Owl Labs Meeting Owl 授权问题漏洞

Owl Labs Meeting Owl is a video conferencing device from Owl Labs, Inc. Equipped with an array of cameras and microphones, it captures 360-degree video and audio and automatically focuses on the speaker, making meetings more dynamic and inclusive.Owl Labs Meeting Owl version 5.2.0.15 is vulnerabl...

User Impersonation

Overview std/crypto/tls is a Go standard library package std/crypto/tls Affected versions of this package are vulnerable to User Impersonation. Go Vulnerability Report: in the crypto/tls process when SessionTicketsDisabled is enabled. An attacker can impersonate clients by spoofing client...

GO-2021-0154 Man-in-the-middle attack with SessionTicketsDisabled in crypto/tls

When SessionTicketsDisabled is enabled, crypto/tls allowed man-in-the-middle attackers to spoof clients via unspecified vectors. If the server enables TLS client authentication using certificates this is rare and explicitly sets SessionTicketsDisabled to true in the tls.Config, then a malicious...

Smack allows the bypass of TLS protections

Race condition in the XMPP library in Smack before 4.1.9, when the SecurityMode.required TLS setting has been set, allows man-in-the-middle attackers to bypass TLS protections and trigger use of cleartext for client authentication by stripping the "starttls" feature from a server response...

cockpit: authenticates with revoked certificates

A flaw was found in Cockpit in the way it handles the certificate verification performed by the System Security Services Daemon SSSD. This flaw allows client certificates to authenticate successfully, regardless of the Certificate Revocation List CRL configuration or the certificate status. The...

wolfSSL 信任管理问题漏洞

Wolfssl CyaSSL is a small, portable embedded SSL programming library for use by embedded systems developers from Wolfssl, Inc. in the United States. A security vulnerability exists in wolfSSL versions prior to 5.2.0, which stems from an application attempting to authenticate a TLS 1.3 client to a...

PT-2022-15012 · Envoy · Envoy

Name of the Vulnerable Software and Affected Versions: Envoy affected versions not specified Description: The issue concerns Envoy, an open source edge and service proxy designed for cloud-native applications. In affected versions, Envoy does not restrict the set of certificates it accepts from t...

Mageia: Security Advisory (MGASA-2016-0207)

The remote host is missing an update for the SPDX-FileCopyrightText: 2022 Greenbone AG Some text descriptions might be excerpted from a referenced sources, and are Copyright C by the respective right holders. SPDX-License-Identifier: GPL-2.0-only ifdescription...

Security update for barrier (moderate)

openSUSE Security Update: Security update for barrier Announcement ID: openSUSE-SU-2021:1595-1 Rating: moderate References: Cross-References: CVE-2021-42072 CVE-2021-42073 Affected Products: openSUSE Backports SLE-15-SP3 An update that fixes two vulnerabilities is now available. Description: This...

Authentication flaw

Grafana Agent is a telemetry collector for sending metrics, logs, and trace data to the opinionated Grafana observability stack. Prior to versions 0.20.1 and 0.21.2, inline secrets defined within a metrics instance config are exposed in plaintext over two endpoints: metrics instance configs defin...

CVE-2021-41090 Instance config inline secret exposure

Grafana Agent is a telemetry collector for sending metrics, logs, and trace data to the opinionated Grafana observability stack. Prior to versions 0.20.1 and 0.21.2, inline secrets defined within a metrics instance config are exposed in plaintext over two endpoints: metrics instance configs defin...

The vulnerability of component tftpserver.c in the client authentication library libssh, related to pointer dereferencing errors, allows a perpetrator to cause a service failure.

The vulnerability of the tftpserver.c component in the client authentication library libssh is related to pointer dereferencing errors. Exploiting this vulnerability could allow a malicious actor to cause service failures remotely...

OpenSSL Multiple Vulnerabilities (20150108 - 2) - Windows

OpenSSL is prone to multiple vulnerabilities. Copyright C 2021 Greenbone Networks GmbH Some text descriptions might be excerpted from a referenced sources, and are Copyright C by the respective right holders. SPDX-License-Identifier: GPL-2.0-or-later This program is free software; you can...

OpenSSL Multiple Vulnerabilities (20150108 - 2) - Linux

OpenSSL is prone to multiple vulnerabilities. Copyright C 2021 Greenbone Networks GmbH Some text descriptions might be excerpted from a referenced sources, and are Copyright C by the respective right holders. SPDX-License-Identifier: GPL-2.0-or-later This program is free software; you can...

Authentication Bypass in hydra

Impact When using client authentication method "privatekeyjwt" 1, OpenId specification says the following about assertion jti: A unique identifier for the token, which can be used to prevent reuse of the token. These tokens MUST only be used once, unless conditions for reuse were negotiated betwe...

Insecure Session Management

github.com/ory/fosite uses insecure session management. The vulnerability exists as it fails to validate the uniqueness of this jti value in privatekeyjwt client authentication method, allowing an attacker to send the same token request twice with the same jti assertion to get two access tokens...

GHSA-V3Q9-2P3M-7G43 Token reuse in Ory fosite

Impact When using client authentication method "privatekeyjwt" 1https://openid.net/specs/openid-connect-core-10.htmlClientAuthentication, OpenId specification says the following about assertion jti: A unique identifier for the token, which can be used to prevent reuse of the token. These tokens...

Token reuse in Ory fosite

Impact When using client authentication method "privatekeyjwt" 1https://openid.net/specs/openid-connect-core-10.htmlClientAuthentication, OpenId specification says the following about assertion jti: A unique identifier for the token, which can be used to prevent reuse of the token. These tokens...

ABB Symphony Plus Operations Access Control Error Vulnerability

ABB Symphony Plus Operations is a management device from ABB Switzerland for improving operational efficiency in industrial environments. The appliance provides an easy-to-use human-machine interface that seamlessly integrates all plant equipment and subsystems using industry-standard protocols a...

GaussDB Kernel: Setting the Timeout Period of Client Authentication

authenticationtimeout specifies the maximum time for client authentication. The default value is 1 min. This parameter prevents faulty clients from occupying the connection channel for a long time. Copyright C 2020 Greenbone Networks GmbH Some text descriptions might be excerpted from a reference...