Affected by GO-2023-2397 and 4 other vulnerabilities:
GO-2023-2397: User with permission to write actions can impersonate another user when auth token is configured in environment variable in github.com/treeverse/lakefs
GO-2024-2581: User with ci:ReadAction permissions and write permissions to one path in a repository may copy objects from any path in the repository in github.com/treeverse/lakefs
GO-2024-3291: Re-creating a deleted user in lakeFS will re-enable previous user credentials that existed prior to its deletion in github.com/treeverse/lakefs
GO-2025-3479: lakeFS allows an authenticated user to cause a crash by exhausting server memory in github.com/treeverse/lakefs
GO-2025-4090: lakeFS affected by unauthenticated access to API usage metrics in github.com/treeverse/lakefs
Package encoding defines Claims for interoperable external services to
use in JWTs. An external service that imports this package receives a
Claims with a stable gob encoding.
OIDCClaimsSerdeNickname is the type name used to serialize Claims using
gob encoding in a JWT. It is the default name that gob would have assigned
had Claims been part of auth. Claims is no longer part of auth, explicitly
so that external services can serialize matching claims.
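How a pinned gob type name keeps the encoding stable, as an added example that is not code from lakeFS: the shape of `Claims`, the `claimsNickname` value and the `unregistered` type are assumptions made for illustration, and the claim data is constructed.

```go
package main

import (
	"bytes"
	"encoding/gob"
	"fmt"
)

// Claims is a stand-in for the package's Claims type (assumed shape).
type Claims map[string]interface{}

// claimsNickname is a constructed placeholder, not the real OIDCClaimsSerdeNickname value.
const claimsNickname = "example.invalid/auth.Claims"

// unregistered has no gob registration, so it cannot travel as an interface value.
type unregistered map[string]interface{}

func init() {
	// Pin the wire name. Without this, gob derives the name from the package
	// path, so moving the type to another package would change the encoding.
	gob.RegisterName(claimsNickname, Claims{})
}

// encodeAny gob-encodes v as an interface value, which embeds its registered name.
func encodeAny(v interface{}) ([]byte, error) {
	var buf bytes.Buffer
	err := gob.NewEncoder(&buf).Encode(&v)
	return buf.Bytes(), err
}

// decodeAny restores the concrete type by looking up the name found on the wire.
func decodeAny(b []byte) (interface{}, error) {
	var v interface{}
	err := gob.NewDecoder(bytes.NewReader(b)).Decode(&v)
	return v, err
}

// carriesNickname reports whether the encoded bytes contain the pinned name.
func carriesNickname(b []byte) bool {
	return bytes.Contains(b, []byte(claimsNickname))
}

func main() {
	b, err := encodeAny(Claims{"sub": "alice"}) // constructed sample claim
	fmt.Println(carriesNickname(b), err)
	v, err := decodeAny(b)
	fmt.Printf("%T %v %v\n", v, v, err)
	_, err = encodeAny(unregistered{"sub": "alice"})
	fmt.Println(err) // gob refuses interface values whose type has no registered name
}
```

A service that decodes such payloads has to register the same name for a type with a matching structure, otherwise decoding into an interface value fails.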