Lucene search
K

186 matches found

OSV
OSV
added 2025/02/26 6:35 p.m.4 views

DRUPAL-CONTRIB-2025-020

Provides OAuth2 server functionality based on the oauth2-server-php library. The module does not consistently enforce admin configurations allowing users on a disabled server to still authenticate...

9.8CVSS6.8AI score0.00401EPSS
Exploits0References1
Spring Security Advisories
Spring Security Advisories
added 2025/02/25 12:0 a.m.10 views

This Week in Spring - February 25th, 2025

Hi, Spring fans, and welcome to another rip-roarin' installment of This Week in Spring! Later today I'll board a plane for magnificent Montreal, Canada for the amazing Confoo conference! I'm super excited! Good news everybody! Spring Boot 3.5.0-M2 is now available! In last week's installment of t...

7.2AI score
Exploits0
IBM Security Bulletins
IBM Security Bulletins
added 2025/02/03 11:4 p.m.60 views

Security Bulletin: IBM Cloud Pak for Network Automation 2.7.5 addresses multiple security vulnerabilities.

Summary IBM Cloud Pak for Network Automation 2.7.5 addresses multiple security vulnerabilities. Vulnerability Details CVEID:CVE-2024-32879 DESCRIPTION: Python Social Auth Django could allow a remote authenticated attacker to bypass security restrictions, caused by improper handling of case...

8.2CVSS9.2AI score0.8496EPSS
Exploits3Affected Software1
Spring Security Advisories
Spring Security Advisories
added 2024/11/26 12:0 a.m.10 views

This Week in Spring - November 26th, 2024

This Week in Spring - November 26th, 2024 Hi, Spring fans! Welcome to another installment of This Week in Spring! Happy Spring Boot 3.4 release month to those who celebrate! And, also, Happy Thanksgiving to those who celebrate! Spring Boot 3.4 brings with it long-anticipated updates to the entire...

7.1AI score
Exploits0
Spring Security Advisories
Spring Security Advisories
added 2024/10/29 12:0 a.m.15 views

This Week in Spring - October 29th, 2024

Hi, Spring fans! How're things? It's almost Halloween! I'm so excited! I'm going as a PHP program. Boooooooo...t. I'm writing this from the amazing Vaadin Create conference in Frankfurt, Germany, about to do my keynote for an amazing, Spring-loving audience here. So, without further ado, let's di...

7.1AI score
Exploits0
Spring Security Advisories
Spring Security Advisories
added 2024/10/28 12:0 a.m.33 views

RestClient Support for OAuth2 in Spring Security 6.4

In Spring Security 6.2 and 6.3, we have worked to steadily improve configuration for applications using OAuth2 Client. Configuration for common use cases has been simplified by allowing applications to publish beans which are automatically included in the overall OAuth2 Client configuration durin...

6.7AI score
Exploits0
vulnersOsv
vulnersOsv
added 2024/10/18 6:30 a.m.17 views

ColumnPack:ColumnPack-plugin (=1.0.3), CustomHistory:CustomHistory (>=1.1 <=1.3) +37176 more potentially affected by CVE-2024-38820 via org.springframework:spring-web (>=1.2.1 <=5.3.4)

org.springframework:spring-web MAVEN version =1.2.1, =1.1, =0.0.1, =1.1.0, =1.1.0, =1.1.0, =1.1.0, =1.1.0, =1.1.0, =1.1.0, =1.1.0, =1.1.0, =1.1.0, =1.1.0, =1.2.0 and more Source cves: CVE-2024-38820 Source advisory: OSV:GHSA-4GC7-5J7H-4QPH...

5.3CVSS6.6AI score0.00631EPSS
Exploits1
Spring Security Advisories
Spring Security Advisories
added 2024/06/25 12:0 a.m.35 views

This Week in Spring - June 25th, 2024

Hi, Spring fans! Welcome to another installment of This Week in Spring! As I write this I'm in beautiful Amsterdam, having visited with customers and spoken at a local Java User Group. Now I'm off to lovely London, UK. Last week I was in Krakow, Poland, for the amazing Devoxx PL event, and in Par...

7.1AI score
Exploits0
Github Security Blog
Github Security Blog
added 2024/06/10 6:36 p.m.35 views

Keycloak exposes sensitive information in Pushed Authorization Requests (PAR)

A flaw was found in Keycloak in the OAuth 2.0 Pushed Authorization Requests PAR. Client provided parameters were found to be included in plain text in the KCRESTART cookie returned by the authorization server's HTTP response to a requesturi authorization request. This could lead to an information...

7.5CVSS6.6AI score0.00551EPSS
Exploits0References15Affected Software1
Veracode
Veracode
added 2024/06/06 6:38 a.m.17 views

Sensitive Information Disclosure

keycloak-services is vulnerable to Sensitive Information Disclosure. The vulnerability is due to client-provided parameters included in plain text within the KCRESTART cookie returned by the authorization server's HTTP response to a requesturi authorization request...

7.5CVSS6.5AI score0.00551EPSS
Exploits0References12Affected Software1
Spring Security Advisories
Spring Security Advisories
added 2024/04/24 12:0 a.m.11 views

This Week in Spring - Tuesday, April 23rd, 2024

Hi, Spring fans! Welcome to another installment of This Week in Spring! We've had a really busy, wonderful week, as always, so let's dive right into it! We want you! ...to submit a talk to SpringOne 2024, in sunny Las Vegas! Hurry, the CFP closes May 3rd! Spring Shell 3.1.11, 3.2.4, and 3.3.0-m1...

7.1AI score
Exploits0
vulnersOsv
vulnersOsv
added 2024/03/20 3:32 p.m.7 views

cn.com.tltim.pigx:pigx-common-security (=5.0.0-20240820), cn.com.tltim.pigx:pigx-common-websocket (=5.0.0-20240820) +46 more potentially affected by CVE-2024-22258 via org.springframework.security:spring-security-oauth2-authorization-server (>=0.2.0 <=1.1.5)

org.springframework.security:spring-security-oauth2-authorization-server MAVEN version =0.2.0, =0.0.1-alpha.1, =3.1.5.2, =2.7.7.3, =2.7.7.4, =2.7.0.0, =2.7.0.0, =2.7.1.2, =2.7.0.0, =3.0.6.4, =2023.0.0.2-alpha.1, =2023.0.0.2-alpha.2 - com.github.paganini2008.doodler:doodler-common-oauth =1.0.0-bet...

6.1CVSS6.3AI score0.00522EPSS
Exploits0
OSV
OSV
added 2024/03/20 3:32 p.m.3 views

GHSA-X637-X8P3-5P22 Improper Authentication in Spring Authorization Server

Spring Authorization Server versions 1.0.0 - 1.0.5, 1.1.0 - 1.1.5, 1.2.0 - 1.2.2 and older unsupported versions are susceptible to a PKCE Downgrade Attack for Confidential Clients. Specifically, an application is vulnerable when a Confidential Client uses PKCE for the Authorization Code Grant. An...

6.1CVSS5.9AI score0.00522EPSS
Exploits0References4
Github Security Blog
Github Security Blog
added 2024/03/20 3:32 p.m.32 views

Improper Authentication in Spring Authorization Server

Spring Authorization Server versions 1.0.0 - 1.0.5, 1.1.0 - 1.1.5, 1.2.0 - 1.2.2 and older unsupported versions are susceptible to a PKCE Downgrade Attack for Confidential Clients. Specifically, an application is vulnerable when a Confidential Client uses PKCE for the Authorization Code Grant. An...

6.1CVSS7.2AI score0.00522EPSS
Exploits0References4Affected Software1
NVD
NVD
added 2024/03/20 4:15 a.m.32 views

CVE-2024-22258

Spring Authorization Server versions 1.0.0 - 1.0.5, 1.1.0 - 1.1.5, 1.2.0 - 1.2.2 and older unsupported versions are susceptible to a PKCE Downgrade Attack for Confidential Clients. Specifically, an application is vulnerable when a Confidential Client uses PKCE for the Authorization Code Grant. An...

6.1CVSS6.3AI score0.00522EPSS
Exploits0References1
UbuntuCve
UbuntuCve
added 2024/03/20 4:15 a.m.30 views

CVE-2024-22258

Spring Authorization Server versions 1.0.0 - 1.0.5, 1.1.0 - 1.1.5, 1.2.0 - 1.2.2 and older unsupported versions are susceptible to a PKCE Downgrade Attack for Confidential Clients. Specifically, an application is vulnerable when a Confidential Client uses PKCE for the Authorization Code Grant. An...

6.1CVSS6.4AI score0.00522EPSS
Exploits0References2
OSV
OSV
added 2024/03/20 4:15 a.m.4 views

UBUNTU-CVE-2024-22258

Spring Authorization Server versions 1.0.0 - 1.0.5, 1.1.0 - 1.1.5, 1.2.0 - 1.2.2 and older unsupported versions are susceptible to a PKCE Downgrade Attack for Confidential Clients. Specifically, an application is vulnerable when a Confidential Client uses PKCE for the Authorization Code Grant. An...

6.1CVSS5.8AI score0.00522EPSS
Exploits0References3
Vulnrichment
Vulnrichment
added 2024/03/20 3:58 a.m.20 views

CVE-2024-22258 CVE-2024-22258: PKCE Downgrade in Spring Authorization Server

Spring Authorization Server versions 1.0.0 - 1.0.5, 1.1.0 - 1.1.5, 1.2.0 - 1.2.2 and older unsupported versions are susceptible to a PKCE Downgrade Attack for Confidential Clients. Specifically, an application is vulnerable when a Confidential Client uses PKCE for the Authorization Code Grant. An...

6.1CVSS6.9AI score0.00522EPSS
Exploits0References1
Cvelist
Cvelist
added 2024/03/20 3:58 a.m.36 views

CVE-2024-22258 CVE-2024-22258: PKCE Downgrade in Spring Authorization Server

Spring Authorization Server versions 1.0.0 - 1.0.5, 1.1.0 - 1.1.5, 1.2.0 - 1.2.2 and older unsupported versions are susceptible to a PKCE Downgrade Attack for Confidential Clients. Specifically, an application is vulnerable when a Confidential Client uses PKCE for the Authorization Code Grant. An...

6.1CVSS6.5AI score0.00522EPSS
Exploits0References1
CVE
CVE
added 2024/03/20 3:58 a.m.75 views

CVE-2024-22258

CVE-2024-22258 affects Spring Authorization Server versions 1.0.0–1.0.5, 1.1.0–1.1.5, and 1.2.0–1.2.2 (and older unsupported) where confidential clients using PKCE with the Authorization Code Grant can be downgraded, potentially bypassing security restrictions. Public Clients using PKCE are not v...

6.1CVSS6.3AI score0.00522EPSS
Exploits0References1
Rows per page
Query Builder