131 matches found
passport-wsfed-saml2 Signature Bypass vulnerability
Information Please note that this is not a new disclosure, and is previously reported in our SECURITY-NOTICE.md which we removed in favor of github advisory. Overview A vulnerability was found in the validation of a SAML signature. The validation doesn't ensure that the "Signature" tag is at the...
passport-wsfed-saml2 vulnerable to Signature Bypass in SAML2 token
Information Please note that this is not a new disclosure, and is previously reported in our SECURITY-NOTICE.md which we removed in favor of github advisory. Overview This vulnerability allows an attacker to impersonate another user and potentially elevate their privileges if the SAML identity...
notation-go's verification bypass can cause users to verify the wrong artifact
Impact An attacker who controls or compromises a registry can lead a user to verify the wrong artifact. Patches The problem has been fixed in the release v1.0.0-rc.6. Users should upgrade their notation-go library to v1.0.0-rc.6 or above. Workarounds User should use secure and trusted container...
Upgrade moment library to 2.29.2+ for LTS version as required for CVE-2022-24785 and CVE-2022-31129
Hi, Is it possible to upgrade the moment.js library to 2.29.2 on all LTS version ? It seems fixed in the 9.7.0 as this ticket seems to point https://jira.atlassian.com/browse/JRASERVER-74647 In our 9.4.2 LTS version it is still discovered as a vulnerability. Regards CWATCH team...
GHSA-PPJQ-QXHX-M25F Authentication Bypass for passport-wsfed-saml2
Overview A remote attacker can bypass WSFed authentication on a website using passport-wsfed-saml2. A successful attack requires that the attacker is in possession of an arbitrary IDP signed WSFed assertion. Depending on the IDP used, fully unauthenticated attacks e.g without access to a valid us...
Authentication Bypass for passport-wsfed-saml2
Overview A remote attacker can bypass WSFed authentication on a website using passport-wsfed-saml2. A successful attack requires that the attacker is in possession of an arbitrary IDP signed WSFed assertion. Depending on the IDP used, fully unauthenticated attacks e.g without access to a valid us...
SUSE-SU-2022:3249-1 Security update for clamav
This update for clamav fixes the following issues: clamav was updated to 0.103.7 bsc1202986 Upgrade the vendored UnRAR library to version 6.1.7. Fix logical signature 'Intermediates' feature. Relax constraints on slightly malformed zip archives that contain overlapping file entries...
MGASA-2022-0312 Updated clamav packages fix security vulnerability
ClamAV 0.103.7 is a critical patch release with the following fixes: Upgrade the vendored UnRAR library to version 6.1.7. Fix logical signature "Intermediates" feature. Relax constraints on slightly malformed zip archives that contain overlapping file entries...
CVE-2022-35923 Inefficient Regular Expression Complexity in v8n
v8n is a javascript validation library. Versions of v8n prior to 1.5.1 were found to have an inefficient regular expression complexity in the lowercase and uppercase regex which could lead to a denial of service attack. In testing of the lowercase function a payload of 'a' + 'a'.repeati + 'A' wit...
Denial of Service (DoS)
Overview Affected versions of this package are vulnerable to Denial of Service DoS when creating HTTPS web requests while building X509 certificate chains. Details Denial of Service DoS describes a family of attacks, all aimed at making a system inaccessible to its intended and legitimate users...
CVE-2021-22569
An issue in protobuf-java allowed the interleaving of com.google.protobuf.UnknownFieldSet fields in such a way that would be processed out of order. A small malicious payload can occupy the parser for several minutes by creating large numbers of short-lived objects that cause frequent, repeated...
CVE-2021-22569 Denial of Service of protobuf-java parsing procedure
An issue in protobuf-java allowed the interleaving of com.google.protobuf.UnknownFieldSet fields in such a way that would be processed out of order. A small malicious payload can occupy the parser for several minutes by creating large numbers of short-lived objects that cause frequent, repeated...
CVE-2021-22569
CVE-2021-22569 concerns protobuf-java: an issue allowing interleaving of UnknownFieldSet fields that can cause the parser to linger due to many short-lived objects, potentially enabling DoS-like pauses. Connected sources show this vulnerability in multiple ecosystems (e.g., Debian protobuf packag...
CVE-2021-36737
The input fields of the Apache Pluto UrlTestPortlet are vulnerable to Cross-Site Scripting XSS attacks. Users should migrate to version 3.1.1 of the v3-demo-portlet.war artifact...
PT-2021-12657 · Goxmldsig +1 · Goxmldsig +1
Name of the Vulnerable Software and Affected Versions: gosaml2 versions prior to 0.7.0 goxmldsig versions prior to 1.1.1 Description: The issue is caused by a nil-pointer dereference when validating malformed XML Digital Signatures, leading to a crash or panic. This can be used as a denial of...
pki-core security and bug fix update
10.5.18-12 - Change variable 'TPS' to 'tps' - - RHEL 7.9: - - Bugzilla Bug 1883639 - Add KRA Transport and Storage Certificates profiles, audit for IPA edewata - - Backported CVEs ascheel: - - Bugzilla Bug 1724697 - CVE-2019-10180 pki-core: unsanitized token parameters in TPS resulting in stored...
Moodle < 3.5.7, 3.6.x < 3.6.5, 3.7.x < 3.7.1 Multiple Vulnerabilities
Moodle is prone to multiple vulnerabilities. Copyright C 2019 Greenbone Networks GmbH SPDX-License-Identifier: GPL-2.0-or-later This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation;...
[SECURITY] Fedora 29 Update: opencc-1.0.5-3.fc29
OpenCC is a library for converting characters and phrases between Traditional Chinese and Simplified Chinese...
PT-2017-14626 · Auth0 · Passport-Wsfed-Saml2
Name of the Vulnerable Software and Affected Versions: Auth0 passport-wsfed-saml2 versions prior to 3.0.5 Description: A vulnerability has been discovered in the Auth0 passport-wsfed-saml2 library, allowing an attacker to impersonate another user and potentially elevate their privileges if the SA...
Denial of Service (DoS)
Overview Affected versions of this package are vulnerable to Denial of Service DoS due to improperly handling parsing certificate data. An attacker who successfully exploited this vulnerability could cause a denial of service against a .NET Core web application. Details Denial of Service DoS...