4 matches found

Veracode
added 2025/12/13 8:3 a.m. | 4 views

Authentication Bypass

keylime is vulnerable to Authentication Bypass. The vulnerability is due to insufficient validation during agent registration, where a malicious actor can register a new agent with a different TPM while reusing an existing agent’s UUID, allowing the attacker to overwrite the legitimate agent...

CVSS 8.2 | AI score 5.8 | EPSS 0.00094
Exploits 0 | References 11 | Affected Software 1

RedHat Linux
added 2020/05/11 8:17 p.m. | 2 views

Soteria: security identity corruption across concurrent threads

A flaw was found in WildFly where multiple requests occurring concurrently could be handled using the identity of another request. This vulnerability occurs when using EE Security with WildFly Elytron. The largest threat from this vulnerability is data confidentiality and integrity...

CVSS 4.9 | AI score 5.7 | EPSS 0.00132
Exploits 0 | References 4

RedHat Linux
added 2019/05/08 12:12 p.m. | 2 views

wildfly: wrong SecurityIdentity for EE concurrency threads that are reused

It was discovered that the ElytronManagedThread in WildFly's Elytron subsystem stores a SecurityIdentity to run the thread with that security identity. As these threads do not necessarily terminate if the 'keep alive' time has not expired, this could allow a shared thread to use the wrong securit...

CVSS 8.8 | AI score 5.8 | EPSS 0.01161
Exploits 0 | References 4

curl security advisories
added 2016/08/03 8:0 a.m. | 3 views

TLS session resumption client cert bypass

libcurl would attempt to resume a TLS session even if the client certificate had changed. That is unacceptable since a server by specification is allowed to skip the client certificate check on resume, and may instead use the old identity which was established by the previous certificate or no...

CVSS 7.5 | AI score 6.4 | EPSS 0.01912
Exploits 0 | Affected Software 2