
33 matches found

CVE
added 2024/10/28 7:44 p.m. · 83 views

CVE-2024-49755

Duende IdentityServer (ASP.NET Core) Local API authentication handler improperly validates the cnf claim in DPoP access tokens. This lets an attacker use leaked DPoP tokens at local API endpoints without the private key, affecting only endpoints explicitly using LocalApiAuthenticationHandler for ...

CVSS 3.1 · AI score 3.7 · EPSS 0.00139
Exploits 0 · References 2
Cvelist
added 2024/10/28 7:44 p.m. · 17 views

CVE-2024-49755 Duende IdentityServer has insufficient validation of DPoP cnf claim in Local APIs

Duende IdentityServer is an OpenID Connect and OAuth 2.x framework for ASP.NET Core. IdentityServer's local API authentication handler performs insufficient validation of the cnf claim in DPoP access tokens. This allows an attacker to use leaked DPoP access tokens at local API endpoints even...

CVSS 3.1 · EPSS 0.00139
Exploits 0 · References 2
OSV
added 2024/10/28 7:44 p.m. · 7 views

CVE-2024-49755 Duende IdentityServer has insufficient validation of DPoP cnf claim in Local APIs

Duende IdentityServer is an OpenID Connect and OAuth 2.x framework for ASP.NET Core. IdentityServer's local API authentication handler performs insufficient validation of the cnf claim in DPoP access tokens. This allows an attacker to use leaked DPoP access tokens at local API endpoints even...

CVSS 3.1 · AI score 6.6 · EPSS 0.00139
Exploits 0 · References 4
Github Security Blog
added 2024/10/28 7:44 p.m. · 12 views

Duende IdentityServer has insufficient validation of DPoP cnf claim in Local APIs

Impact: IdentityServer's local API authentication handler performs insufficient validation of the cnf claim in DPoP access tokens. This allows an attacker to use leaked DPoP access tokens at local API endpoints even without possessing the private key for signing proof tokens. Note that this only...

CVSS 3.1 · AI score 7.2 · EPSS 0.00139
Exploits 0 · References 4 · Affected Software 1
CNNVD
added 2024/10/02 12:00 a.m. · 1 view

Cisco AnyConnect VPN race condition vulnerability

Cisco AnyConnect VPN is a virtual private network (VPN) client from Cisco that supports remote users connecting to corporate networks via SSL VPN and IPsec VPN. Cisco AnyConnect VPN suffers from a race condition vulnerability that stems from a weak entropy value of the handler used in...

CVSS 5.9 · AI score 7 · EPSS 0.00261
Exploits 0 · References 4
CNNVD
added 2024/10/02 12:00 a.m. · 2 views

Cisco AnyConnect VPN resource management error vulnerability

Cisco AnyConnect VPN is a virtual private network (VPN) client from Cisco that supports remote users connecting to corporate networks via SSL VPN and IPsec VPN. Cisco AnyConnect VPN suffers from a resource management error vulnerability that stems from a weak entropy value of the handler used in th...

CVSS 7.5 · AI score 6.9 · EPSS 0.00348
Exploits 0 · References 4
CNNVD
added 2024/10/02 12:00 a.m. · 1 view

Cisco AnyConnect VPN security vulnerability

Cisco AnyConnect VPN is a virtual private network (VPN) client from Cisco that supports remote users connecting to corporate networks via SSL VPN and IPsec VPN. Cisco AnyConnect VPN suffers from a security vulnerability that stems from a weak entropy value of the handler used in the VPN...

CVSS 5.8 · AI score 6.9 · EPSS 0.00298
Exploits 0 · References 4
CNNVD
added 2024/10/02 12:00 a.m. · 1 view

Cisco AnyConnect VPN buffer error vulnerability

Cisco AnyConnect VPN is a virtual private network (VPN) client from Cisco that supports remote users connecting to corporate networks via SSL VPN and IPsec VPN. Cisco AnyConnect VPN suffers from a buffer error vulnerability that stems from a weak entropy value of the handler used in the VPN...

CVSS 8.6 · AI score 7.1 · EPSS 0.00466
Exploits 0 · References 4
Positive Technologies
added 2024/06/21 12:00 a.m. · 2 views

PT-2024-20201 · Autel · Autel Maxicharger Ac Elite Business C50

Name of the Vulnerable Software and Affected Versions: Autel MaxiCharger AC Elite Business C50 (affected versions not specified). Description: This issue allows network-adjacent attackers to bypass authentication on affected installations of Autel MaxiCharger AC Elite Business C50 charging stations...

CVSS 8.8 · AI score 7 · EPSS 0.00023
Exploits 0 · References 4
NVD
added 2023/05/12 2:15 p.m. · 12 views

CVE-2023-32081

Vert.x STOMP is a Vert.x implementation of the STOMP specification that provides a STOMP server and client. From versions 3.1.0 until 3.9.16 and 4.0.0 until 4.4.2, a Vert.x STOMP server processes client STOMP frames without checking that the client sent an initial CONNECT frame replied with a...

CVSS 6.5 · AI score 6.4 · EPSS 0.00353
Exploits 0 · References 2
RedHat Linux
added 2021/11/09 6:32 p.m. · 1 view

python: urllib: Regular expression DoS in AbstractBasicAuthHandler

There's a flaw in urllib's AbstractBasicAuthHandler class. An attacker who controls a malicious HTTP server that an HTTP client such as a web browser connects to could trigger a Regular Expression Denial of Service (ReDoS) during an authentication request with a specially crafted payload that is sen...

CVSS 6.5 · AI score 6.9 · EPSS 0.00629
Exploits 1 · References 8
RedHat Linux
added 2020/11/04 1:19 a.m. · 2 views

python: wrong backtracking in urllib.request.AbstractBasicAuthHandler allows for a ReDoS

An uncontrolled resource consumption vulnerability was discovered in Python in the class AbstractBasicAuthHandler, due to the kind of regular expression used while handling an authentication request in the http_error_auth_reqed method. Client applications that use, directly or indirectly,...

CVSS 7.1 · AI score 6.8 · EPSS 0.02954
Exploits 1 · References 4
RedHat Linux
added 2018/10/30 5:08 p.m. · 2 views

python-paramiko: Authentication bypass in auth_handler.py

Paramiko versions 2.4.1, 2.3.2, 2.2.3, 2.1.5, 2.0.8, 1.18.5 and 1.17.6 contain an Incorrect Access Control vulnerability in the SSH server that can result in RCE. This attack appears to be exploitable via network connectivity...

CVSS 8.8 · AI score 7.2 · EPSS 0.00905
Exploits 0 · References 4