Top vulnerabilities found across the most recent 1 million SBOMs on SBOM.sh

CVE-2024-24786
Severity: medium

Occurrences: 93700

The protojson.Unmarshal function can enter an infinite loop when unmarshaling certain forms of invalid JSON. This condition can occur when unmarshaling into a message which contains a google.protobuf....

CVE-2024-28180
Severity: medium

Occurrences: 83962

Package jose aims to provide an implementation of the Javascript Object Signing and Encryption set of standards. An attacker could send a JWE containing compressed data that used large amounts of memo...

CVE-2023-39318
Severity: medium

Occurrences: 59727

The html/template package does not properly handle HTML-like "<!--" comment tokens, nor hashbang "#!" comment tokens, in <script> contexts. This may cause the template parser to improperly interpret the c...

CVE-2023-39326
Severity: medium

Occurrences: 58914

A malicious HTTP sender can use chunk extensions to cause a receiver reading from a request or response body to read many more bytes from the network than are in the body. A malicious HTTP client can ...

CVE-2023-39319
Severity: medium

Occurrences: 58899

The html/template package does not apply the proper rules for handling occurrences of "<script", "<!--", and "</script" within JS literals in <script> contexts. This may cause the template parser to i...

CVE-2023-45288
Severity: high

Occurrences: 56285

An attacker may cause an HTTP/2 endpoint to read arbitrary amounts of header data by sending an excessive number of CONTINUATION frames. Maintaining HPACK state requires parsing and processing all HEA...

CVE-2023-29406
Severity: medium

Occurrences: 54894

The HTTP/1 client does not fully validate the contents of the Host header. A maliciously crafted Host header can inject additional headers or entire requests. With fix, the HTTP/1 client now refuses t...

CVE-2023-29409
Severity: medium

Occurrences: 48322

Extremely large RSA keys in certificate chains can cause a client/server to expend significant CPU time verifying signatures. With fix, the size of RSA keys transmitted during handshakes is restricted...

CVE-2022-41723
Severity: high

Occurrences: 44901

A maliciously crafted HTTP/2 stream could cause excessive CPU consumption in the HPACK decoder, sufficient to cause a denial of service from a small number of small requests....

CVE-2023-39325
Severity: high

Occurrences: 44063

A malicious HTTP/2 client which rapidly creates requests and immediately resets them can cause excessive server resource consumption. While the total number of requests is bounded by the http2.Server....

CVE-2023-29403
Severity: high

Occurrences: 41703

On Unix platforms, the Go runtime does not behave differently when a binary is run with the setuid/setgid bits. This can be dangerous in certain cases, such as when dumping memory state, or assuming t...

CVE-2022-48303
Severity: medium

Occurrences: 40673

GNU Tar through 1.34 has a one-byte out-of-bounds read that results in use of uninitialized memory for a conditional jump. Exploitation to change the flow of control has not been demonstrated. The iss...

CVE-2023-24539
Severity: high

Occurrences: 35103

Angle brackets (<>) are not considered dangerous characters when inserted into CSS contexts. Templates containing multiple actions separated by a '/' character can result in unexpectedly closing the C...

CVE-2023-29400
Severity: high

Occurrences: 35103

Templates containing actions in unquoted HTML attributes (e.g. "attr={{.}}") executed with empty input can result in output with unexpected results when parsed due to HTML normalization rules. This ma...

CVE-2023-24532
Severity: medium

Occurrences: 34952

The ScalarMult and ScalarBaseMult methods of the P256 Curve may return an incorrect result if called with some specific unreduced scalars (a scalar larger than the order of the curve). This does not i...

Most used packages in the reported SBOMs

github.com/beorn7/perks
Version: v1.0.1

PURL: pkg:golang/github.com/beorn7/perks@v1.0.1

github.com/pkg/errors
Version: v0.9.1

PURL: pkg:golang/github.com/pkg/errors@v0.9.1

github.com/spf13/pflag
Version: v1.0.5

PURL: pkg:golang/github.com/spf13/pflag@v1.0.5

gopkg.in/yaml.v3
Version: v3.0.1

PURL: pkg:golang/gopkg.in/yaml.v3@v3.0.1

github.com/spf13/cast
Version: v1.5.0

PURL: pkg:golang/github.com/spf13/cast@v1.5.0

github.com/magiconair/properties
Version: v1.8.7

PURL: pkg:golang/github.com/magiconair/properties@v1.8.7

github.com/prometheus/client_model
Version: v0.2.0

PURL: pkg:golang/github.com/prometheus/client_model@v0.2.0

github.com/mitchellh/mapstructure
Version: v1.5.0

PURL: pkg:golang/github.com/mitchellh/mapstructure@v1.5.0

github.com/hashicorp/hcl
Version: v1.0.0

PURL: pkg:golang/github.com/hashicorp/hcl@v1.0.0

github.com/grpc-ecosystem/go-grpc-middleware
Version: v1.3.0

PURL: pkg:golang/github.com/grpc-ecosystem/go-grpc-middleware@v1.3.0

github.com/cespare/xxhash/v2
Version: v2.2.0

PURL: pkg:golang/github.com/cespare/xxhash/v2@v2.2.0

github.com/russross/blackfriday/v2
Version: v2.1.0

PURL: pkg:golang/github.com/russross/blackfriday/v2@v2.1.0

github.com/prometheus/procfs
Version: v0.7.3

PURL: pkg:golang/github.com/prometheus/procfs@v0.7.3

github.com/golang/protobuf
Version: v1.5.3

PURL: pkg:golang/github.com/golang/protobuf@v1.5.3

github.com/cpuguy83/go-md2man/v2
Version: v2.0.2

PURL: pkg:golang/github.com/cpuguy83/go-md2man/v2@v2.0.2