This repository was archived by the owner on Jul 7, 2026. It is now read-only.
Security: Netflix/lemur
Security
No security policy detected
This project has not set up a SECURITY.md file yet.
-
Unchecked `replaces[]` lets any user silence notifications and hijack auto-rotation for arbitrary certificatesGHSA-cfh6-pv5c-38jv published
Jul 6, 2026 by PJ1288High -
Sub-CA creation never checks `AuthorityPermission` on the parent authorityGHSA-g7p5-89mh-248h published
Jul 6, 2026 by PJ1288Moderate -
Any user can revoke arbitrary certificates at the CA by uploading a duplicate record and revoking itGHSA-pxmc-2ffp-8j67 published
Jul 6, 2026 by PJ1288High -
Server-Side Request Forgery via the ACME client following server-controlled URLsGHSA-xpmj-wjcp-6pww published
Jul 6, 2026 by PJ1288High -
Authenticated low-privilege users can read plaintext destination credentials (SFTP password / private-key passphrase) via the destinations APIGHSA-6c8m-q6g9-vrw3 published
Jul 6, 2026 by PJ1288High -
Incomplete fix for GHSA-v2wp-frmc-5q3v -- ACME authority update endpoint allows non-admin to replace `acme_url` with internal IP, bypassing allowlistGHSA-v5rc-cpwc-cfpr published
Jul 6, 2026 by PJ1288High -
SSRF protection in certificate revocation checking bypassable via HTTP redirects and DNS rebinding (incomplete fix for GHSA-54vg-pfh7-jq95)GHSA-f3qq-49m6-rw8f published
Jul 6, 2026 by PJ1288Moderate -
Missing authorization check on POST /certificates/<id>/export for plugins with requires_key = FalseGHSA-4h97-p9wq-chqj published
Jul 6, 2026 by PJ1288Moderate -
Post-authentication SSRF via certificate verification - attacker-controlled CRL and OCSP URLs in uploaded certificatesGHSA-54vg-pfh7-jq95 published
Jun 10, 2026 by PJ1288Moderate -
Privilege escalation via PUT /api/1/roles/<id> — non-admin role members can rewrite role membershipGHSA-x3vf-mgxj-7785 published
Jun 10, 2026 by PJ1288Moderate
Learn more about advisories related to Netflix/lemur in the GitHub Advisory Database