Search CVE reports
11 – 13 of 13 results
jwt-go before 4.0.0-preview1 allows attackers to bypass intended access restrictions in situations with []string{} for m["aud"] (which is allowed by the specification). Because the type assertion fails, "" is the value of aud....
4 affected packages
golang-github-dgrijalva-jwt-go, telegraf, golang-github-coreos-discovery-etcd-io, juju-core
| Package | 26.04 LTS | 24.04 LTS | 22.04 LTS | 20.04 LTS | 18.04 LTS |
|---|---|---|---|---|---|
| golang-github-dgrijalva-jwt-go | Not in release | Not in release | Not affected | Ignored | Ignored |
| telegraf | Not in release | Not in release | Not affected | Not in release | Not in release |
| golang-github-coreos-discovery-etcd-io | Needs evaluation | Needs evaluation | Needs evaluation | Ignored | Not in release |
| juju-core | Not in release | Not in release | Not in release | Not in release | Not in release |
Juju Core's Joyent provider before version 1.25.5 uploads the user's private ssh key.
1 affected package
juju-core
| Package | 26.04 LTS | 24.04 LTS | 22.04 LTS | 20.04 LTS | 18.04 LTS |
|---|---|---|---|---|---|
| juju-core | — | — | — | — | — |
Juju before 1.25.12, 2.0.x before 2.0.4, and 2.1.x before 2.1.3 uses a UNIX domain socket without setting appropriate permissions, allowing privilege escalation by users on the system to root.
2 affected packages
juju-core, juju-core-1
| Package | 26.04 LTS | 24.04 LTS | 22.04 LTS | 20.04 LTS | 18.04 LTS |
|---|---|---|---|---|---|
| juju-core | — | — | — | — | — |
| juju-core-1 | — | — | — | — | — |