105 matches found
CVE-2026-32727
SciTokens is a reference library for generating and using SciTokens. Prior to version 1.9.7, the Enforcer is vulnerable to a path traversal attack where an attacker can use dot-dot .. in the scope claim of a token to escape the intended directory restriction. This occurs because the library...
Improper Authorization
Overview scitokens is a SciToken reference implementation library Affected versions of this package are vulnerable to Improper Authorization via the validatescp and validatescope functions. An attacker can gain unauthorized access to sibling paths by crafting tokens with scope paths that share a...
CVE-2026-32727 SciTokens: Authorization Bypass via Path Traversal in Scope Validation
SciTokens is a reference library for generating and using SciTokens. Prior to version 1.9.7, the Enforcer is vulnerable to a path traversal attack where an attacker can use dot-dot .. in the scope claim of a token to escape the intended directory restriction. This occurs because the library...
CVE-2026-32727 SciTokens: Authorization Bypass via Path Traversal in Scope Validation
SciTokens is a reference library for generating and using SciTokens. Prior to version 1.9.7, the Enforcer is vulnerable to a path traversal attack where an attacker can use dot-dot .. in the scope claim of a token to escape the intended directory restriction. This occurs because the library...
CVE-2026-32727
SciTokens is a reference library for generating and using SciTokens. Prior to version 1.9.7, the Enforcer is vulnerable to a path traversal attack where an attacker can use dot-dot .. in the scope claim of a token to escape the intended directory restriction. This occurs because the library...
CVE-2026-32716
Summary: SciTokens Enforcer prior to 1.9.6 validates scope paths with a simple prefix match, allowing a token for a path like /john to access sibling paths (/johnathan, /johnny), causing an Authorization Bypass. Affecting: SciTokens library (pre-1.9.6). Root cause: incorrect scope path validation...
CVE-2026-32716 SciTokens: Authorization Bypass via Incorrect Scope Path Prefix Checking
SciTokens is a reference library for generating and using SciTokens. Prior to version 1.9.6, the Enforcer incorrectly validates scope paths by using a simple prefix match startswith. This allows a token with access to a specific path e.g., /john to also access sibling paths that start with the sa...
PT-2026-29185
Name of the Vulnerable Software and Affected Versions SciTokens versions prior to 1.9.7 Description SciTokens is a library for generating and using SciTokens. The Enforcer component is susceptible to a path traversal issue. An attacker can exploit this by including 'dot-dot' .. sequences within t...
scitokens 授权问题漏洞
Scitokens is an open-source science computing token library developed by SciTokens. Versions of SciTokens prior to 1.9.6 contained a vulnerability related to authorization. This vulnerability stemmed from Enforcer using a simple prefix-based matching method for verifying path ranges, which could...
Fedora 44 : python-scitokens (2026-86ad7d8a1a)
The remote Fedora 44 host has a package installed that is affected by a vulnerability as referenced in the FEDORA-2026-86ad7d8a1a advisory. - Remove legacy parent SciToken chaining behavior from token initialization and claim handling - Harden Enforcer scope path traversal validation including...
Fedora 43 : python-scitokens (2026-727b73bfa0)
The remote Fedora 43 host has a package installed that is affected by a vulnerability as referenced in the FEDORA-2026-727b73bfa0 advisory. - Remove legacy parent SciToken chaining behavior from token initialization and claim handling - Harden Enforcer scope path traversal validation including...
No More, No Less: Least-Privilege Language Models
Least privilege is a core security principle: grant each request only the minimum access needed to achieve its goal. Deployed language models almost never follow it, instead being exposed through a single API endpoint that serves all users and requests. This gap exists not because least privilege...
OS Command Injection
github.com/neuvector/neuvector is vulnerable to OS Command Injection. The vulnerability is due to unsanitized use of the environment variables CLUSTERRPCPORT and CLUSTERLANPORT in shell commands executed via popen, which allows an attacker to inject and execute arbitrary commands within the...
Command Injection
Overview Affected versions of this package are vulnerable to Command Injection via the enforcer that uses environment variables without sanitation. An attacker can execute arbitrary commands or cause a buffer overflow by supplying crafted input to the affected component. Remediation Upgrade...
Command Injection
Overview Affected versions of this package are vulnerable to Command Injection via the enforcer that uses environment variables without sanitation. An attacker can execute arbitrary commands or cause a buffer overflow by supplying crafted input to the affected component. Remediation Upgrade...
Command Injection
Overview Affected versions of this package are vulnerable to Command Injection via the enforcer that uses environment variables without sanitation. An attacker can execute arbitrary commands or cause a buffer overflow by supplying crafted input to the affected component. Remediation Upgrade...
Command Injection
Overview Affected versions of this package are vulnerable to Command Injection via the enforcer that uses environment variables without sanitation. An attacker can execute arbitrary commands or cause a buffer overflow by supplying crafted input to the affected component. Remediation Upgrade...
Command Injection
Overview Affected versions of this package are vulnerable to Command Injection via the enforcer that uses environment variables without sanitation. An attacker can execute arbitrary commands or cause a buffer overflow by supplying crafted input to the affected component. Remediation Upgrade...
Command Injection
Overview Affected versions of this package are vulnerable to Command Injection via the enforcer that uses environment variables without sanitation. An attacker can execute arbitrary commands or cause a buffer overflow by supplying crafted input to the affected component. Remediation Upgrade...
Command Injection
Overview Affected versions of this package are vulnerable to Command Injection via the enforcer that uses environment variables without sanitation. An attacker can execute arbitrary commands or cause a buffer overflow by supplying crafted input to the affected component. Remediation Upgrade...