gateway:v5.8.0-rc1 Vulnerability Report

| Version | Built By | Build Date | Commit | Go OS | Go Arch | Go Version |
|---|---|---|---|---|---|---|
| 5.8.0-rc1 | goreleaser | 2025-03-01T11:51:06Z | 83d4b12c7fb8bb7ea3a1caf2489cff4f4722a119 | linux | amd64 | go1.23.6 |

| | Critical | High | Medium | Low |
|---|---|---|---|---|
| All issues | 0 | 2 | 3 | 7 |
| Skip invalid issues | 0 | 0 | 0 | 6 |

Critical Vulnerabilities

| CVE ID | Score | Summary | Resolution | Scanners | Published |
|---|---|---|---|---|---|

High Vulnerabilities

| CVE ID | Score | Summary | Resolution | Scanners | Published |
|---|---|---|---|---|---|
| CVE-2025-22868 | 0.00 | An attacker can pass a malicious malformed token which causes unexpected memory to be consumed during parsing. | INVALID: CVE applies to no Cvss score, not applicable | scout: High | 2025-02-26T08:14:00Z |
| CVE-2025-22869 | 0.00 | SSH servers which implement file transfer protocols are vulnerable to a denial of service attack from clients which complete the key exchange slowly, or not at all, causing pending content to be read into memory, but never transmitted. | INVALID: CVE applies to no Cvss score, not applicable | scout: High | 2025-02-26T08:14:00Z |

Medium Vulnerabilities

| CVE ID | Score | Summary | Resolution | Scanners | Published |
|---|---|---|---|---|---|
| CVE-2024-13176 | 0.00 | Issue summary: A timing side-channel which could potentially allow recovering the private key exists in the ECDSA signature computation. Impact summary: A timing side-channel in ECDSA signature computations could allow recovering the private key by an attacker. However, measuring the timing would require either local access to the signing application or a very fast network connection with low latency. There is a timing signal of around 300 nanoseconds when the top word of the inverted ECDSA nonce value is zero. This can happen with significant probability only for some of the supported elliptic curves. In particular the NIST P-521 curve is affected. To be able to measure this leak, the attacker process must either be located in the same physical computer or must have a very fast network connection with low latency. For that reason the severity of this vulnerability is Low. The FIPS modules in 3.4, 3.3, 3.2, 3.1 and 3.0 are affected by this issue. | INVALID: CVE applies to no Cvss score, not applicable | trivy: Medium | 2025-01-20T14:15:00Z |
| CVE-2025-0395 | 0.00 | When the assert() function in the GNU C Library versions 2.13 to 2.40 fails, it does not allocate enough space for the assertion failure message string and size information, which may lead to a buffer overflow if the message string size aligns to page size. | INVALID: CVE applies to no Cvss score, not applicable | trivy: Medium | 2025-01-22T13:15:00Z |
| CVE-2025-27144 | 0.00 | Go JOSE provides an implementation of the Javascript Object Signing and Encryption set of standards in Go, including support for JSON Web Encryption (JWE), JSON Web Signature (JWS), and JSON Web Token (JWT) standards. In versions on the 4.x branch prior to version 4.0.5, when parsing compact JWS or JWE input, Go JOSE could use excessive memory. The code used strings.Split(token, ".") to split JWT tokens, which is vulnerable to excessive memory consumption when processing maliciously crafted tokens with a large number of `.` characters. An attacker could exploit this by sending numerous malformed tokens, leading to memory exhaustion and a Denial of Service. Version 4.0.5 fixes this issue. As a workaround, applications could pre-validate that payloads passed to Go JOSE do not contain an excessive number of `.` characters. | INVALID: CVE applies to no Cvss score, not applicable | scout: Medium; trivy: Medium | 2025-02-24T23:15:00Z |

Low Vulnerabilities

| CVE ID | Score | Summary | Resolution | Scanners | Published |
|---|---|---|---|---|---|
| CVE-2010-4756 | 0.00 | The glob implementation in the GNU C Library (aka glibc or libc6) allows remote authenticated users to cause a denial of service (CPU and memory consumption) via crafted glob expressions that do not match any pathnames, as demonstrated by glob expressions in STAT commands to an FTP daemon, a different vulnerability than CVE-2010-2632. | INVALID: CVE applies to no Cvss score, not applicable | trivy: Low | 2011-03-02T20:00:00Z |
| CVE-2018-20796 | 7.50 | In the GNU C Library (aka glibc or libc6) through 2.29, check_dst_limits_calc_pos_1 in posix/regexec.c has Uncontrolled Recursion, as demonstrated by '(\227\|)(\\1\\1\|t1\|\\\2537)+' in grep. | | trivy: Low | 2019-02-26T02:29:00Z |
| CVE-2019-1010022 | 9.80 | GNU Libc current is affected by: Mitigation bypass. The impact is: Attacker may bypass stack guard protection. The component is: nptl. The attack vector is: Exploit stack buffer overflow vulnerability and use this bypass vulnerability to bypass stack guard. NOTE: Upstream comments indicate "this is being treated as a non-security bug and no real threat." | | trivy: Low | 2019-07-15T04:15:00Z |
| CVE-2019-1010023 | 8.80 | GNU Libc current is affected by: Re-mapping current loaded library with malicious ELF file. The impact is: In worst case attacker may evaluate privileges. The component is: libld. The attack vector is: Attacker sends 2 ELF files to victim and asks to run ldd on it. ldd execute code. NOTE: Upstream comments indicate "this is being treated as a non-security bug and no real threat." | | trivy: Low | 2019-07-15T04:15:00Z |
| CVE-2019-1010024 | 5.30 | GNU Libc current is affected by: Mitigation bypass. The impact is: Attacker may bypass ASLR using cache of thread stack and heap. The component is: glibc. NOTE: Upstream comments indicate "this is being treated as a non-security bug and no real threat." | | trivy: Low | 2019-07-15T04:15:00Z |
| CVE-2019-1010025 | 5.30 | GNU Libc current is affected by: Mitigation bypass. The impact is: Attacker may guess the heap addresses of pthread_created thread. The component is: glibc. NOTE: the vendor's position is "ASLR bypass itself is not a vulnerability." | | trivy: Low | 2019-07-15T04:15:00Z |
| CVE-2019-9192 | 7.50 | In the GNU C Library (aka glibc or libc6) through 2.29, check_dst_limits_calc_pos_1 in posix/regexec.c has Uncontrolled Recursion, as demonstrated by '(\|)(\\1\\1)*' in grep, a different issue than CVE-2018-20796. NOTE: the software maintainer disputes that this is a vulnerability because the behavior occurs only with a crafted pattern. | | trivy: Low | 2019-02-26T18:29:00Z |