
1547 matches found

Prion
added 2020/01/16 6:15 p.m., 28 views

Design/Logic Flaw

Apache CXF ships with an OpenId Connect JWK Keys service, which allows a client to obtain the public keys in JWK format, which can then be used to verify the signature of tokens issued by the service. Typically, the service obtains the public key from a local keystore JKS/PKCS12 by specifying the...

CVSS: 4.3, AI score: 8.1, EPSS: 0.0606
Exploits: 0, References: 10, Affected Software: 8
CVE
added 2020/01/16 5:42 p.m., 182 views

CVE-2019-12423

CVE-2019-12423 affects Apache CXF OpenId Connect JWK Keys service. When rs.security.keystore.type is set to “jwk”, the service may return all keys from the JWK file, potentially exposing private/secret key credentials if present, though newer CXF releases restrict to the key with the matching ali...

CVSS: 7.5, AI score: 7.2, EPSS: 0.0606
Exploits: 0, References: 10, Affected Software: 1
NVD
added 2019/09/27 7:15 p.m., 13 views

CVE-2019-9253

In KeyStore, there is a possible storage of symmetric keys in the TEE instead of the strongbox due to a missing strongbox flag. This could lead to local information disclosure with System execution privileges needed. User interaction is not needed for exploitation. Product: Android Versions:...

CVSS: 4.9, AI score: 4.3, EPSS: 0.00151
Exploits: 0, References: 1
OSV
added 2019/09/27 7:15 p.m., 2 views

CVE-2019-9253

In KeyStore, there is a possible storage of symmetric keys in the TEE instead of the strongbox due to a missing strongbox flag. This could lead to local information disclosure with System execution privileges needed. User interaction is not needed for exploitation. Product: Android Versions:...

CVSS: 4.4, AI score: 6.5, EPSS: 0.00151
Exploits: 0, References: 1
Prion
added 2019/09/27 7:15 p.m., 13 views

Information disclosure

In KeyStore, there is a possible storage of symmetric keys in the TEE instead of the strongbox due to a missing strongbox flag. This could lead to local information disclosure with System execution privileges needed. User interaction is not needed for exploitation. Product: Android Versions:...

CVSS: 4.9, AI score: 4.9, EPSS: 0.00151
Exploits: 0, References: 1, Affected Software: 1
CVE
added 2019/09/27 6:05 p.m., 48 views

CVE-2019-9253

CVE-2019-9253 affects Android 10 KeyStore: a missing strongbox flag allows symmetric keys to be stored in the TEE instead of the strongbox, enabling local information disclosure with System privileges required. No user interaction needed. Exploitation details are not provided in the supplied docu...

CVSS: 4.9, AI score: 4.9, EPSS: 0.00151
Exploits: 0, References: 1, Affected Software: 1
Cvelist
added 2019/09/27 6:05 p.m., 14 views

CVE-2019-9253

In KeyStore, there is a possible storage of symmetric keys in the TEE instead of the strongbox due to a missing strongbox flag. This could lead to local information disclosure with System execution privileges needed. User interaction is not needed for exploitation. Product: Android Versions:...

AI score: 5.1, EPSS: 0.00151
Exploits: 0, References: 1
NVD
added 2019/07/25 5:15 p.m., 25 views

CVE-2019-2278

User keystore signature is ignored in boot and can lead to bypass boot image signature verification in Snapdragon Auto, Snapdragon Consumer IOT, Snapdragon Mobile in MDM9607, MDM9640, SD 425, SD 427, SD 430, SD 435, SD 450, SD 625, SD 636, SD 712 / SD 710 / SD 670, SD 845 / SD 850, SDM660...

CVSS: 7.8, AI score: 7.8, EPSS: 0.00193
Exploits: 0, References: 1
Prion
added 2019/07/25 5:15 p.m., 26 views

Design/Logic Flaw

User keystore signature is ignored in boot and can lead to bypass boot image signature verification in Snapdragon Auto, Snapdragon Consumer IOT, Snapdragon Mobile in MDM9607, MDM9640, SD 425, SD 427, SD 430, SD 435, SD 450, SD 625, SD 636, SD 712 / SD 710 / SD 670, SD 845 / SD 850, SDM660...

CVSS: 7.2, AI score: 7.7, EPSS: 0.00193
Exploits: 0, References: 1
CVE
added 2019/07/25 4:33 p.m., 53 views

CVE-2019-2278

CVE-2019-2278 affects Qualcomm components on Snapdragon platforms (Auto, Consumer IoT, Mobile) where the keystore signature is ignored during boot, enabling a bypass of boot image signature verification. Affected devices include SDM660, SD 712/710/670, SD 845/850, SD 625/636/427/425/430/435/450 a...

CVSS: 7.8, AI score: 8.2, EPSS: 0.00193
Exploits: 0, References: 1, Affected Software: 1
Cvelist
added 2019/07/25 4:33 p.m., 29 views

CVE-2019-2278

User keystore signature is ignored in boot and can lead to bypass boot image signature verification in Snapdragon Auto, Snapdragon Consumer IOT, Snapdragon Mobile in MDM9607, MDM9640, SD 425, SD 427, SD 430, SD 435, SD 450, SD 625, SD 636, SD 712 / SD 710 / SD 670, SD 845 / SD 850, SDM660...

AI score: 7.8, EPSS: 0.00193
Exploits: 0, References: 1
CNVD
added 2019/07/23 12:00 a.m., 1 view

TronLink Wallet Trust Management Issues Vulnerability

TronLink Wallet is a cryptocurrency wallet application. A trust management issue vulnerability exists in TronLink Wallet version 2.2.0, which can be exploited to read and use a user's keystore to gain unauthorized access with /data/data/com.tronlink.wallet/shared_prefs/.xml...

CVSS: 9.8, AI score: 7, EPSS: 0.01144
Exploits: 1, References: 1
OSV
added 2019/07/22 5:15 p.m., 1 view

CVE-2019-13096

TronLink Wallet 2.2.0 stores user wallet keystore in plaintext and places them in insecure storage. An attacker can read and reuse the user keystore of a valid user via /data/data/com.tronlink.wallet/shared_prefs/.xml to gain unauthorized access...

CVSS: 9.8, AI score: 7.3, EPSS: 0.01144
Exploits: 1, References: 2
Prion
added 2019/07/22 5:15 p.m., 15 views

Design/Logic Flaw

TronLink Wallet 2.2.0 stores user wallet keystore in plaintext and places them in insecure storage. An attacker can read and reuse the user keystore of a valid user via /data/data/com.tronlink.wallet/shared_prefs/.xml to gain unauthorized access...

CVSS: 5, AI score: 9.2, EPSS: 0.01144
Exploits: 1, References: 2, Affected Software: 1
ATTACKERKB
added 2019/07/22 5:15 p.m., 2 views

CVE-2019-13096

TronLink Wallet 2.2.0 stores user wallet keystore in plaintext and places them in insecure storage. An attacker can read and reuse the user keystore of a valid user via /data/data/com.tronlink.wallet/shared_prefs/.xml to gain unauthorized access...

CVSS: 9.8, AI score: 5.6, EPSS: 0.01144
Exploits: 1, References: 3
CVE
added 2019/07/22 4:14 p.m., 134 views

CVE-2019-13096

CVE-2019-13096 affects TronLink Wallet 2.2.0. The vulnerability arises from storing the user keystore in plaintext in insecure storage, allowing an attacker to read and reuse a valid user’s keystore via /data/data/com.tronlink.wallet/shared_prefs/.xml and gain unauthorized access. Publicly availa...

CVSS: 9.8, AI score: 9.2, EPSS: 0.01144
Exploits: 1, References: 2, Affected Software: 1
Cvelist
added 2019/07/22 4:14 p.m., 17 views

CVE-2019-13096

TronLink Wallet 2.2.0 stores user wallet keystore in plaintext and places them in insecure storage. An attacker can read and reuse the user keystore of a valid user via /data/data/com.tronlink.wallet/shared_prefs/.xml to gain unauthorized access...

AI score: 9.4, EPSS: 0.01144
Exploits: 1, References: 2
Atlassian
added 2019/07/11 12:57 p.m., 802 views

Unable to secure remote agents via automatic keystore management

Issue Summary: It is not possible to secure the remote agents to connect to the Bamboo Server using SSL through the automatic keystore management feature. Steps to Reproduce: Configure Bamboo to use SSL in Broker URL and Broker Client URL Securing your remote...

AI score: 0.8
Exploits: 0, Affected Software: 1
Atlassian
added 2019/07/11 12:57 p.m., 27 views

Unable to secure remote agents via automatic keystore management

Issue Summary: It is not possible to secure the remote agents to connect to the Bamboo Server using SSL through the automatic keystore management feature. Steps to Reproduce: Configure Bamboo to use SSL in Broker URL and Broker Client URL Securing your remote...

AI score: 0.8
Exploits: 0
OSV
added 2019/07/03 5:15 p.m., 3 views

CVE-2017-9326

The keystore password for the Spark History Server may be exposed in unsecured files under the /var/run/cloudera-scm-agent directory managed by Cloudera Manager. The keystore file itself is not exposed...

CVSS: 7.5, AI score: 5.7, EPSS: 0.00756
Exploits: 0, References: 1