Bobcallaway

**Name of the Vulnerable Software and Affected Versions** Rekor versions prior to 1.2.0 **Description** A malformed proposed entry of the `intoto/v0.0.2` type can cause a panic on a thread within the Rekor process. The thread is recovered, resulting in a 500 error message to the client, with minimal availability impact. **Recommendations** For versions prior to 1.2.0, upgrade to version 1.2.0 or later to resolve the issue. As a temporary workaround, consider restricting the use of the `intoto/v0.0.2` type proposed entries until a patch is applied.

**Name of the Vulnerable Software and Affected Versions** Dex versions prior to 2.35.0 **Description** Dex is an identity service that uses OpenID Connect to drive authentication for other apps. An attacker can exploit this issue by making a victim navigate to a malicious website and guiding them through the OIDC flow, stealing the OAuth authorization code in the process. The authorization code can then be exchanged for a token, gaining access to applications accepting that token. **Recommendations** For versions prior to 2.35.0, update to version 2.35.0 to resolve the issue. As a temporary workaround, consider disabling public clients to minimize the risk of exploitation. Note that disabling public clients may impact behavior. There are no known workarounds for existing versions without impacting behavior.