534 matches found
OpenSSL Multiple Vulnerabilities (20150108 - 2) - Windows
OpenSSL is prone to multiple vulnerabilities. Copyright C 2021 Greenbone Networks GmbH Some text descriptions might be excerpted from a referenced sources, and are Copyright C by the respective right holders. SPDX-License-Identifier: GPL-2.0-or-later This program is free software; you can...
OpenSSL Multiple Vulnerabilities (20150108 - 2) - Linux
OpenSSL is prone to multiple vulnerabilities. Copyright C 2021 Greenbone Networks GmbH Some text descriptions might be excerpted from a referenced sources, and are Copyright C by the respective right holders. SPDX-License-Identifier: GPL-2.0-or-later This program is free software; you can...
Authentication Bypass in hydra
Impact When using client authentication method "privatekeyjwt" 1, OpenId specification says the following about assertion jti: A unique identifier for the token, which can be used to prevent reuse of the token. These tokens MUST only be used once, unless conditions for reuse were negotiated betwe...
Insecure Session Management
github.com/ory/fosite uses insecure session management. The vulnerability exists as it fails to validate the uniqueness of this jti value in privatekeyjwt client authentication method, allowing an attacker to send the same token request twice with the same jti assertion to get two access tokens...
GHSA-V3Q9-2P3M-7G43 Token reuse in Ory fosite
Impact When using client authentication method "privatekeyjwt" 1https://openid.net/specs/openid-connect-core-10.htmlClientAuthentication, OpenId specification says the following about assertion jti: A unique identifier for the token, which can be used to prevent reuse of the token. These tokens...
Token reuse in Ory fosite
Impact When using client authentication method "privatekeyjwt" 1https://openid.net/specs/openid-connect-core-10.htmlClientAuthentication, OpenId specification says the following about assertion jti: A unique identifier for the token, which can be used to prevent reuse of the token. These tokens...
ABB Symphony Plus Operations Access Control Error Vulnerability
ABB Symphony Plus Operations is a management device from ABB Switzerland for improving operational efficiency in industrial environments. The appliance provides an easy-to-use human-machine interface that seamlessly integrates all plant equipment and subsystems using industry-standard protocols a...
GaussDB Kernel: Setting the Timeout Period of Client Authentication
authenticationtimeout specifies the maximum time for client authentication. The default value is 1 min. This parameter prevents faulty clients from occupying the connection channel for a long time. Copyright C 2020 Greenbone Networks GmbH Some text descriptions might be excerpted from a reference...
Red Hat Ceph Security Vulnerability
Red Hat Ceph is a Linux petabyte-level distributed file system from Red Hat. The main goal of the system is to be designed as a distributed file system without a single point of failure based on POSIX Portable Operating System Interface, enabling fault-tolerant and seamless replication of data. A...
openGauss: Setting the Timeout Period of Client Authentication
authenticationtimeout specifies the maximum time for client authentication. The default value is 1 min. This parameter prevents faulty clients from occupying the connection channel for a long time. SPDX-FileCopyrightText: 2020 Greenbone AG Some text descriptions might be excerpted from a referenc...
CVE-2020-5936
On BIG-IP LTM 15.1.0-15.1.0.5, 14.1.0-14.1.2.7, 13.1.0-13.1.3.4, and 12.1.0-12.1.5.1, the Traffic Management Microkernel TMM process may consume excessive resources when processing SSL traffic and client authentication are enabled on the client SSL profile...
CVE-2020-5936
On BIG-IP LTM 15.1.0-15.1.0.5, 14.1.0-14.1.2.7, 13.1.0-13.1.3.4, and 12.1.0-12.1.5.1, the Traffic Management Microkernel TMM process may consume excessive resources when processing SSL traffic and client authentication are enabled on the client SSL profile...
F5 Networks BIG-IP : BIG-IP Client SSL Security Advisory (K44020030)
The Traffic Management Microkernel TMM process may consume excessive resources when processing SSL traffic and client authentication are enabled on the client SSL profile. Impact TMM memory may eventually become exhausted and may result in the system producing a core file. The BIG-IP system may...
CVE-2020-15222
In ORY Fosite the security first OAuth2 & OpenID Connect framework for Go before version 0.31.0, when using "privatekeyjwt" authentication the uniqueness of the jti value is not checked. When using client authentication method "privatekeyjwt", OpenId specification says the following about asserti...
Taking Transport Layer Security (TLS) to the next level with TLS 1.3
Transport Layer Security TLS 1.3 is now enabled by default on Windows 10 Insider Preview builds, starting with Build 20170, the first step in a broader rollout to Windows 10 systems. TLS 1.3 is the latest version of the internet’s most deployed security protocol, which encrypts data to provide a...
Caddy Authorization Issues Vulnerability
Caddy is an open source , cross-platform HTTP/Web server . A security vulnerability exists in Caddy versions prior to 0.10.13 that stems from the program not properly handling TLS client authentication. An attacker can exploit the vulnerability to bypass authentication...
CVE-2018-21246
Caddy before 0.10.13 mishandles TLS client authentication, as demonstrated by an authentication bypass caused by the lack of the StrictHostMatching mode...
PT-2020-8890 · Caddy · Caddy
Name of the Vulnerable Software and Affected Versions: Caddy versions prior to 0.10.13 Description: The issue is related to the mishandling of TLS client authentication. This is caused by the lack of the StrictHostMatching mode, allowing an attacker to bypass TLS client authentication. An attacke...
Replay Attack
github.com/ory/hydra is vulnerable to replay attack. During the client authentication using the method privatekeyjwt, Hydra does not check the uniqueness of jti token a unique identifier for the token to prevent the reuse of the token more than one time unless there are conditions for reuse betwe...
CVE-2020-5300
In Hydra an OAuth2 Server and OpenID Certified™ OpenID Connect Provider written in Go, before version 1.4.0+oryOS.17, when using client authentication method 'privatekeyjwt' 1, OpenId specification says the following about assertion jti: "A unique identifier for the token, which can be used to...