Rekor
Monthly
Rekor versions 1.4.3 and earlier contain a server-side request forgery (SSRF) vulnerability in the /api/v1/index/retrieve endpoint that allows unauthenticated remote attackers to probe internal networks through blind SSRF attacks by supplying arbitrary URLs for public key retrieval. While the vulnerability cannot directly exfiltrate data or modify state since responses are not returned and only GET requests are supported, it enables reconnaissance of internal infrastructure. The issue is patched in version 1.5.0, or can be mitigated by disabling the retrieve API with --enable_retrieve_api=false.
Rekor versions 1.4.3 and below are vulnerable to denial of service through a null pointer dereference when processing malformed cose/v0.0.1 entries with empty spec.message fields. An unauthenticated remote attacker can trigger a panic in the Rekor process by sending a specially crafted entry, resulting in a 500 error response and temporary service disruption, though the thread recovery mechanism limits availability impact. The vulnerability has been patched in version 1.5.0.
Rekor's goals are to provide an immutable tamper resistant ledger of metadata generated within a software projects supply chain. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity.
Rekor is an open source software supply chain transparency log. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Allocation of Resources Without Limits vulnerability could allow attackers to exhaust system resources through uncontrolled allocation.
Rekor versions 1.4.3 and earlier contain a server-side request forgery (SSRF) vulnerability in the /api/v1/index/retrieve endpoint that allows unauthenticated remote attackers to probe internal networks through blind SSRF attacks by supplying arbitrary URLs for public key retrieval. While the vulnerability cannot directly exfiltrate data or modify state since responses are not returned and only GET requests are supported, it enables reconnaissance of internal infrastructure. The issue is patched in version 1.5.0, or can be mitigated by disabling the retrieve API with --enable_retrieve_api=false.
Rekor versions 1.4.3 and below are vulnerable to denial of service through a null pointer dereference when processing malformed cose/v0.0.1 entries with empty spec.message fields. An unauthenticated remote attacker can trigger a panic in the Rekor process by sending a specially crafted entry, resulting in a 500 error response and temporary service disruption, though the thread recovery mechanism limits availability impact. The vulnerability has been patched in version 1.5.0.
Rekor's goals are to provide an immutable tamper resistant ledger of metadata generated within a software projects supply chain. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity.
Rekor is an open source software supply chain transparency log. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Allocation of Resources Without Limits vulnerability could allow attackers to exhaust system resources through uncontrolled allocation.