ALT-PU-2025-4551-4 — portainer

BDU:2025-00210

CRITICAL9.8

Уязвимость метода git-upload-pack библиотеки go-git, позволяющая нарушителю оказывать влияние на конфиденциальность, целостность и доступность защищаемой информации

Published: 2025-01-13Modified: 2025-08-01

CVSS 3.xCRITICAL 9.8

CVSS:3.x/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CVSS 2.0CRITICAL 10.0

CVSS:2.0/AV:N/AC:L/Au:N/C:C/I:C/A:C

References

CVE-2025-21613

BDU:2025-01010

MEDIUM5.3

Уязвимость языка программирования Go, связанная с неконтролируемым расходом ресурсов, позволяющая нарушителю вызвать отказ в обслуживании

Published: 2025-02-03Modified: 2025-12-08

CVSS 3.xMEDIUM 5.3

CVSS:3.x/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

CVSS 2.0MEDIUM 5.0

CVSS:2.0/AV:N/AC:L/Au:N/C:N/I:N/A:P

References

CVE-2024-45338

BDU:2025-01178

HIGH7.4

Уязвимость функции strbuf_getdelim_strip_crlf кроссплатформенного фреймворка для хранения учётных данных Git Credential Manager (GCM) распределенной системы управления версиями Git, позволяющая нарушителю раскрыть защищаемую информацию

Published: 2025-02-06

CVSS 3.xHIGH 7.4

CVSS:3.x/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:N/A:N

CVSS 2.0HIGH 7.8

CVSS:2.0/AV:N/AC:L/Au:N/C:C/I:N/A:N

References

CVE-2024-50338

BDU:2025-06560

HIGH7.5

Уязвимость SSH-сервера языка программирования Golang, связанная с неконтролируемым расходом ресурсов, позволяющая нарушителю вызвать отказ в обслуживании

Published: 2025-06-09Modified: 2025-12-08

CVSS 3.xHIGH 7.5

CVSS:3.x/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CVSS 2.0HIGH 7.8

CVSS:2.0/AV:N/AC:L/Au:N/C:N/I:N/A:C

References

CVE-2025-22869

CVE-2024-45338

MEDIUM5.3

An attacker can craft an input to the Parse functions that would be processed non-linearly with respect to its length, resulting in extremely slow parsing. This could cause a denial of service.

Published: 2024-12-18Modified: 2026-04-15

CVSS 3.xMEDIUM 5.3

CVSS:3.x/CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

References

CVE-2024-50338

HIGH7.4

Git Credential Manager (GCM) is a secure Git credential helper built on .NET that runs on Windows, macOS, and Linux. The Git credential protocol is text-based over standard input/output, and consists of a series of lines of key-value pairs in the format `key=value`. Git's documentation restricts the use of the NUL (`\0`) character and newlines to form part of the keys or values. When Git reads from standard input, it considers both LF and CRLF as newline characters for the credential protocol by virtue of calling `strbuf_getline` that calls to `strbuf_getdelim_strip_crlf`. Git also validates that a newline is not present in the value by checking for the presence of the line-feed character (LF, `\n`), and errors if this is the case. This captures both LF and CRLF-type newlines. Git Credential Manager uses the .NET standard library `StreamReader` class to read the standard input stream line-by-line and parse the `key=value` credential protocol format. The implementation of the `ReadLineAsync` method considers LF, CRLF, and CR as valid line endings. This is means that .NET considers a single CR as a valid newline character, whereas Git does not. This mismatch of newline treatment between Git and GCM means that an attacker can craft a malicious remote URL. When a user clones or otherwise interacts with a malicious repository that requires authentication, the attacker can capture credentials for another Git remote. The attack is also heightened when cloning from repositories with submodules when using the `--recursive` clone option as the user is not able to inspect the submodule remote URLs beforehand. This issue has been patched in version 2.6.1 and all users are advised to upgrade. Users unable to upgrade should only interact with trusted remote repositories, and not clone with `--recursive` to allow inspection of any submodule URLs before cloning those submodules.

Published: 2025-01-14Modified: 2026-04-15

CVSS 3.xHIGH 7.4

CVSS:3.x/CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:N/A:N

References

CVE-2025-21613

CRITICAL9.2

go-git is a highly extensible git implementation library written in pure Go. An argument injection vulnerability was discovered in go-git versions prior to v5.13. Successful exploitation of this vulnerability could allow an attacker to set arbitrary values to git-upload-pack flags. This only happens when the file transport protocol is being used, as that is the only protocol that shells out to git binaries. This vulnerability is fixed in 5.13.0.

Published: 2025-01-06Modified: 2025-04-17

CVSS 3.xCRITICAL 9.8

CVSS:3.x/CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CVSS 4.0CRITICAL 9.2

CVSS:4.0/CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:Clear

References

https://github.com/go-git/go-git/security/advisories/GHSA-v725-9546-7q7m

CVE-2025-22869

HIGH7.5

SSH servers which implement file transfer protocols are vulnerable to a denial of service attack from clients which complete the key exchange slowly, or not at all, causing pending content to be read into memory, but never transmitted.

Published: 2025-02-26Modified: 2025-05-01

CVSS 3.xHIGH 7.5

CVSS:3.x/CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

References

GHSA-86c2-4x57-wc8g

HIGH7.4

Git Credential Manager carriage-return character in remote URL allows malicious repository to leak credentials

Published: 2025-01-14Modified: 2025-01-15

CVSS 3.xHIGH 7.4

CVSS:3.x/CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:N/A:N

References

GHSA-hcg3-q754-cr77

HIGH7.5

golang.org/x/crypto Vulnerable to Denial of Service (DoS) via Slow or Incomplete Key Exchange

Published: 2025-04-12Modified: 2025-04-14

CVSS 3.xHIGH 7.5

CVSS:3.x/CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

References

GHSA-v725-9546-7q7m

CRITICAL9.2

go-git has an Argument Injection via the URL field

Published: 2025-01-06Modified: 2025-01-06

CVSS 3.xCRITICAL 9.2

CVSS:3.x/CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CVSS 4.0CRITICAL 9.2

CVSS:4.0/CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:Clear

References

GHSA-w32m-9786-jp63

HIGH8.7

Non-linear parsing of case-insensitive content in golang.org/x/net/html

Published: 2024-12-19Modified: 2025-03-16

CVSS 4.0HIGH 8.7

CVSS:4.0/CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

References

Package update portainer in branch sisyphus

Closed issues (12)

Уязвимость метода git-upload-pack библиотеки go-git, позволяющая нарушителю оказывать влияние на конфиденциальность, целостность и доступность защищаемой информации

Уязвимость языка программирования Go, связанная с неконтролируемым расходом ресурсов, позволяющая нарушителю вызвать отказ в обслуживании

Уязвимость SSH-сервера языка программирования Golang, связанная с неконтролируемым расходом ресурсов, позволяющая нарушителю вызвать отказ в обслуживании

An attacker can craft an input to the Parse functions that would be processed non-linearly with respect to its length, resulting in extremely slow parsing. This could cause a denial of service.

SSH servers which implement file transfer protocols are vulnerable to a denial of service attack from clients which complete the key exchange slowly, or not at all, causing pending content to be read into memory, but never transmitted.

Git Credential Manager carriage-return character in remote URL allows malicious repository to leak credentials

golang.org/x/crypto Vulnerable to Denial of Service (DoS) via Slow or Incomplete Key Exchange

go-git has an Argument Injection via the URL field

Non-linear parsing of case-insensitive content in golang.org/x/net/html