129 matches found
SUSE CVE-2023-32189
Insecure handling of ssh keys used to bootstrap clients allows local attackers to potentially gain access to the keys...
Design/Logic Flaw
A timing side-channel vulnerability has been discovered in the opencryptoki package while processing RSA PKCS1 v1.5 padded ciphertexts. This flaw could potentially enable unauthorized RSA ciphertext decryption or signing, even without access to the corresponding private key...
PT-2024-2594 · Elastic · Elasticsearch
Name of the Vulnerable Software and Affected Versions: Elasticsearch versions 8.10.0 through 8.12.x Description: The issue is related to an Incorrect Authorization problem in the API key based security model for Remote Cluster Security, which is currently in Beta. This allows a malicious user wit...
Allocation of Resources Without Limits or Throttling
Overview Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling by processing JSON Web Encryption JWE tokens with a high compression ratio. An attacker can cause excessive memory allocation and processing time during decompression, leading to a...
Design/Logic Flaw
light-oauth2 before version 2.1.27 obtains the public key without any verification. This could allow attackers to authenticate to the application with a crafted JWT token...
HashiCorp Vault Security Breach
HashiCorp Vault is a private key access management tool from the US-based HashiCorp. A security vulnerability exists in HashiCorp Vault that stems from the presence of a denial of service vulnerability...
CVE-2023-28481
An issue was discovered in Tigergraph Enterprise 3.7.0. There is unsecured write access to SSH authorized keys file. Any code running as the tigergraph user is able to add their SSH public key into the authorised keys file. This allows an attacker to obtain password-less SSH key access by using...
CVE-2023-30993
IBM Cloud Pak for Security CP4S 1.9.0.0 through 1.9.2.0 could allow an attacker with a valid API key for one tenant to access data from another tenant's account. IBM X-Force ID: 254136...
PT-2023-23102 · Ibm · Ibm Cloud Pak For Security
Name of the Vulnerable Software and Affected Versions: IBM Cloud Pak for Security CP4S versions 1.9.0.0 through 1.9.2.0 Description: The issue allows an attacker with a valid API key for one tenant to access data from another tenant's account. Recommendations: For versions 1.9.0.0 through 1.9.2.0...
CVE-2023-33842
IBM SPSS Modeler on Windows 17.0, 18.0, 18.2.2, 18.3, 18.4, and 18.5 requires the end user to have access to the server SSL key which could allow a local user to decrypt and obtain sensitive information. IBM X-Force ID: 256117...
Vulnerabilities fixed in Dell EMC Powerpath
Dell has fixed vulnerabilities in Powerpath. A local malicious person could exploit the vulnerabilities to grant themselves elevated privileges and execute code with SYSTEM privileges, or to gain access to the license key and thereby perform unauthorized new installations. Dell has released updat...
CVE-2023-1939 No access control for the OTP key on OTP entries
No access control for the OTP key on OTP entries in Devolutions Remote Desktop Manager Windows 2022.3.33.0 and prior versions and Remote Desktop Manager Linux 2022.3.2.0 and prior versions allows non admin users to see OTP keys via the user interface...
PT-2023-17355 · Devolutions · Devolutions Remote Desktop Manager
Name of the Vulnerable Software and Affected Versions: Devolutions Remote Desktop Manager Windows versions 2022.3.33.0 and prior Devolutions Remote Desktop Manager Linux versions 2022.3.2.0 and prior Description: The issue is related to a lack of access control for the OTP key on OTP entries in...
CVE-2023-28640 Permissions bypass in Apiman could enable authenticated attacker to unpermitted API Key
Apiman is a flexible and open source API Management platform. Due to a missing permissions check, an attacker with an authenticated Apiman Manager account may be able to gain access to API keys they do not have permission for if they correctly guess the URL, which includes Organisation ID, Client...
K65271605: NTP vulnerability CVE-2016-1549
Security Advisory Description A malicious authenticated peer can create arbitrarily-many ephemeral associations in order to win the clock selection algorithm in ntpd in NTP 4.2.8p4 and earlier and NTPsec 3e160db8dc248a0bcb053b56a80167dc742d2b74 and a5fb34b9cc89b92a8fef2f459004865c93bb7f92 and...
SUSE CVE-2019-9498
The implementations of EAP-PWD in hostapd EAP Server, when built against a crypto library missing explicit validation on imported elements, do not validate the scalar and element values in EAP-pwd-Commit. An attacker may be able to use invalid scalar/element values to complete authentication,...
Design/Logic Flaw
An unauthorized user with network access and the decryption key could decrypt sensitive data, such as usernames and passwords...
CVE-2022-45424
Some Dahua software products have a vulnerability of unauthenticated request of AES crypto key. An attacker can obtain the AES crypto key by sending a specific crafted packet to the vulnerable interface...
Tesla Model 3 安全漏洞
The Tesla Model 3 is an electric car from the American company Tesla. Tesla Model 3 V11.0 2022.4.5.1 6b701552d7a6 A security vulnerability exists in the Tesla mobile app version v4.23, which stems from the vulnerability of the Tesla Model 3's phone key authentication to a man-in-the-middle attack...
RubyGems 授权问题漏洞
RubyGems is a Ruby package manager from the RubyGems organization. The product is primarily used to distribute and manage Ruby packages. RubyGems suffers from a security vulnerability that stems from an error in the password and email change confirmation code that allows an attacker to change the...