86 matches found
Rancher 安全漏洞
Rancher is an open source container management platform from the US-based Rancher Open Source, built for organizations deploying containers in production environments. A security vulnerability exists in Rancher versions prior to 2.7.14 and prior to 2.8.5, which stems from a failure to automatical...
CVE-2024-7128 Openshift-console: unauthenticated data exposure
A flaw was found in the OpenShift console. Several endpoints in the application use the authHandler and authHandlerWithUser middleware functions. When the default authentication provider "openShiftAuth" is set, these functions do not perform any authentication checks, relying instead on the...
GO-2024-2931 Rancher does not automatically clean up a user deleted or disabled from the configured Authentication Provider in github.com/rancher/rancher
Rancher does not automatically clean up a user deleted or disabled from the configured Authentication Provider in github.com/rancher/rancher. NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions. If this is...
SUSE CVE-2023-22650
A vulnerability has been identified in which Rancher does not automatically clean up a user which has been deleted from the configured authentication provider AP. This characteristic also applies to disabled or revoked users, Rancher will not reflect these modifications which may leave the user's...
GHSA-9GHH-MMCQ-8PHC Rancher does not automatically clean up a user deleted or disabled from the configured Authentication Provider
Impact A vulnerability has been identified in which Rancher does not automatically clean up a user which has been deleted from the configured authentication provider AP. This characteristic also applies to disabled or revoked users, Rancher will not reflect these modifications which may leave the...
Rancher does not automatically clean up a user deleted or disabled from the configured Authentication Provider
Impact A vulnerability has been identified in which Rancher does not automatically clean up a user which has been deleted from the configured authentication provider AP. This characteristic also applies to disabled or revoked users, Rancher will not reflect these modifications which may leave the...
PT-2024-11972
Name of the Vulnerable Software and Affected Versions Rancher versions prior to 2.7.14 Rancher versions prior to 2.8.5 Description A vulnerability has been identified in which Rancher does not automatically clean up a user which has been deleted from the configured authentication provider. This...
Security Bulletin: Due to use of Apache Pulsar, IBM Tivoli Netcool/OMNIbus Transport Module Common Integration Library is vulnerable to security restrictions bypass
Summary Pulsar is used by IBM Tivoli Netcool/OMNIbus Transport Module Common Integration Library. CVE-2023-51437 The below vulnerability have been addressed. Vulnerability Details CVEID:CVE-2023-51437 DESCRIPTION: Apache Pulsar could allow a remote attacker to bypass security restrictions, caused...
Design/Logic Flaw
Mastodon is a free, open-source social network server based on ActivityPub. Mastodon allows new identities from configured authentication providers CAS, SAML, OIDC to attach to existing local users with the same e-mail address. This results in a possible account takeover if the authentication...
Apache Pulsar SASL Authentication Provider observable timing discrepancy vulnerability
Observable timing discrepancy vulnerability in Apache Pulsar SASL Authentication Provider can allow an attacker to forge a SASL Role Token that will pass signature verification. Users are recommended to upgrade to version 2.11.3, 3.0.2, or 3.1.1 which fixes the issue. Users should also consider...
CVE-2023-40171 Dispatch writes JWT tokens in error message
Dispatch is an open source security incident management tool. The server response includes the JWT Secret Key used for signing JWT tokens in error message when the Dispatch Plugin - Basic Authentication Provider plugin encounters an error when attempting to decode a JWT token. Any Dispatch users...
Session Fixation
github.com/rancher/rancher is vulnerable to Session Fixation. The vulnerability exists because the library does not properly revoke the generated token after modification is made to the authentication provider, allowing an attacker to retain access to Rancher and the kubectl cluster...
CVE-2022-23505
Passport-wsfed-saml2 is a ws-federation protocol and SAML2 tokens authentication provider for Passport. In versions prior to 4.6.3, a remote attacker may be able to bypass WSFed authentication on a website using passport-wsfed-saml2. A successful attack requires that the attacker is in possession...
CVE-2022-39299
Passport-SAML is a SAML 2.0 authentication provider for Passport, the Node.js authentication library. A remote attacker may be able to bypass SAML authentication on a website using passport-saml. A successful attack requires that the attacker is in possession of an arbitrary IDP signed XML elemen...
Dotnetnuke 6.0.x < 9.11.0 Multiple Vulnerabilities (09.11.00)
According to its self-reported version, the instance of Dotnetnuke running on the remote web server is 6.0.x prior to 9.11.0. It is, therefore, affected by multiple vulnerabilities. - A third-party dependency, Moment.js, published security updates to their library. Fixes for the Issue DNN Platfor...
CVE-2022-37146
The PlexTrac platform prior to version 1.28.0 allows for username enumeration via HTTP response times on invalid login attempts for users configured to use the PlexTrac authentication provider. Login attempts for valid, unlocked users configured to use PlexTrac as their authentication provider ta...
CVE-2022-37145
The PlexTrac platform prior to version 1.17.0 does not restrict excessive authentication attempts for accounts configured to use the PlexTrac authentication provider. An unauthenticated remote attacker could perform a bruteforce attack on the login page with no time or attempt limitation in an...
CVE-2022-37146
The PlexTrac platform prior to version 1.28.0 allows for username enumeration via HTTP response times on invalid login attempts for users configured to use the PlexTrac authentication provider. Login attempts for valid, unlocked users configured to use PlexTrac as their authentication provider ta...
Authentication flaw
The PlexTrac platform prior to version 1.28.0 allows for username enumeration via HTTP response times on invalid login attempts for users configured to use the PlexTrac authentication provider. Login attempts for valid, unlocked users configured to use PlexTrac as their authentication provider ta...
CVE-2022-37146
The PlexTrac platform prior to version 1.28.0 allows for username enumeration via HTTP response times on invalid login attempts for users configured to use the PlexTrac authentication provider. Login attempts for valid, unlocked users configured to use PlexTrac as their authentication provider ta...