81 lines
4.4 KiB
Plaintext
.cache/
playwright/.auth/

# GHSA-69x3-g4r3-p962 / CVE-2026-25793: Nebula ECDSA Signature Malleability
# Severity: HIGH (CVSS 8.1) — Package: github.com/slackhq/nebula v1.9.7 in /usr/bin/caddy
# Cannot upgrade: smallstep/certificates v0.27.5 (latest stable as of 2026-02-19) still pins nebula v1.9.x.
# Charon does not use Nebula VPN PKI by default. Review by: 2026-03-05
# See also: .grype.yaml for full justification
CVE-2026-25793

# CVE-2026-22184: zlib Global Buffer Overflow in untgz utility
# Severity: CRITICAL (CVSS 9.8) — Package: zlib 1.3.1-r2 in Alpine base image
# No upstream fix available: Alpine 3.23 (including edge) still ships zlib 1.3.1-r2.
# Charon does not use untgz or process untrusted tar archives. Review by: 2026-03-14
# See also: .grype.yaml for full justification
CVE-2026-22184

# CVE-2026-27171: zlib CPU spin via crc32_combine64 infinite loop (DoS)
# Severity: MEDIUM (CVSS 5.5 NVD / 2.9 MITRE) — Package: zlib 1.3.1-r2 in Alpine base image
# Fix requires zlib >= 1.3.2. No upstream fix available: Alpine 3.23 still ships zlib 1.3.1-r2.
# Attack requires local access (AV:L); the vulnerable code path is not reachable via Charon's
# network-facing surface. Non-blocking by CI policy (MEDIUM). Review by: 2026-04-21
# exp: 2026-04-21
CVE-2026-27171

# CVE-2026-2673: OpenSSL TLS 1.3 server key exchange group downgrade (libcrypto3/libssl3)
# Severity: HIGH (CVSS 7.5) — Packages: libcrypto3 3.5.5-r0 and libssl3 3.5.5-r0 in Alpine base image
# No upstream fix available: Alpine 3.23 still ships libcrypto3/libssl3 3.5.5-r0 as of 2026-03-18.
# When DEFAULT is in TLS 1.3 group config, server may select a weaker key exchange group.
# Charon terminates TLS at the Caddy layer — the Go backend does not act as a raw TLS 1.3 server.
# Review by: 2026-04-18
# See also: .grype.yaml for full justification
# exp: 2026-04-18
CVE-2026-2673

# CVE-2026-33186 / GHSA-p77j-4mvh-x3m3: gRPC-Go authorization bypass via missing leading slash
# Severity: CRITICAL (CVSS 9.1) — Package: google.golang.org/grpc, embedded in CrowdSec (v1.74.2) and Caddy (v1.79.1)
# Fix exists at v1.79.3 — Charon's own dep is patched. Waiting on CrowdSec and Caddy upstream releases.
# CrowdSec's and Caddy's grpc servers are not exposed externally in a standard Charon deployment.
# Review by: 2026-04-02
# See also: .grype.yaml for full justification
# exp: 2026-04-02
CVE-2026-33186

# GHSA-479m-364c-43vc: goxmldsig XML signature validation bypass (loop variable capture)
# Severity: HIGH (CVSS 7.5) — Package: github.com/russellhaering/goxmldsig v1.5.0, embedded in /usr/bin/caddy
# Fix exists at v1.6.0 — waiting on Caddy upstream (or caddy-security plugin) to release with patched goxmldsig.
# Charon does not configure SAML-based SSO by default; the vulnerable path is not reachable in a standard deployment.
# Review by: 2026-04-02
# See also: .grype.yaml for full justification
# exp: 2026-04-02
GHSA-479m-364c-43vc

# GHSA-6g7g-w4f8-9c9x: buger/jsonparser Delete panic on malformed JSON (DoS)
# Severity: HIGH (CVSS 7.5) — Package: github.com/buger/jsonparser v1.1.1, embedded in CrowdSec binaries
# No upstream fix available as of 2026-03-19 (issue #275 open, golang/vulndb #4514 open).
# Charon does not use this package; the vector requires reaching CrowdSec's internal processing pipeline.
# Review by: 2026-04-19
# See also: .grype.yaml for full justification
# exp: 2026-04-19
GHSA-6g7g-w4f8-9c9x

# GHSA-jqcq-xjh3-6g23: pgproto3/v2 DataRow.Decode panic on negative field length (DoS)
# Severity: HIGH (CVSS 7.5) — Package: github.com/jackc/pgproto3/v2 v2.3.3, embedded in CrowdSec binaries
# pgproto3/v2 is archived/EOL — no fix will be released. Fix path requires CrowdSec to migrate to pgx/v5.
# Charon uses SQLite; the PostgreSQL code path is not reachable in a standard deployment.
# Review by: 2026-04-19
# See also: .grype.yaml for full justification
# exp: 2026-04-19
GHSA-jqcq-xjh3-6g23

# GHSA-x6gf-mpr2-68h6 / CVE-2026-4427: pgproto3/v2 DataRow.Decode panic on negative field length (DoS)
# Severity: HIGH (CVSS 7.5) — Package: github.com/jackc/pgproto3/v2 v2.3.3, embedded in CrowdSec binaries
# NVD/Red Hat alias (CVE-2026-4427) for the same underlying bug as GHSA-jqcq-xjh3-6g23.
# pgproto3/v2 is archived/EOL — no fix will be released. Fix path requires CrowdSec to migrate to pgx/v5.
# Charon uses SQLite; the PostgreSQL code path is not reachable in a standard deployment.
# Review by: 2026-04-21
# See also: .grype.yaml for full justification
# exp: 2026-04-21
GHSA-x6gf-mpr2-68h6
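Every suppression above carries a justification block and a `Review by:` and/or `exp:` date, and the value of such a list depends on those dates actually being revisited. The script below is an added example, not part of this file, of Charon, or of Trivy/Grype: it parses the file's own convention (comment lines holding the justification and dates, immediately followed by the suppressed CVE/GHSA ID) and reports entries with no justification, no date, or a date that has already passed, so CI can fail the build when an exception silently outlives its review window. The regexes, the `Suppression` dataclass and the sample input are assumptions of this example; the sample reuses two entries from the list above in shape and adds one placeholder ID (`CVE-0000-0000`) that is deliberately malformed.

```python
"""Audit a .trivyignore-style suppression list (added example, not part of the
original file or of any scanner).  Assumed convention, taken from the file
above: each suppressed ID is preceded by '#' comment lines carrying the
justification plus a '# Review by: YYYY-MM-DD' and/or '# exp: YYYY-MM-DD' line."""
from __future__ import annotations

import re
import sys
from dataclasses import dataclass
from datetime import date
from pathlib import Path

# Vulnerability IDs accepted as suppression lines (CVE and GitHub advisory IDs).
ID_RE = re.compile(r"^(?:CVE-\d{4}-\d{4,}|GHSA(?:-[0-9a-z]{4}){3})$")
# Review/expiry dates in the comment block, in both spellings the file uses.
DATE_RE = re.compile(r"(?:exp|Review by):\s*(\d{4}-\d{2}-\d{2})")


@dataclass
class Suppression:
    ident: str
    justification: list[str]   # comment lines immediately preceding the ID
    expires: date | None        # earliest valid exp:/Review by: date, if any


def parse_ignore_file(text: str) -> list[Suppression]:
    """Group each ID line with the comment block directly above it."""
    entries: list[Suppression] = []
    pending: list[str] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue                        # blank lines do not end a comment block
        if line.startswith("#"):
            pending.append(line.lstrip("#").strip())
            continue
        if ID_RE.match(line):
            dates = []
            for comment in pending:
                for found in DATE_RE.findall(comment):
                    try:
                        dates.append(date.fromisoformat(found))
                    except ValueError:
                        pass                # a malformed date counts as no date
            entries.append(Suppression(line, pending, min(dates) if dates else None))
        # Any other non-comment line (e.g. a path pattern) is not a suppression;
        # in both cases the pending comment block has been consumed.
        pending = []
    return entries


def audit(entries: list[Suppression], today: date) -> list[tuple[str, str]]:
    """Return (id, problem) pairs for entries that should block the build."""
    findings: list[tuple[str, str]] = []
    for e in entries:
        if not e.justification:
            findings.append((e.ident, "no justification comment"))
        if e.expires is None:
            findings.append((e.ident, "no exp:/Review by: date"))
        elif e.expires < today:
            findings.append((e.ident, f"review date {e.expires.isoformat()} has passed"))
    return findings


# Constructed sample in the file's format: a path pattern (ignored), two entries
# shaped like the real ones above, and a placeholder ID with no comment block.
SAMPLE = """\
.cache/

# CVE-2026-27171: zlib CPU spin via crc32_combine64 infinite loop (DoS)
# Review by: 2026-04-21
# exp: 2026-04-21
CVE-2026-27171

# GHSA-69x3-g4r3-p962 / CVE-2026-25793: Nebula ECDSA Signature Malleability
# Review by: 2026-03-05
CVE-2026-25793

CVE-0000-0000
"""

if __name__ == "__main__":
    # Usage: python audit_ignore.py [.trivyignore]; without a path the sample runs.
    text = Path(sys.argv[1]).read_text(encoding="utf-8") if len(sys.argv) > 1 else SAMPLE
    problems = audit(parse_ignore_file(text), date.today())
    for ident, problem in problems:
        print(f"{ident}: {problem}")
    sys.exit(1 if problems else 0)
```

Run it as a CI step against the real file; the non-zero exit turns a forgotten `Review by:` into a failing build instead of a permanently silenced finding. Because blank lines do not terminate a comment block, a justification separated from its ID by whitespace is still attached to it, while a path pattern or unknown line between them resets the block, so a comment cannot accidentally justify a later, unrelated ID.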