GitHub Advisory Database
Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.
GitHub reviewed advisories
Unreviewed advisories
Language support
Unreviewed advisories have not been assessed by GitHub for quality and do not connect to the Dependabot service.
Filter advisories
Filter advisories
GitHub reviewed advisories
All reviewed
5,000+
Composer
4,062
Erlang
29
GitHub Actions
19
Go
1,889
Maven
5,000+
npm
3,622
NuGet
638
pip
3,233
Pub
10
RubyGems
857
Rust
818
Swift
35
Unreviewed advisories
All unreviewed
5,000+
78 advisories
Filter by severity
Team scope authorization bypass when Post/Put request with :team_name in body, allows HTTP parameter pollution
Moderate
CVE-2022-31683
was published
for
github.com/concourse/concourse
(Go)
Oct 19, 2022
OpenFGA Authorization Bypass
Moderate
CVE-2022-39352
was published
for
github.com/openfga/openfga
(Go)
Nov 8, 2022
On a compromised node, the virt-handler service account can be used to modify all node specs
High
CVE-2023-26484
was published
for
kubevirt.io/kubevirt
(Go)
Mar 16, 2023
Potential network policy bypass when routing IPv6 traffic
Moderate
CVE-2023-27594
was published
for
github.com/cilium/cilium
(Go)
Mar 17, 2023
Privilege escalation in MOSN
Critical
CVE-2021-32163
was published
for
mosn.io/mosn
(Go)
Feb 17, 2023
KubeOperator allows unauthorized access to system API
High
CVE-2023-22480
was published
for
github.com/KubeOperator/KubeOperator
(Go)
Jan 9, 2023
Users with any cluster secret update access may update out-of-bounds cluster secrets
Critical
CVE-2023-23947
was published
for
github.com/argoproj/argo-cd
(Go)
Feb 16, 2023
OIDC claims not updated from Identity Provider in Pomerium
Moderate
CVE-2021-41230
was published
for
github.com/pomerium/pomerium
(Go)
Nov 10, 2021
Podman's incorrect handling of the supplementary groups may lead to data disclosure, modification
High
CVE-2022-2989
was published
for
github.com/containers/podman/v3
(Go)
Sep 14, 2022
Improper Input Validation
Moderate
CVE-2021-3499
was published
for
github.com/ovn-org/ovn-kubernetes
(Go)
Jun 8, 2021
gomatrixserverlib and Dendrite vulnerable to incorrect parsing of the event default power level in event auth
Moderate
CVE-2022-36009
was published
for
github.com/matrix-org/dendrite
(Go)
Aug 30, 2022
Buildah's incorrect handling of the supplementary groups may lead to data disclosure, modification
High
CVE-2022-2990
was published
for
github.com/containers/buildah
(Go)
Sep 14, 2022
JWT audience claim is not verified
Critical
CVE-2023-22482
was published
for
github.com/argoproj/argo-cd
(Go)
Jan 25, 2023
Incorrect Privilege Assignment in HashiCorp Vault
High
CVE-2021-42135
was published
for
github.com/hashicorp/vault
(Go)
Oct 12, 2021
Incorrect Authorization in HashiCorp Consul
Moderate
CVE-2020-7955
was published
for
github.com/hashicorp/consul
(Go)
Jul 28, 2021
Incorrect Authorization in ORY Oathkeeper
High
CVE-2021-32701
was published
for
github.com/ory/oathkeeper
(Go)
Jun 24, 2021
Incorrect Authorization with specially crafted requests
High
CVE-2021-39206
was published
for
github.com/pomerium/pomerium
(Go)
Sep 10, 2021
Capsule vulnerable to privilege escalation by ServiceAccount deployed in a Tenant Namespace
High
CVE-2022-46167
was published
for
github.com/clastix/capsule
(Go)
Dec 5, 2022
Broken Authorization in ZITADEL Actions
High
CVE-2022-36051
was published
for
github.com/zitadel/zitadel
(Go)
Aug 30, 2022
HashiCorp Consul and Consul Enterprise 1.10.1 Txn.Apply endpoint allowed services to register proxies for other services, enabling access to service traffic.
Moderate
CVE-2021-38698
was published
for
github.com/hashicorp/consul
(Go)
Sep 8, 2021
AAD Pod Identity obtaining token with backslash
Moderate
CVE-2022-23551
was published
for
github.com/Azure/aad-pod-identity
(Go)
Dec 21, 2022
Exposure of repository credentials to external third-party sources in Rancher
High
CVE-2021-36778
was published
for
github.com/rancher/rancher
(Go)
May 2, 2022
Istio may allow identity impersonation if user has localhost access
High
CVE-2022-39388
was published
for
github.com/istio/istio
(Go)
Nov 9, 2022
Duplicate advisory: Configuration exposure in github.com/coreos/ignition
Moderate
GHSA-mjqc-5c9x-xfcc
was published
for
github.com/coreos/ignition/v2
(Go)
May 18, 2022
•
withdrawn
Istio Fragments in Path May Lead to Authorization Policy Bypass
High
CVE-2021-39156
was published
for
istio.io/istio
(Go)
Aug 30, 2021
ProTip!
Advisories are also available from the
GraphQL API