Ada Logics has been trusted with auditing some of the world's most critical software, from container runtimes to web frameworks to Kubernetes itself. We audit both software packages that have had few security eyes on them and packages and projects that have already been scrutinized by many other teams.
We have found vulnerabilities in the biggest and most widely used open-source software projects. The advisories below list the date, the affected project, the advisory title and the severity assigned to each finding.
| Date | Project | Advisory | Severity |
|---|---|---|---|
| 20/11-2024 | Cert-Manager | Potential slowdown / DoS when parsing specially crafted PEM inputs | Low |
| 18/10-2024 | Keycloak | org.keycloak:keycloak-services has Inefficient Regular Expression Complexity | High |
| 1/10-2024 | Go-TUF | Incorrect delegation lookups can make go-tuf download the wrong artifact | High |
| 30/9-2024 | expressjs/basic-auth-connect | basic-auth-connect's callback uses time unsafe string comparison | Low |
| 10/9-2024 | expressjs/body-parser | body-parser vulnerable to denial of service when url encoding is enabled | High |
| 10/9-2024 | Express.js | express vulnerable to XSS via response.redirect() | Low |
| 10/9-2024 | pillarjs/send | send vulnerable to template injection that can lead to XSS | Low |
| 4/9-2024 | Sigstore-go | sigstore-go has an unbounded loop over untrusted input can lead to endless data attack | Low |
| 18/6-2024 | Minder | Minder affected by denial of service from maliciously configured Git repository | Moderate |
| 27/5-2024 | Minder | Denial of service of Minder Server from maliciously crafted GitHub attestations | Moderate |
| 20/5-2024 | Minder | Stacklok Minder vulnerable to denial of service from maliciously crafted templates | Moderate |
| 16/5-2024 | Minder | Denial of service of Minder Server with attacker-controlled REST endpoint | Moderate |
| 15/5-2024 | fastify-secure-session | @fastify/secure-session: Reuse of destroyed secure session cookie | High |
| 7/5-2024 | Minder | Minder's GitHub Webhook Handler vulnerable to DoS from un-validated requests | High |
| 10/4-2024 | Sigstore Cosign | Cosign malicious attachments can cause system-wide denial of service | Moderate |
| 10/4-2024 | Sigstore Cosign | Cosign malicious artifacts can cause machine-wide DoS | Moderate |
| 3/1-2024 | Knative Serving | Authenticated users can crash the CubeFS servers with maliciously crafted requests | High |
| 3/1-2024 | CubeFS | Authenticated users can crash the CubeFS servers with maliciously crafted requests | High |
| 3/1-2024 | CubeFS | CubeFS timing attack can leak user passwords | High |
| 3/1-2024 | CubeFS | Insecure random string generator used for sensitive data | High |
| 3/1-2024 | CubeFS | CubeFS leaks magic secret key when starting Blobstore access service | High |
| 3/1-2024 | CubeFS | CubeFS leaks users key in logs | Moderate |
| 27/11-2023 | Knative Serving | Knative Serving vulnerable to attacker-controlled pod causing denial of service of autoscaler | Moderate |
| 13/11-2023 | Kyverno | Attacker can cause Kyverno user to unintentionally consume insecure image | High |
| 7/11-2023 | Sigstore Cosign | Cosign vulnerable to possible endless data attack from attacker-controlled registry | Low |
| 7/11-2023 | Crossplane | Possible image tampering from missing image validation for Packages | High |
| 29/9-2023 | Apache Avro Java SDK | Apache Avro Java SDK: Memory when deserializing untrusted data in Avro Java SDK | High |
| 27/7-2023 | Crossplane | Denial of service from large image | Low |
| 16/7-2023 | Avro | avro vulnerable to denial of service via attacker-controlled parameter | High |
| 13/7-2023 | Istio | Unauthenticated control plane denial of service attack in Istio | High |
| 6/6-2023 | Notation | Notation vulnerable to denial of service from high number of artifact signatures | Moderate |
| 6/6-2023 | Notation | Notation's default `maxSignatureAttempts` in `notation verify` enables an endless data attack | Moderate |
| 6/6-2023 | Notation-go | notation-go's verification bypass can cause users to verify the wrong artifact | Moderate |
| 11/5-2023 | Vitess | VTAdmin users that can create shards can deny access to other functions | Moderate |
| 3/5-2023 | Rekor | Rekor's compressed archives can result in OOM conditions | High |
| 11/4-2023 | Vitess | Vitess allows users to create keyspaces that can deny access to already existing keyspaces | Moderate |
| 9/3-2023 | Crossplane-runtime | fieldpath's Paved.SetValue allows growing arrays up to arbitrary sizes in crossplane-runtime | Moderate |
| 9/3-2023 | Crossplane | Crossplane-runtime contains Improper Input Validation via Compositions | Moderate |
| 20/2-2023 | Helm | notation-go has excessive memory allocation on verification | High |
| 16/2-2023 | containerd | OCI image importer memory exhaustion | Moderate |
| 27/1-2023 | ArgoCD | Argo CD certificate verification is skipped for connections to OIDC providers | High |
| 14/12-2022 | Helm | Helm vulnerable to denial of service through string value parsing | Moderate |
| 14/12-2022 | Helm | Helm vulnerable to denial of service through repository index file | Moderate |
| 14/12-2022 | Helm | Helm vulnerable to denial of service through schema file | Moderate |
| 14/10-2022 | Golang | Reader.Read does not set a limit on the maximum size | High |
| 14/10-2022 | Golang | golang.org/x/text/language Denial of service via crafted Accept-Language header | High |
| 3/10-2022 | Jackson-Databind | Uncontrolled Resource Consumption in FasterXML jackson-databind | High |
| 24/8-2022 | Helm | Helm vulnerable to denial of service through string value parsing | Moderate |
| 24/8-2022 | Jackson-Databind | Uncontrolled Resource Consumption in Jackson-databind | High |
| 12/7-2022 | ArgoCD | Argo CD SSO users vulnerable to Cross-site Scripting | Low |
| 13/7-2022 | containerd | Insecure path traversal in Git Trigger Source can lead to arbitrary file read | High |
| 11/7-2022 | KubeEdge | KubeEdge Edge ServiceBus module DoS | Moderate |
| 11/7-2022 | KubeEdge | KubeEdge Cloud AdmissionController component DoS | Moderate |
| 11/7-2022 | KubeEdge | KubeEdge DoS when signing the CSR from EdgeCore | Moderate |
| 11/7-2022 | KubeEdge | KubeEdge CloudCore Router memory exhaustion vulnerability | Moderate |
| 11/7-2022 | KubeEdge | KubeEdge Cloud Stream and Edge Stream DoS from large stream message | Moderate |
| 11/7-2022 | KubeEdge | DoS in KubeEdge's Websocket Client in package Viaduct | Moderate |
| 26/6-2022 | KubeEdge | CloudCore CSI Driver: Malicious response from KubeEdge can crash CSI Driver controller server | Moderate |
| 24/6-2022 | KubeEdge | CloudCore UDS Server: Malicious Message can crash CloudCore | Moderate |
| 21/6-2022 | ArgoCD | Insecure entropy in Argo CD's PKCE/Oauth2/OIDC params | High |
| 21/6-2022 | ArgoCD | Argo CD's external URLs for Deployments can include JavaScript | Critical |
| 21/6-2022 | ArgoCD | Symlink following allows leaking out-of-bounds YAML files from Argo CD repo-server | Moderate |
| 21/6-2022 | ArgoCD | DoS through large manifest files in Argo CD | Moderate |
| 6/6-2022 | cri-o | Node DOS by way of memory exhaustion through ExecSync request in CRI-O | High |
| 6/6-2022 | containerd | containerd CRI plugin: Host memory exhaustion through ExecSync | Moderate |
| 11/11-2021 | FluxCD kustomize-controller | Privilege escalation to cluster admin on multi-tenant environments | High |