Lucene search
K

105 matches found

NVD
NVD
added 2026/03/31 3:15 a.m.6 views

CVE-2026-32727

SciTokens is a reference library for generating and using SciTokens. Prior to version 1.9.7, the Enforcer is vulnerable to a path traversal attack where an attacker can use dot-dot .. in the scope claim of a token to escape the intended directory restriction. This occurs because the library...

8.1CVSS0.00516EPSS
Exploits1References4
Snyk
Snyk
added 2026/03/31 3:10 a.m.3 views

Improper Authorization

Overview scitokens is a SciToken reference implementation library Affected versions of this package are vulnerable to Improper Authorization via the validatescp and validatescope functions. An attacker can gain unauthorized access to sibling paths by crafting tokens with scope paths that share a...

8.6CVSS5.9AI score0.00389EPSS
Exploits1References2
OSV
OSV
added 2026/03/31 1:31 a.m.4 views

CVE-2026-32727 SciTokens: Authorization Bypass via Path Traversal in Scope Validation

SciTokens is a reference library for generating and using SciTokens. Prior to version 1.9.7, the Enforcer is vulnerable to a path traversal attack where an attacker can use dot-dot .. in the scope claim of a token to escape the intended directory restriction. This occurs because the library...

8.1CVSS5.8AI score0.00516EPSS
Exploits1References6
Vulnrichment
Vulnrichment
added 2026/03/31 1:31 a.m.1 views

CVE-2026-32727 SciTokens: Authorization Bypass via Path Traversal in Scope Validation

SciTokens is a reference library for generating and using SciTokens. Prior to version 1.9.7, the Enforcer is vulnerable to a path traversal attack where an attacker can use dot-dot .. in the scope claim of a token to escape the intended directory restriction. This occurs because the library...

8.1CVSS5.8AI score0.00516EPSS
Exploits1References4
ATTACKERKB
ATTACKERKB
added 2026/03/31 1:31 a.m.1 views

CVE-2026-32727

SciTokens is a reference library for generating and using SciTokens. Prior to version 1.9.7, the Enforcer is vulnerable to a path traversal attack where an attacker can use dot-dot .. in the scope claim of a token to escape the intended directory restriction. This occurs because the library...

8.1CVSS5.8AI score0.00516EPSS
Exploits1References5Affected Software1
CVE
CVE
added 2026/03/31 1:31 a.m.12 views

CVE-2026-32716

Summary: SciTokens Enforcer prior to 1.9.6 validates scope paths with a simple prefix match, allowing a token for a path like /john to access sibling paths (/johnathan, /johnny), causing an Authorization Bypass. Affecting: SciTokens library (pre-1.9.6). Root cause: incorrect scope path validation...

8.1CVSS5.8AI score0.00389EPSS
Exploits1References3Affected Software1
Vulnrichment
Vulnrichment
added 2026/03/31 1:31 a.m.1 views

CVE-2026-32716 SciTokens: Authorization Bypass via Incorrect Scope Path Prefix Checking

SciTokens is a reference library for generating and using SciTokens. Prior to version 1.9.6, the Enforcer incorrectly validates scope paths by using a simple prefix match startswith. This allows a token with access to a specific path e.g., /john to also access sibling paths that start with the sa...

8.1CVSS5.8AI score0.00389EPSS
Exploits1References3
Positive Technologies
Positive Technologies
added 2026/03/31 12:0 a.m.6 views

PT-2026-29185

Name of the Vulnerable Software and Affected Versions SciTokens versions prior to 1.9.7 Description SciTokens is a library for generating and using SciTokens. The Enforcer component is susceptible to a path traversal issue. An attacker can exploit this by including 'dot-dot' .. sequences within t...

9.8CVSS5.9AI score0.00516EPSS
Exploits3References16
CNNVD
CNNVD
added 2026/03/31 12:0 a.m.12 views

scitokens 授权问题漏洞

Scitokens is an open-source science computing token library developed by SciTokens. Versions of SciTokens prior to 1.9.6 contained a vulnerability related to authorization. This vulnerability stemmed from Enforcer using a simple prefix-based matching method for verifying path ranges, which could...

8.1CVSS5.8AI score0.00389EPSS
Exploits1References3
Tenable Nessus
Tenable Nessus
added 2026/03/21 12:0 a.m.3 views

Fedora 44 : python-scitokens (2026-86ad7d8a1a)

The remote Fedora 44 host has a package installed that is affected by a vulnerability as referenced in the FEDORA-2026-86ad7d8a1a advisory. - Remove legacy parent SciToken chaining behavior from token initialization and claim handling - Harden Enforcer scope path traversal validation including...

5.9AI score
Exploits0References1
Tenable Nessus
Tenable Nessus
added 2026/03/21 12:0 a.m.6 views

Fedora 43 : python-scitokens (2026-727b73bfa0)

The remote Fedora 43 host has a package installed that is affected by a vulnerability as referenced in the FEDORA-2026-727b73bfa0 advisory. - Remove legacy parent SciToken chaining behavior from token initialization and claim handling - Harden Enforcer scope path traversal validation including...

5.9AI score
Exploits0References1
Packet Storm News
Packet Storm News
added 2026/01/30 12:0 a.m.5 views

No More, No Less: Least-Privilege Language Models

Least privilege is a core security principle: grant each request only the minimum access needed to achieve its goal. Deployed language models almost never follow it, instead being exposed through a single API endpoint that serves all users and requests. This gap exists not because least privilege...

5.5AI score
Exploits0
Veracode
Veracode
added 2026/01/08 3:59 a.m.6 views

OS Command Injection

github.com/neuvector/neuvector is vulnerable to OS Command Injection. The vulnerability is due to unsanitized use of the environment variables CLUSTERRPCPORT and CLUSTERLANPORT in shell commands executed via popen, which allows an attacker to inject and execute arbitrary commands within the...

9.9CVSS7.8AI score0.0043EPSS
Exploits0References6Affected Software1
Snyk
Snyk
added 2025/10/30 3:2 p.m.2 views

Command Injection

Overview Affected versions of this package are vulnerable to Command Injection via the enforcer that uses environment variables without sanitation. An attacker can execute arbitrary commands or cause a buffer overflow by supplying crafted input to the affected component. Remediation Upgrade...

9.9CVSS8.3AI score0.0043EPSS
Exploits0References3
Snyk
Snyk
added 2025/10/30 3:2 p.m.0 views

Command Injection

Overview Affected versions of this package are vulnerable to Command Injection via the enforcer that uses environment variables without sanitation. An attacker can execute arbitrary commands or cause a buffer overflow by supplying crafted input to the affected component. Remediation Upgrade...

9.9CVSS8.3AI score0.0043EPSS
Exploits0References3
Snyk
Snyk
added 2025/10/30 3:2 p.m.1 views

Command Injection

Overview Affected versions of this package are vulnerable to Command Injection via the enforcer that uses environment variables without sanitation. An attacker can execute arbitrary commands or cause a buffer overflow by supplying crafted input to the affected component. Remediation Upgrade...

9.9CVSS8.3AI score0.0043EPSS
Exploits0References3
Snyk
Snyk
added 2025/10/30 3:2 p.m.2 views

Command Injection

Overview Affected versions of this package are vulnerable to Command Injection via the enforcer that uses environment variables without sanitation. An attacker can execute arbitrary commands or cause a buffer overflow by supplying crafted input to the affected component. Remediation Upgrade...

9.9CVSS8.3AI score0.0043EPSS
Exploits0References3
Snyk
Snyk
added 2025/10/30 3:2 p.m.2 views

Command Injection

Overview Affected versions of this package are vulnerable to Command Injection via the enforcer that uses environment variables without sanitation. An attacker can execute arbitrary commands or cause a buffer overflow by supplying crafted input to the affected component. Remediation Upgrade...

9.9CVSS8.3AI score0.0043EPSS
Exploits0References3
Snyk
Snyk
added 2025/10/30 3:2 p.m.2 views

Command Injection

Overview Affected versions of this package are vulnerable to Command Injection via the enforcer that uses environment variables without sanitation. An attacker can execute arbitrary commands or cause a buffer overflow by supplying crafted input to the affected component. Remediation Upgrade...

9.9CVSS7.9AI score0.0043EPSS
Exploits0References3
Snyk
Snyk
added 2025/10/30 3:2 p.m.1 views

Command Injection

Overview Affected versions of this package are vulnerable to Command Injection via the enforcer that uses environment variables without sanitation. An attacker can execute arbitrary commands or cause a buffer overflow by supplying crafted input to the affected component. Remediation Upgrade...

9.9CVSS8.3AI score0.0043EPSS
Exploits0References3
Rows per page
Query Builder