11 matches found
PT-2026-44138
Description OidcTokenHandler is Symfony's built-in access-token handler for OpenID Connect: it validates a bearer JWT and returns the authenticated user identity. It delegates claim validation to the web-token/jwt-checker library's ClaimCheckerManager. OidcTokenHandler::verifyClaims registers...
CVE-2026-24899 Fleet Windows MDM Azure AD JWT Authentication Bypass
Fleet is open source device management software. Prior to version 4.82.0, a vulnerability in Fleet's Windows MDM enrollment flow allows authentication tokens from any Azure AD tenant to be accepted. Because Fleet validates JWT signatures using Microsoft's multi-tenant JWKS endpoint but does not...
GHSA-C3F3-CC42-XR9V Apache Camel: KeycloakSecurityPolicy does not validate issuer of JWT tokens against configured realm
Cross-Realm Token Acceptance Bypass in KeycloakSecurityPolicy Apache Camel Keycloak component. The Camel-Keycloak KeycloakSecurityPolicy does not validate the iss issuer claim of JWT tokens against the configured realm. A token issued by one Keycloak realm is silently accepted by a policy...
EUVD-2024-3440
Malicious code in bioql PyPI...
SUSE CVE-2024-53861
pyjwt is a JSON Web Token implementation in Python. An incorrect string comparison is run for iss checking, resulting in "acb" being accepted for "abc". This is a bug introduced in version 2.10.0: checking the "iss" claim changed from isinstanceissuer, list to isinstanceissuer, Sequence. Since st...
CVE-2024-53861 Issuer field partial matches allowed in pyjwt
pyjwt is a JSON Web Token implementation in Python. An incorrect string comparison is run for iss checking, resulting in "acb" being accepted for "abc". This is a bug introduced in version 2.10.0: checking the "iss" claim changed from isinstanceissuer, list to isinstanceissuer, Sequence. Since st...
pyjwt 安全漏洞
pyjwt is a Python library by the individual developer José Padilla in the United States. It allows encoding and decoding of JSON Web Tokens JWT. A security vulnerability exists in pyjwt version 2.10.0, which stems from an incorrect string comparison being run against the iss check, resulting in a...
CVE-2024-5037
A flaw was found in OpenShift's Telemeter. If certain conditions are in place, an attacker can use a forged token to bypass the issue "iss" check during JSON web token JWT authentication...
PT-2024-4052 · Red Hat · Openshift Telemeter
Name of the Vulnerable Software and Affected Versions: OpenShift Telemeter affected versions not specified Description: The issue is related to a flaw in OpenShift's Telemeter that allows an attacker to bypass authentication using a forged token. This can be done by exploiting the "iss" check...
libreoffice: Execution of Untrusted Macros Due to Improper Certificate Validation
An Improper Certificate Validation vulnerability was found in LibreOffice, where determining if a trusted author signed a macro was done by only matching the serial number and issuer string of the used certificate with that of a trusted certificate. This is not sufficient to verify that the macro...
UBUNTU-CVE-2022-26305
An Improper Certificate Validation vulnerability in LibreOffice existed where determining if a macro was signed by a trusted author was done by only matching the serial number and issuer string of the used certificate with that of a trusted certificate. This is not sufficient to verify that the...