315 matches found

OSV
added 2023/07/21 8:17 p.m. | 20 views

GHSA-59M6-82QM-VQGJ Dapr API token authentication bypass in HTTP endpoints

Summary A vulnerability has been found in Dapr that allows bypassing API token authentication, which is used by the Dapr sidecar to authenticate calls coming from the application, with a well-crafted HTTP request. Users who leverage API token authentication are encouraged to upgrade Dapr to 1.10....

CVSS 6.8 | AI score 7.1 | EPSS 0.0026
Exploits 1 | References 6

Github Security Blog
added 2023/07/21 8:17 p.m. | 21 views

Dapr API token authentication bypass in HTTP endpoints

Summary A vulnerability has been found in Dapr that allows bypassing API token authentication, which is used by the Dapr sidecar to authenticate calls coming from the application, with a well-crafted HTTP request. Users who leverage API token authentication are encouraged to upgrade Dapr to 1.10....

CVSS 7.5 | AI score 7 | EPSS 0.0026
Exploits 1 | References 6 | Affected Software 1

Cvelist
added 2023/07/21 8:08 p.m. | 13 views

CVE-2023-37918 API token authentication bypass in HTTP endpoints in Dapr

Dapr is a portable, event-driven runtime for building distributed applications across cloud and edge. A vulnerability has been found in Dapr that allows bypassing API token authentication, which is used by the Dapr sidecar to authenticate calls coming from the application, with a well-crafted HT...

CVSS 6.8 | AI score 7.7 | EPSS 0.0026
Exploits 1 | References 3

OSV
added 2023/07/21 8:08 p.m. | 16 views

CVE-2023-37918 API token authentication bypass in HTTP endpoints in Dapr

Dapr is a portable, event-driven runtime for building distributed applications across cloud and edge. A vulnerability has been found in Dapr that allows bypassing API token authentication, which is used by the Dapr sidecar to authenticate calls coming from the application, with a well-crafted HT...

CVSS 6.8 | AI score 7.5 | EPSS 0.0026
Exploits 1 | References 5

Vulnrichment
added 2023/07/21 8:08 p.m. | 18 views

CVE-2023-37918 API token authentication bypass in HTTP endpoints in Dapr

Dapr is a portable, event-driven runtime for building distributed applications across cloud and edge. A vulnerability has been found in Dapr that allows bypassing API token authentication, which is used by the Dapr sidecar to authenticate calls coming from the application, with a well-crafted HT...

CVSS 6.8 | AI score 7.6 | EPSS 0.0026
Exploits 1 | References 3

CVE
added 2023/07/21 8:08 p.m. | 2484 views

CVE-2023-37918

CVE-2023-37918 affects Dapr and describes an API-token authentication bypass in HTTP endpoints when API token authentication is enabled. The root cause involves health check endpoint allowlisting, where requests containing /healthz in the URL could bypass the dapr-api-token check and reach the Da...

CVSS 7.5 | AI score 7 | EPSS 0.0026
Exploits 1 | References 3 | Affected Software 1

Tenable Nessus
added 2023/07/11 12:00 a.m. | 161 views

Fortinet Fortigate Existing websocket connection persists after deleting API admin (FG-IR-23-028)

The version of Fortigate installed on the remote host is prior to the tested version. It is, therefore, affected by a vulnerability as referenced in the FG-IR-23-028 advisory. - An insufficient session expiration in Fortinet FortiOS 7.0.0 - 7.0.12 and 7.2.0 - 7.2.4 allows an attacker to execute...

CVSS 9.8 | AI score 8.6 | EPSS 0.00103
Exploits 0 | References 2

Hacker One
added 2023/06/17 8:25 p.m. | 13 views

Mozilla: Mozilla FuzzManager API Token Exposed in Git Commit

An API token for a Mozilla fuzzing service was exposed in a GitHub repository commit. The token provided read-write access to internal fuzzing data. The token was rotated and configured for write-only access...

AI score 7.1
Exploits 0

Exploit DB
added 2023/04/14 12:00 a.m. | 368 views

Bludit 4.0.0-rc-2 - Account takeover

Exploit Title: Bludit 4.0.0-rc-2 - Account takeover Author: nu11secur1ty Date: 04.11.2013 Vendor: https://www.bludit.com/ Software: https://github.com/bludit/bludit/releases/tag/4.0.0-rc-2 Reference: https://www.cloudflare.com/learning/access-management/account-takeover/ Reference:...

AI score 7
Exploits 0

0day.today
added 2023/04/12 12:00 a.m. | 271 views

Bludit 4.0.0-rc-2 Privilege Escalation Vulnerability

Bludit version 4.0.0-rc-2 suffers from an account takeover vulnerability due to an API key that can be abused to change the administrative password. Title: Bludit-4.0.0-rc-2 - Release candidate 2 Account takeover: API token vulnerability Author: nu11secur1ty Date: 04.11.2013 Vendor:...

AI score 6.8
Exploits 0

Packet Storm
added 2023/04/11 12:00 a.m. | 237 views

Bludit 4.0.0-rc-2 Privilege Escalation

Title: Bludit-4.0.0-rc-2 - Release candidate 2 Account takeover: API token vulnerability Author: nu11secur1ty Date: 04.11.2013 Vendor: https://www.bludit.com/ Software: https://github.com/bludit/bludit/releases/tag/4.0.0-rc-2 Reference:...

AI score 6.8
Exploits 0

Wallarm Lab
added 2023/03/09 1:10 p.m. | 166 views

Predictions for 2023 from Latest API Threat Research | API Security Newsletter

March has arrived and is roaring like a very confused lion, at least in the northern hemisphere. And much like in the wild, brood production is increasing. We've already seen some fruits of that labor, such as the Q4-2022 and 2022 Year-End ThreatStats™ Report, and some very tasty product upgrades...

CVSS 6.8 | AI score 10 | EPSS 0.94255
Exploits 47

Huntr
added 2023/02/28 1:42 a.m. | 31 views

Local file inclusion leading to RCE

Description The api handling endpoint allows for a local file inclusion that can lead to remote code execution. It requires a valid api token which can be obtained via a database backup with account access, a number of different sql injections with account access, or stolen from a user. Proof of...

CVSS 6.5 | AI score 7.5 | EPSS 0.00655
Exploits 1

SUSE CVE
added 2023/02/15 5:30 a.m. | 1 view

SUSE CVE-2014-2062

Jenkins before 1.551 and LTS before 1.532.2 does not invalidate the API token when a user is deleted, which allows remote authenticated users to retain access via the token...

CVSS 6.5 | AI score 6.5 | EPSS 0.00186
Exploits 0 | References 3

SUSE CVE
added 2023/02/15 3:29 a.m. | 1 view

SUSE CVE-2022-21673

Grafana is an open-source platform for monitoring and observability. In affected versions when a data source has the Forward OAuth Identity feature enabled, sending a query to that datasource with an API token and no other user credentials will forward the OAuth Identity of the most recently...

CVSS 4.3 | AI score 8.6 | EPSS 0.00521
Exploits 0 | References 11

Prion
added 2022/11/30 10:15 p.m. | 32 views

Authentication flaw

The Synthetic Monitoring Agent for Grafana's Synthetic Monitoring application provides probe functionality and executes network checks for monitoring remote targets. Users running the Synthetic Monitoring agent prior to version 0.12.0 in their local network are impacted. The authentication token...

CVSS 1.7 | AI score 4.5 | EPSS 0.00381
Exploits 0 | References 6 | Affected Software 1

Cvelist
added 2022/11/30 12:00 a.m. | 22 views

CVE-2022-46156 Grafana's default installation of `synthetic-monitoring-agent` exposes sensitive information

The Synthetic Monitoring Agent for Grafana's Synthetic Monitoring application provides probe functionality and executes network checks for monitoring remote targets. Users running the Synthetic Monitoring agent prior to version 0.12.0 in their local network are impacted. The authentication token...

CVSS 7.2 | AI score 7.5 | EPSS 0.00381
Exploits 0 | References 6

RedHat Linux
added 2022/11/15 10:31 a.m. | 4 views

grafana: Forward OAuth Identity Token can allow users to access some data sources

An information-disclosure flaw was found in grafana. When a data source has the Forward OAuth Identity feature enabled, sending a query to that data source with an API token and no other user credentials will forward the OAuth Identity of the most recently logged-in user. This flaw allows API tok...

CVSS 4.3 | AI score 7.1 | EPSS 0.00521
Exploits 0 | References 5

Hacker One
added 2022/11/08 11:12 a.m. | 173 views

AMBER AI: Support Portal Takeover via Leaked API KEY

Thanks @khizer47 for the report. An insecure Zendesk API token was hardcoded in a JS file, causing Support portals to lose control of administrator rights. We removed the dangerous token and controlled permissions by using a more secure OAuth token. An API key and associated email were hardcoded into a JS file...

AI score 0.4
Exploits 0

OSV
added 2022/09/22 12:00 a.m. | 19 views

GHSA-FMQ9-R4P2-8272 API token stored in plain text by Jenkins CONS3RT Plugin

Jenkins CONS3RT Plugin 1.0.0 and earlier stores the Cons3rt API token unencrypted in job config.xml files on the Jenkins controller as part of its configuration. This API token can be viewed by users with access to the Jenkins controller file system...

CVSS 3.3 | AI score 6.6 | EPSS 0.00349
Exploits 0 | References 4