
295 matches found

CNNVD
added 2024/12/09 12:0 a.m. · 3 views

OIDC-Client data forgery vulnerability

OIDC-Client is an IdentityModel open source library that provides OpenID Connect OIDC and OAuth2 protocol support for client-side, browser-based JavaScript client applications. OIDC-Client suffers from a data forgery issue vulnerability that stems from an authorization code injection attack that...

CVSS 4.2 · AI score 5.2 · EPSS 0.00121
Exploits 0 · References 4
RedHat Linux
added 2024/09/19 5:2 p.m. · 2 views

Keycloak: Vulnerable Redirect URI Validation Results in Open Redirec

A misconfiguration flaw was found in Keycloak. This issue can allow an attacker to redirect users to an arbitrary URL if a 'Valid Redirect URI' is set to http://localhost or http://127.0.0.1, enabling sensitive information such as authorization codes to be exposed to the attacker, potentially...

CVSS 6.1 · AI score 5.8 · EPSS 0.06592
Exploits 0 · References 5
Positive Technologies
added 2024/08/19 12:0 a.m. · 4 views

PT-2024-37678 · Red Hat · Openshift Console

Name of the Vulnerable Software and Affected Versions: Openshift Console affected versions not specified Description: An insufficient entropy vulnerability was found in the Openshift Console, affecting the authorization code type and implicit grant type of the OAuth2 protocol. This vulnerability...

CVSS 8 · AI score 7.9 · EPSS 0.00987
Exploits 0 · References 22
CNNVD
added 2024/08/19 12:0 a.m. · 1 view

Red Hat OpenShift security feature issue vulnerability

Red Hat OpenShift is a Platform-as-a-Service PaaS cloud computing platform from Red Hat, Inc. that supports building, testing, deploying, and running applications. A security vulnerability exists in Red Hat OpenShift that stems from the OAuth2 protocol being vulnerable to cross-site request forge...

CVSS 8 · AI score 7.7 · EPSS 0.00987
Exploits 0 · References 3
CVE
added 2024/08/15 6:48 p.m. · 80 views

CVE-2024-42476

CVE-2024-42476 affects the Nim OAuth library prior to v0.11. The Authorization Code and Implicit flows rely on the state parameter to prevent CSRF, but when compiled with certain flags the state check can be bypassed. Version 0.11 fixes this by using a proper state validation (regular if or doAss...

CVSS 6.5 · AI score 6.8 · EPSS 0.00146
Exploits 0 · References 3
OSV
added 2024/08/15 6:48 p.m. · 2 views

CVE-2024-42476 oauth CSRF vulnerability

In the OAuth library for nim prior to version 0.11, the Authorization Code grant and Implicit grant both rely on the state parameter to prevent cross-site request forgery CSRF attacks where a resource owner might have their session associated with protected resources belonging to an attacker. Whe...

CVSS 6.5 · AI score 7 · EPSS 0.00146
Exploits 0 · References 5
Cvelist
added 2024/08/15 6:48 p.m. · 23 views

CVE-2024-42476 oauth CSRF vulnerability

In the OAuth library for nim prior to version 0.11, the Authorization Code grant and Implicit grant both rely on the state parameter to prevent cross-site request forgery CSRF attacks where a resource owner might have their session associated with protected resources belonging to an attacker. Whe...

CVSS 6.5 · EPSS 0.00146
Exploits 0 · References 3
OSV
added 2024/07/25 7:5 p.m. · 5 views

CGA-WQHG-2WFV-8VVJ

Bulletin has no description...

CVSS 5.9 · AI score 7 · EPSS 0.00602
Exploits 0
OSV
added 2024/07/22 3:15 p.m. · 1 view

CVE-2024-41829

In JetBrains TeamCity before 2024.07 an OAuth code for JetBrains Space could be stolen via Space Application connection...

CVSS 7.5 · AI score 5.8
Exploits 0 · References 1
Positive Technologies
added 2024/07/22 12:0 a.m. · 2 views

PT-2024-5490 · Jetbrains · Jetbrains Teamcity +1

Name of the Vulnerable Software and Affected Versions: JetBrains TeamCity versions prior to 2024.07 Description: The issue is related to a configuration vulnerability in the JetBrains Space module Project Settings | Connections of the CI/CD system JetBrains TeamCity, which is connected to...

CVSS 7.5 · AI score 7.8 · EPSS 0.00004
Exploits 0 · References 8
OSV
added 2024/07/15 10:3 p.m. · 14 views

CGA-PGRH-PV8W-CJ8F

Bulletin has no description...

CVSS 9.8 · AI score 8.4 · EPSS 0.00172
Exploits 0
OSV
added 2024/06/06 12:29 p.m. · 10 views

CGA-RXPC-574C-J7QR

Bulletin has no description...

CVSS 6.4 · AI score 7.2 · EPSS 0.03204
Exploits 1
OSV
added 2024/06/06 12:28 p.m. · 18 views

CGA-M4G5-X99X-9W2M

Bulletin has no description...

CVSS 8.8 · AI score 8.6 · EPSS 0.01307
Exploits 1
OSV
added 2024/06/06 12:27 p.m. · 21 views

CGA-FP2F-QGGV-8C3M

Bulletin has no description...

CVSS 7.5 · AI score 8 · EPSS 0.00226
Exploits 0
OSV
added 2024/06/06 12:25 p.m. · 8 views

CGA-CCCJ-2882-734J

Bulletin has no description...

CVSS 5.9 · AI score 6.6 · EPSS 0.00602
Exploits 0
OSV
added 2024/06/06 12:25 p.m. · 8 views

CGA-CJW9-FM8G-R5GX

Bulletin has no description...

CVSS 7.5 · AI score 7.1 · EPSS 0.00533
Exploits 0
Tenable Nessus
added 2024/05/17 12:0 a.m. · 19 views

GitLab 12.3 < 12.9.8 / 12.10 < 12.10.7 / 13.0 < 13.0.1 (CVE-2020-13272)

The version of GitLab installed on the remote host is affected by a vulnerability, as follows: - OAuth flow missing verification checks CE/EE 12.3 and later through 13.0.1 allows unverified user to use OAuth authorization code flow CVE-2020-13272 Note that Nessus has not tested for this issue but...

CVSS 8.8 · AI score 8 · EPSS 0.00126
Exploits 0 · References 4
Veracode
added 2024/03/21 7:9 a.m. · 22 views

PKCE Downgrade Attack

spring-security-oauth2-authorization-server is vulnerable to PKCE Downgrade. The vulnerability is due to improper handling of PKCE authorization when a Confidential Client requests an Authorization Code Grant. Note that this vulnerability only applies to Confidential Clients, Public Clients are...

CVSS 6.1 · AI score 6.9 · EPSS 0.00093
Exploits 0 · References 3 · Affected Software 1
OSV
added 2024/03/20 3:32 p.m. · 0 views

GHSA-X637-X8P3-5P22 Improper Authentication in Spring Authorization Server

Spring Authorization Server versions 1.0.0 - 1.0.5, 1.1.0 - 1.1.5, 1.2.0 - 1.2.2 and older unsupported versions are susceptible to a PKCE Downgrade Attack for Confidential Clients. Specifically, an application is vulnerable when a Confidential Client uses PKCE for the Authorization Code Grant. An...

CVSS 6.1 · AI score 5.9 · EPSS 0.00093
Exploits 0 · References 4
NVD
added 2024/03/20 4:15 a.m. · 13 views

CVE-2024-22258

Spring Authorization Server versions 1.0.0 - 1.0.5, 1.1.0 - 1.1.5, 1.2.0 - 1.2.2 and older unsupported versions are susceptible to a PKCE Downgrade Attack for Confidential Clients. Specifically, an application is vulnerable when a Confidential Client uses PKCE for the Authorization Code Grant. An...

CVSS 6.1 · AI score 6.3 · EPSS 0.00093
Exploits 0 · References 1