3 matches found
apache-airflow-providers-keycloak: Missing OAuth 2.0 State and PKCE Enables Login CSRF and Session Fixation
The Keycloak authentication manager in apache-airflow-providers-keycloak did not generate or validate the OAuth 2.0 state parameter on the login / login-callback flow, and did not use PKCE. An attacker with a Keycloak account in the same realm could deliver a crafted callback URL to a victim's...
CVE-2026-40948
The Keycloak authentication manager in apache-airflow-providers-keycloak did not generate or validate the OAuth 2.0 state parameter on the login / login-callback flow, and did not use PKCE. An attacker with a Keycloak account in the same realm could deliver a crafted callback URL to a victim's...
CVE-2025-61729 vulnerabilities
Vulnerabilities for packages: nri-cassandra, mockery, nri-memcached, go-jsonnet, src, k8ssandra-operator, openbao-k8s, thanos, neuvector-dbgen, telegraf, mountpoint-s3-csi-driver, podman, kuberay-operator, kots, gobump, gostatsd, ip-masq-agent, kubernetes-csi-external-snapshotter,...