1536 matches found
cxf: OpenId Connect token service does not properly validate the clientId
Apache CXF ships with a OpenId Connect JWK Keys service, which allows a client to obtain the public keys in JWK format, which can then be used to verify the signature of tokens issued by the service. Typically, the service obtains the public key from a local keystore JKS/PKCS12 by specifing the...
Malicious Google Web Extensions Harvest Cryptowallet Secrets
Large campaigns that are spreading malicious browser extensions are abusing Google Ads and well-known cryptocurrency brands to draw in victims. Extensions can be installed to add widgets or other functionality to web browsers; they offer the ability to do everything from setting a special search...
49 New Google Chrome Extensions Caught Hijacking Cryptocurrency Wallets
Google has ousted 49 Chrome browser extensions from its Web Store that masqueraded as cryptocurrency wallets but contained malicious code to siphon off sensitive information and empty the digital currencies. The 49 browser add-ons, potentially the work of Russian threat actors, were identified fi...
49 New Google Chrome Extensions Caught Hijacking Cryptocurrency Wallets
Google has ousted 49 Chrome browser extensions from its Web Store that masqueraded as cryptocurrency wallets but contained malicious code to siphon off sensitive information and empty the digital currencies. The 49 browser add-ons, potentially the work of Russian threat actors, were identified fi...
The vulnerability of the SAP NetWeaver software integration platform’s keystore service allows attackers to disclose protected information.
The vulnerability of the SAP NetWeaver software integration platform’s keystore service is related to authentication errors. Exploiting this vulnerability can allow a malicious actor to disclose protected information remotely...
Calling getpidcon for One Way Binder Transactions Returns Wrong Security Context
The servicemanager, keystore and drmserver all use getpidcon function to get the security context of the caller from a binder. When combined with a one way binder transaction this results in getting the security context of the current process which might allow a selinux mac bypass. Recent...
CVE-2019-12423
Apache CXF ships with a OpenId Connect JWK Keys service, which allows a client to obtain the public keys in JWK format, which can then be used to verify the signature of tokens issued by the service. Typically, the service obtains the public key from a local keystore JKS/PKCS12 by specifing the...
Information Disclosure
An attacker is able to obtain the private keys from a JWK keystore file by setting the configuration parameter rs.security.keystore.type to jwk...
CVE-2019-12423
Apache CXF ships with a OpenId Connect JWK Keys service, which allows a client to obtain the public keys in JWK format, which can then be used to verify the signature of tokens issued by the service. Typically, the service obtains the public key from a local keystore JKS/PKCS12 by specifing the...
Design/Logic Flaw
Apache CXF ships with a OpenId Connect JWK Keys service, which allows a client to obtain the public keys in JWK format, which can then be used to verify the signature of tokens issued by the service. Typically, the service obtains the public key from a local keystore JKS/PKCS12 by specifing the...
CVE-2019-12423
CVE-2019-12423 affects Apache CXF OpenId Connect JWK Keys service. When rs.security.keystore.type is set to “jwk”, the service may return all keys from the JWK file, potentially exposing private/secret key credentials if present, though newer CXF releases restrict to the key with the matching ali...
CVE-2019-9253
In KeyStore, there is a possible storage of symmetric keys in the TEE instead of the strongbox due to a missing strongbox flag. This could lead to local information disclosure with System execution privileges needed. User interaction is not needed for exploitation. Product: AndroidVersions:...
CVE-2019-9253
In KeyStore, there is a possible storage of symmetric keys in the TEE instead of the strongbox due to a missing strongbox flag. This could lead to local information disclosure with System execution privileges needed. User interaction is not needed for exploitation. Product: AndroidVersions:...
Information disclosure
In KeyStore, there is a possible storage of symmetric keys in the TEE instead of the strongbox due to a missing strongbox flag. This could lead to local information disclosure with System execution privileges needed. User interaction is not needed for exploitation. Product: AndroidVersions:...
CVE-2019-9253
In KeyStore, there is a possible storage of symmetric keys in the TEE instead of the strongbox due to a missing strongbox flag. This could lead to local information disclosure with System execution privileges needed. User interaction is not needed for exploitation. Product: AndroidVersions:...
CVE-2019-9253
CVE-2019-9253 affects Android 10 KeyStore: a missing strongbox flag allows symmetric keys to be stored in the TEE instead of the strongbox, enabling local information disclosure with System privileges required. No user interaction needed. Exploitation details are not provided in the supplied docu...
CVE-2019-2278
User keystore signature is ignored in boot and can lead to bypass boot image signature verification in Snapdragon Auto, Snapdragon Consumer IOT, Snapdragon Mobile in MDM9607, MDM9640, SD 425, SD 427, SD 430, SD 435, SD 450, SD 625, SD 636, SD 712 / SD 710 / SD 670, SD 845 / SD 850, SDM660...
Design/Logic Flaw
User keystore signature is ignored in boot and can lead to bypass boot image signature verification in Snapdragon Auto, Snapdragon Consumer IOT, Snapdragon Mobile in MDM9607, MDM9640, SD 425, SD 427, SD 430, SD 435, SD 450, SD 625, SD 636, SD 712 / SD 710 / SD 670, SD 845 / SD 850, SDM660...
CVE-2019-2278
CVE-2019-2278 affects Qualcomm components on Snapdragon platforms (Auto, Consumer IoT, Mobile) where the keystore signature is ignored during boot, enabling a bypass of boot image signature verification. Affected devices include SDM660, SD 712/710/670, SD 845/850, SD 625/636/427/425/430/435/450 a...
CVE-2019-2278
User keystore signature is ignored in boot and can lead to bypass boot image signature verification in Snapdragon Auto, Snapdragon Consumer IOT, Snapdragon Mobile in MDM9607, MDM9640, SD 425, SD 427, SD 430, SD 435, SD 450, SD 625, SD 636, SD 712 / SD 710 / SD 670, SD 845 / SD 850, SDM660...