adsys | Fixed | Fixed | Fixed | — |
golang-golang-x-net | Fixed | Fixed | Not in release | — |
golang-golang-x-net-dev | Not in release | Not in release | Fixed | Fixed |
juju-core | Not in release | Not in release | Not in release | — |
containerd | Not affected | Not affected | Not affected | Not affected |
google-guest-agent | Not affected | Not affected | Not affected | Not affected |
An authenticated user who has read access to the juju controller model may construct a remote request to download an arbitrary file from the controller's filesystem.
2 affected packages
juju-core, juju
Package | 24.04 LTS | 22.04 LTS | 20.04 LTS | 18.04 LTS |
---|---|---|---|---|
juju-core | Not in release | Not in release | Not in release | — |
juju | — | — | — | — |
jwt-go before 4.0.0-preview1 allows attackers to bypass intended access restrictions in situations with []string{} for m["aud"] (which is allowed by the specification). Because the type assertion fails, "" is the value of aud....
4 affected packages
golang-github-dgrijalva-jwt-go, telegraf, golang-github-coreos-discovery-etcd-io, juju-core
Package | 24.04 LTS | 22.04 LTS | 20.04 LTS | 18.04 LTS |
---|---|---|---|---|
golang-github-dgrijalva-jwt-go | Not in release | Not affected | Needs evaluation | Needs evaluation |
telegraf | Not in release | Needs evaluation | Not in release | Not in release |
golang-github-coreos-discovery-etcd-io | Needs evaluation | Needs evaluation | Needs evaluation | Not in release |
juju-core | Not in release | Not in release | Not in release | Not in release |
Juju before 1.25.12, 2.0.x before 2.0.4, and 2.1.x before 2.1.3 uses a UNIX domain socket without setting appropriate permissions, allowing privilege escalation by users on the system to root.
2 affected packages
juju-core, juju-core-1
Package | 24.04 LTS | 22.04 LTS | 20.04 LTS | 18.04 LTS |
---|---|---|---|---|
juju-core | — | — | — | — |
juju-core-1 | — | — | — | — |
Juju Core's Joyent provider before version 1.25.5 uploads the user's private SSH key.
1 affected package
juju-core
Package | 24.04 LTS | 22.04 LTS | 20.04 LTS | 18.04 LTS |
---|---|---|---|---|
juju-core | — | — | — | — |