Search CVE reports
1 – 10 of 18 results
CVE-2024-45338
Medium priorityAn attacker can craft an input to the Parse functions that would be processed non-linearly with respect to its length, resulting in extremely slow parsing. This could cause a denial of service.
7 affected packages
adsys, containerd, golang-golang-x-net, golang-golang-x-net-dev, google-guest-agent...
| Package | 24.04 LTS | 22.04 LTS | 20.04 LTS | 18.04 LTS | 16.04 LTS |
|---|---|---|---|---|---|
| adsys | Needs evaluation | Needs evaluation | Needs evaluation | — | — |
| containerd | Needs evaluation | Needs evaluation | Needs evaluation | Needs evaluation | Needs evaluation |
| golang-golang-x-net | Needs evaluation | Needs evaluation | Not in release | — | — |
| golang-golang-x-net-dev | Not in release | Not in release | Needs evaluation | Needs evaluation | Needs evaluation |
| google-guest-agent | Needs evaluation | Needs evaluation | Needs evaluation | Needs evaluation | Needs evaluation |
| juju-core | Not in release | Not in release | Not in release | — | Needs evaluation |
| lxd | Not in release | Not in release | Needs evaluation | Needs evaluation | Needs evaluation |
CVE-2024-45337
Medium priorityApplications and libraries which misuse the ServerConfig.PublicKeyCallback callback may be susceptible to an authorization bypass. The documentation for ServerConfig.PublicKeyCallback says that "A call to this function does not...
3 affected packages
golang-go.crypto, lxd, snapd
| Package | 24.04 LTS | 22.04 LTS | 20.04 LTS | 18.04 LTS | 16.04 LTS |
|---|---|---|---|---|---|
| golang-go.crypto | Needs evaluation | Needs evaluation | Needs evaluation | Needs evaluation | Needs evaluation |
| lxd | Not in release | Not in release | Not affected | Needs evaluation | Needs evaluation |
| snapd | Needs evaluation | Needs evaluation | Needs evaluation | Needs evaluation | Needs evaluation |
CVE-2024-6219
Medium priorityMark Laing discovered in LXD's PKI mode, until version 5.21.1, that a restricted certificate could be added to the trust store with its restrictions not honoured.
1 affected package
lxd
| Package | 24.04 LTS | 22.04 LTS | 20.04 LTS | 18.04 LTS | 16.04 LTS |
|---|---|---|---|---|---|
| lxd | Not in release | Not in release | Needs evaluation | Needs evaluation | Needs evaluation |
CVE-2024-6156
Medium priorityMark Laing discovered that LXD's PKI mode, until version 5.21.2, could be bypassed if the client's certificate was present in the trust store.
1 affected package
lxd
| Package | 24.04 LTS | 22.04 LTS | 20.04 LTS | 18.04 LTS | 16.04 LTS |
|---|---|---|---|---|---|
| lxd | Not in release | Not in release | Needs evaluation | Needs evaluation | Needs evaluation |
CVE-2023-49721
Medium priorityAn insecure default to allow UEFI Shell in EDK2 was left enabled in LXD. This allows an OS-resident attacker to bypass Secure Boot.
1 affected package
lxd
| Package | 24.04 LTS | 22.04 LTS | 20.04 LTS | 18.04 LTS | 16.04 LTS |
|---|---|---|---|---|---|
| lxd | Not in release | Not in release | Not affected | Not affected | Not affected |
CVE-2023-48795
Medium prioritySome fixes available 29 of 79
The SSH transport protocol with certain OpenSSH extensions, found in OpenSSH before 9.6 and other products, allows remote attackers to bypass integrity checks such that some packets are omitted (from the extension negotiation...
13 affected packages
dropbear, filezilla, golang-go.crypto, libssh, libssh2...
| Package | 24.04 LTS | 22.04 LTS | 20.04 LTS | 18.04 LTS | 16.04 LTS |
|---|---|---|---|---|---|
| dropbear | Needs evaluation | Needs evaluation | Needs evaluation | Needs evaluation | Needs evaluation |
| filezilla | Fixed | Fixed | Fixed | Not affected | Not affected |
| golang-go.crypto | Needs evaluation | Needs evaluation | Needs evaluation | Needs evaluation | Needs evaluation |
| libssh | Not affected | Fixed | Fixed | Not affected | Not affected |
| libssh2 | Not affected | Not affected | Not affected | Not affected | Not affected |
| lxd | Not in release | Not in release | Not affected | Fixed | Fixed |
| openssh | Fixed | Fixed | Fixed | Fixed | Fixed |
| openssh-ssh1 | Needs evaluation | Needs evaluation | Needs evaluation | Needs evaluation | Not in release |
| paramiko | Fixed | Fixed | Fixed | Needs evaluation | Needs evaluation |
| proftpd-dfsg | Needs evaluation | Needs evaluation | Needs evaluation | Needs evaluation | Needs evaluation |
| putty | Needs evaluation | Needs evaluation | Needs evaluation | Needs evaluation | Needs evaluation |
| python-asyncssh | Fixed | Fixed | Fixed | Ignored | Ignored |
| snapd | Not affected | Not affected | Not affected | Not affected | Not affected |
CVE-2021-43565
Medium priorityThe x/crypto/ssh package before 0.0.0-20211202192323-5770296d904e of golang.org/x/crypto allows an attacker to panic an SSH server.
3 affected packages
golang-go.crypto, lxd, snapd
| Package | 24.04 LTS | 22.04 LTS | 20.04 LTS | 18.04 LTS | 16.04 LTS |
|---|---|---|---|---|---|
| golang-go.crypto | Needs evaluation | Needs evaluation | Needs evaluation | Needs evaluation | Needs evaluation |
| lxd | — | — | Not affected | Not affected | Not affected |
| snapd | Not affected | Not affected | Not affected | Not affected | Not affected |
CVE-2022-27191
Medium priorityThe golang.org/x/crypto/ssh package before 0.0.0-20220314234659-1baeb1ce4c0b for Go allows an attacker to crash a server in certain circumstances involving AddHostKey.
3 affected packages
golang-go.crypto, lxd, snapd
| Package | 24.04 LTS | 22.04 LTS | 20.04 LTS | 18.04 LTS | 16.04 LTS |
|---|---|---|---|---|---|
| golang-go.crypto | Needs evaluation | Needs evaluation | Needs evaluation | Needs evaluation | Needs evaluation |
| lxd | — | Not in release | Not affected | Not affected | Not affected |
| snapd | Not affected | Not affected | Not affected | Not affected | Not affected |
CVE-2022-23806
Medium priorityCurve.IsOnCurve in crypto/elliptic in Go before 1.16.14 and 1.17.x before 1.17.7 can incorrectly return true in situations with a big.Int value that is not a valid field element.
3 affected packages
golang-go.crypto, lxd, snapd
| Package | 24.04 LTS | 22.04 LTS | 20.04 LTS | 18.04 LTS | 16.04 LTS |
|---|---|---|---|---|---|
| golang-go.crypto | Needs evaluation | Needs evaluation | Needs evaluation | Needs evaluation | Needs evaluation |
| lxd | — | — | Not affected | Needs evaluation | Not affected |
| snapd | Not affected | Not affected | Not affected | Not affected | Not affected |
CVE-2020-29652
Medium prioritySome fixes available 8 of 20
A nil pointer dereference in the golang.org/x/crypto/ssh component through v0.0.0-20201203163018-be400aefbc4c for Go allows remote attackers to cause a denial of service against SSH servers.
4 affected packages
golang-go.crypto, kubernetes, lxd, snapd
| Package | 24.04 LTS | 22.04 LTS | 20.04 LTS | 18.04 LTS | 16.04 LTS |
|---|---|---|---|---|---|
| golang-go.crypto | Fixed | Fixed | Vulnerable | Not affected | Not affected |
| kubernetes | Needs evaluation | Needs evaluation | Needs evaluation | Not in release | Not in release |
| lxd | — | — | Not affected | Not affected | Not affected |
| snapd | Not affected | Not affected | Not affected | Not affected | Not affected |