Moderate: python-jwcrypto security update

The python-jwcrypto package provides Python implementations of the JSON Web Key JWK, JSON Web Signature JWS, JSON Web Encryption JWE, and JSON Web Token JWT JOSE JSON Object Signing and Encryption standards. Security Fixes: JWCrypto: denail of service Via specifically crafted JWE CVE-2023-6681 Fo...

EAP: wildfly-elytron has a SSRF security issue

A flaw was found in JwtValidator.resolvePublicKey in JBoss EAP, where the validator checks jku and sends a HTTP request. During this process, no whitelisting or other filtering behavior is performed on the destination URL address, which may result in a server-side request forgery SSRF vulnerabili...

Moderate: python-jwcrypto security update

The python-jwcrypto package provides Python implementations of the JSON Web Key JWK, JSON Web Signature JWS, JSON Web Encryption JWE, and JSON Web Token JWT JOSE JSON Object Signing and Encryption standards. Security Fixes: python-jwcrypto: malicious JWE token can cause denial of service...

PT-2024-23852 · Oidcc · Oidcc

Name of the Vulnerable Software and Affected Versions: oidcc versions prior to 3.0.2 oidcc versions prior to 3.1.2 oidcc versions prior to 3.2.0-beta.3 Description: A Denial of Service DoS by Atom exhaustion is possible by calling oidcc provider configuration worker:get provider configuration/1 o...

OESA-2024-1195 python-jwcrypto security update

Implements JWK, JWS, JWE specifications with python-cryptography Security Fixes: A vulnerability was found in JWCrypto. This flaw allows an attacker to cause a denial of service DoS attack and possible password brute-force and dictionary attacks to be more resource-intensive. This issue can resul...

OESA-2024-1197 python-jwcrypto security update

Implements JWK, JWS, JWE specifications with python-cryptography Security Fixes: A vulnerability was found in JWCrypto. This flaw allows an attacker to cause a denial of service DoS attack and possible password brute-force and dictionary attacks to be more resource-intensive. This issue can resul...

Cisco node-jose improper validation of JWT signature

A vulnerability in the Cisco node-jose open source library before 0.11.0 could allow an unauthenticated, remote attacker to re-sign tokens using a key that is embedded within the token. The vulnerability is due to node-jose following the JSON Web Signature JWS standard for JSON Web Tokens JWTs...

cxf: OpenId Connect token service does not properly validate the clientId

Apache CXF ships with a OpenId Connect JWK Keys service, which allows a client to obtain the public keys in JWK format, which can then be used to verify the signature of tokens issued by the service. Typically, the service obtains the public key from a local keystore JKS/PKCS12 by specifing the...

cxf: OpenId Connect token service does not properly validate the clientId

Apache CXF ships with a OpenId Connect JWK Keys service, which allows a client to obtain the public keys in JWK format, which can then be used to verify the signature of tokens issued by the service. Typically, the service obtains the public key from a local keystore JKS/PKCS12 by specifing the...

cxf: OpenId Connect token service does not properly validate the clientId

Apache CXF ships with a OpenId Connect JWK Keys service, which allows a client to obtain the public keys in JWK format, which can then be used to verify the signature of tokens issued by the service. Typically, the service obtains the public key from a local keystore JKS/PKCS12 by specifing the...

cxf: OpenId Connect token service does not properly validate the clientId

Apache CXF ships with a OpenId Connect JWK Keys service, which allows a client to obtain the public keys in JWK format, which can then be used to verify the signature of tokens issued by the service. Typically, the service obtains the public key from a local keystore JKS/PKCS12 by specifing the...

cxf: OpenId Connect token service does not properly validate the clientId

Apache CXF ships with a OpenId Connect JWK Keys service, which allows a client to obtain the public keys in JWK format, which can then be used to verify the signature of tokens issued by the service. Typically, the service obtains the public key from a local keystore JKS/PKCS12 by specifing the...

Verify JWT With JSON Web Key Set (JWKS) in API Gateway

JSON Web Tokens JWT use digital signatures to establish the authenticity of the data they contain, as well as authenticating the identity of the signer. A valid signature check ensures that any party can rely on the contents and the signatory of the JWT. This is typically accomplished by using an...

CVE-2018-0114

A vulnerability in the Cisco node-jose open source library before 0.11.0 could allow an unauthenticated, remote attacker to re-sign tokens using a key that is embedded within the token. The vulnerability is due to node-jose following the JSON Web Signature JWS standard for JSON Web Tokens JWTs...

Code injection

A vulnerability in the Cisco node-jose open source library before 0.11.0 could allow an unauthenticated, remote attacker to re-sign tokens using a key that is embedded within the token. The vulnerability is due to node-jose following the JSON Web Signature JWS standard for JSON Web Tokens JWTs...

CVE-2018-0114

A vulnerability in the Cisco node-jose open source library before 0.11.0 could allow an unauthenticated, remote attacker to re-sign tokens using a key that is embedded within the token. The vulnerability is due to node-jose following the JSON Web Signature JWS standard for JSON Web Tokens JWTs...