Lucene search
+L

108 matches found

NVD
NVD
added 2026/07/07 10:16 p.m.7 views

CVE-2026-45796

Coder allows organizations to provision remote development environments via Terraform. Versions prior tp 2.24.5, 2.29.13, 2.30.8, 2.31.12, 2.32.2, and 2.33.3 are vulnerable to unauthenticated semi-blind Server-Side Request Forgery SSRF via the Azure instance identity endpoint POST...

6.5CVSS0.00335EPSS
Exploits0References9
NVD
NVD
added 2026/07/07 10:16 p.m.6 views

CVE-2026-46354

Coder allows organizations to provision remote development environments via Terraform. In versions prior tp 2.24.5, 2.29.13, 2.30.8, 2.31.12, 2.32.2, and 2.33.3, azureidentity.Validate verifies that the PKCS7 signer certificate chains to a trusted Azure CA but never verifies the PKCS7 signature...

9.1CVSS0.0026EPSS
Exploits0References8
Cvelist
Cvelist
added 2026/07/07 9:10 p.m.25 views

CVE-2026-46354 Coder: PKCS#7 signature bypass in Azure instance identity allows unauthenticated agent token theft

Coder allows organizations to provision remote development environments via Terraform. In versions prior tp 2.24.5, 2.29.13, 2.30.8, 2.31.12, 2.32.2, and 2.33.3, azureidentity.Validate verifies that the PKCS7 signer certificate chains to a trusted Azure CA but never verifies the PKCS7 signature...

9.1CVSS0.0026EPSS
Exploits0References8
CVE
CVE
added 2026/07/07 9:10 p.m.42 views

CVE-2026-46354

Summary: A PKCS#7 signature bypass in Coder (Coder v2 before patches) allows unauthenticated token theft via Azure instance identity. The issue stems from azureidentity.Validate() validating only the signer certificate chain, not the signature itself, enabling forged PKCS#7 envelopes containing a...

9.1CVSS6.1AI score0.0026EPSS
Exploits0References8Affected Software1
Cvelist
Cvelist
added 2026/07/07 9:3 p.m.23 views

CVE-2026-45796 Coder vulnerable to unauthenticated SSRF via Azure Instance Identity Endpoint

Coder allows organizations to provision remote development environments via Terraform. Versions prior tp 2.24.5, 2.29.13, 2.30.8, 2.31.12, 2.32.2, and 2.33.3 are vulnerable to unauthenticated semi-blind Server-Side Request Forgery SSRF via the Azure instance identity endpoint POST...

6.5CVSS0.00335EPSS
Exploits0References9
ATTACKERKB
ATTACKERKB
added 2026/07/07 9:3 p.m.7 views

CVE-2026-45796

Coder allows organizations to provision remote development environments via Terraform. Versions prior tp 2.24.5, 2.29.13, 2.30.8, 2.31.12, 2.32.2, and 2.33.3 are vulnerable to unauthenticated semi-blind Server-Side Request Forgery SSRF via the Azure instance identity endpoint POST...

6.5CVSS6.1AI score0.00335EPSS
Exploits0References10Affected Software1
OSV
OSV
added 2026/07/07 9:3 p.m.6 views

CVE-2026-45796 Coder vulnerable to unauthenticated SSRF via Azure Instance Identity Endpoint

Coder allows organizations to provision remote development environments via Terraform. Versions prior tp 2.24.5, 2.29.13, 2.30.8, 2.31.12, 2.32.2, and 2.33.3 are vulnerable to unauthenticated semi-blind Server-Side Request Forgery SSRF via the Azure instance identity endpoint POST...

6.5CVSS6.1AI score0.00335EPSS
Exploits0References11
OSV
OSV
added 2026/07/07 2:34 p.m.4 views

PYSEC-2026-1209 Azure Identity Libraries and Microsoft Authentication Library Elevation of Privilege Vulnerability

Azure Identity Libraries and Microsoft Authentication Library Elevation of Privilege Vulnerability...

6.8CVSS5.9AI score0.00788EPSS
Exploits0References10
Snyk
Snyk
added 2026/06/25 6:43 p.m.5 views

Improper Verification of Cryptographic Signature

Overview Affected versions of this package are vulnerable to Improper Verification of Cryptographic Signature in the PKCS7 signature verification process for Azure instance identity. An attacker can obtain agent tokens without authentication by bypassing signature validation. Remediation There is...

9.3CVSS5.8AI score0.0026EPSS
Exploits0References3
Snyk
Snyk
added 2026/06/25 6:43 p.m.4 views

Improper Verification of Cryptographic Signature

Overview Affected versions of this package are vulnerable to Improper Verification of Cryptographic Signature in the PKCS7 signature verification process for Azure instance identity. An attacker can obtain agent tokens without authentication by bypassing signature validation. Remediation Upgrade...

9.3CVSS5.8AI score0.0026EPSS
Exploits0References3
Snyk
Snyk
added 2026/06/25 6:43 p.m.5 views

Improper Verification of Cryptographic Signature

Overview Affected versions of this package are vulnerable to Improper Verification of Cryptographic Signature in the PKCS7 signature verification process for Azure instance identity. An attacker can obtain agent tokens without authentication by bypassing signature validation. Remediation Upgrade...

9.3CVSS5.8AI score0.0026EPSS
Exploits0References3
Snyk
Snyk
added 2026/06/25 6:43 p.m.5 views

Improper Verification of Cryptographic Signature

Overview Affected versions of this package are vulnerable to Improper Verification of Cryptographic Signature in the PKCS7 signature verification process for Azure instance identity. An attacker can obtain agent tokens without authentication by bypassing signature validation. Remediation There is...

9.3CVSS5.8AI score0.0026EPSS
Exploits0References3
Snyk
Snyk
added 2026/06/25 6:26 p.m.5 views

Server-side Request Forgery (SSRF)

Overview Affected versions of this package are vulnerable to Server-side Request Forgery SSRF via the Azure Instance Identity Endpoint process. An attacker can access internal resources or sensitive information by sending crafted requests to the affected endpoint without authentication. Remediati...

6.9CVSS5.8AI score0.00335EPSS
Exploits0References3
Snyk
Snyk
added 2026/06/25 6:26 p.m.4 views

Server-side Request Forgery (SSRF)

Overview Affected versions of this package are vulnerable to Server-side Request Forgery SSRF via the Azure Instance Identity Endpoint process. An attacker can access internal resources or sensitive information by sending crafted requests to the affected endpoint without authentication. Remediati...

6.9CVSS5.8AI score0.00335EPSS
Exploits0References3
Snyk
Snyk
added 2026/06/25 6:26 p.m.5 views

Server-side Request Forgery (SSRF)

Overview Affected versions of this package are vulnerable to Server-side Request Forgery SSRF via the Azure Instance Identity Endpoint process. An attacker can access internal resources or sensitive information by sending crafted requests to the affected endpoint without authentication. Remediati...

6.9CVSS5.8AI score0.00335EPSS
Exploits0References3
OSV
OSV
added 2026/06/25 6:26 p.m.3 views

GO-2026-5169 Coder: Unauthenticated SSRF via Azure Instance Identity Endpoint in github.com/coder/coder

Coder: Unauthenticated SSRF via Azure Instance Identity Endpoint in github.com/coder/coder...

6.5CVSS5.8AI score0.00335EPSS
Exploits0References9
OSV
OSV
added 2026/06/25 4:7 p.m.5 views

CVE-2026-55412 ToolJet Cloud - SSRF to Azure Cloud Infrastructure Compromise

ToolJet is the open-source foundation am AI-native platform for building and deploying internal tools, workflows and AI agents. Prior to 3.20.178-lts, there's an SSRF in the RestAPI data source component. The RestAPI data source executes HTTP requests server-side, and its private IP filter only...

8.3CVSS6AI score0.00193EPSS
Exploits0References3
Tenable Nessus
Tenable Nessus
added 2026/06/10 12:0 a.m.8 views

openSUSE 15: azure-cli / azure-cli-core / azure-cli-telemetry / python311-anyio / etc (SUSE-SU-SUSE-RU-2026:2237-2)

"The remote openSUSE 15 host has packages installed that are affected by multiple vulnerabilities as referenced in the SUSE-SU-SUSE-RU-2026:2237-2 advisory. Changes in azure-cli-core: - Drop CVE-2025-24049 patch, fixed upstream - New upstream release - Version 2.82.0 - For detailed information...

8.4CVSS6.7AI score0.00788EPSS
Exploits0References14
NVD
NVD
added 2026/05/22 11:16 p.m.19 views

CVE-2026-35430

Authorization bypass through user-controlled key in Azure Privileged Identity Management PIM allows an authorized attacker to elevate privileges over a network...

8.8CVSS0.00426EPSS
Exploits0References1
OSV
OSV
added 2026/05/19 7:53 p.m.4 views

GHSA-686C-7VGV-V3FX Coder: Unauthenticated SSRF via Azure Instance Identity Endpoint

Summary Unauthenticated semi-blind Server-Side Request Forgery SSRF via the Azure instance identity endpoint POST /api/v2/workspaceagents/azure-instance-identity. An external attacker can force the Coder server to issue HTTP GET requests to arbitrary internal or external hosts by submitting a...

6.5CVSS6.1AI score0.00335EPSS
Exploits0References10
Rows per page
Query Builder