Lucene search
K

131 matches found

Github Security Blog
Github Security Blog
added 2023/06/21 10:6 p.m.12 views

passport-wsfed-saml2 Signature Bypass vulnerability

Information Please note that this is not a new disclosure, and is previously reported in our SECURITY-NOTICE.md which we removed in favor of github advisory. Overview A vulnerability was found in the validation of a SAML signature. The validation doesn't ensure that the "Signature" tag is at the...

6.5AI score
Exploits0References4Affected Software1
Github Security Blog
Github Security Blog
added 2023/06/21 10:0 p.m.19 views

passport-wsfed-saml2 vulnerable to Signature Bypass in SAML2 token

Information Please note that this is not a new disclosure, and is previously reported in our SECURITY-NOTICE.md which we removed in favor of github advisory. Overview This vulnerability allows an attacker to impersonate another user and potentially elevate their privileges if the SAML identity...

9.3CVSS6.7AI score0.01378EPSS
Exploits0References5Affected Software1
Github Security Blog
Github Security Blog
added 2023/06/06 4:45 p.m.26 views

notation-go's verification bypass can cause users to verify the wrong artifact

Impact An attacker who controls or compromises a registry can lead a user to verify the wrong artifact. Patches The problem has been fixed in the release v1.0.0-rc.6. Users should upgrade their notation-go library to v1.0.0-rc.6 or above. Workarounds User should use secure and trusted container...

8.8CVSS6.7AI score0.00354EPSS
Exploits0References6Affected Software1
Atlassian
Atlassian
added 2023/03/27 7:30 a.m.276 views

Upgrade moment library to 2.29.2+ for LTS version as required for CVE-2022-24785 and CVE-2022-31129

Hi, Is it possible to upgrade the moment.js library to 2.29.2 on all LTS version ? It seems fixed in the 9.7.0 as this ticket seems to point https://jira.atlassian.com/browse/JRASERVER-74647 In our 9.4.2 LTS version it is still discovered as a vulnerability. Regards CWATCH team...

7.5CVSS7.6AI score0.05664EPSS
Exploits1
OSV
OSV
added 2022/12/13 5:16 p.m.26 views

GHSA-PPJQ-QXHX-M25F Authentication Bypass for passport-wsfed-saml2

Overview A remote attacker can bypass WSFed authentication on a website using passport-wsfed-saml2. A successful attack requires that the attacker is in possession of an arbitrary IDP signed WSFed assertion. Depending on the IDP used, fully unauthenticated attacks e.g without access to a valid us...

5.3CVSS6.5AI score0.00751EPSS
Exploits0References4
Github Security Blog
Github Security Blog
added 2022/12/13 5:16 p.m.36 views

Authentication Bypass for passport-wsfed-saml2

Overview A remote attacker can bypass WSFed authentication on a website using passport-wsfed-saml2. A successful attack requires that the attacker is in possession of an arbitrary IDP signed WSFed assertion. Depending on the IDP used, fully unauthenticated attacks e.g without access to a valid us...

7.5CVSS3.6AI score0.00751EPSS
Exploits0References4Affected Software1
OSV
OSV
added 2022/09/12 7:5 a.m.1 views

SUSE-SU-2022:3249-1 Security update for clamav

This update for clamav fixes the following issues: clamav was updated to 0.103.7 bsc1202986 Upgrade the vendored UnRAR library to version 6.1.7. Fix logical signature 'Intermediates' feature. Relax constraints on slightly malformed zip archives that contain overlapping file entries...

7.2AI score
Exploits0References2
OSV
OSV
added 2022/08/29 5:7 a.m.3 views

MGASA-2022-0312 Updated clamav packages fix security vulnerability

ClamAV 0.103.7 is a critical patch release with the following fixes: Upgrade the vendored UnRAR library to version 6.1.7. Fix logical signature "Intermediates" feature. Relax constraints on slightly malformed zip archives that contain overlapping file entries...

7.1AI score
Exploits0References3
Vulnrichment
Vulnrichment
added 2022/08/02 8:10 p.m.4 views

CVE-2022-35923 Inefficient Regular Expression Complexity in v8n

v8n is a javascript validation library. Versions of v8n prior to 1.5.1 were found to have an inefficient regular expression complexity in the lowercase and uppercase regex which could lead to a denial of service attack. In testing of the lowercase function a payload of 'a' + 'a'.repeati + 'A' wit...

7.5CVSS7.7AI score0.01358EPSS
Exploits1References3
Snyk
Snyk
added 2022/05/24 5:43 p.m.4 views

Denial of Service (DoS)

Overview Affected versions of this package are vulnerable to Denial of Service DoS when creating HTTPS web requests while building X509 certificate chains. Details Denial of Service DoS describes a family of attacks, all aimed at making a system inaccessible to its intended and legitimate users...

6.5CVSS7AI score0.0334EPSS
Exploits0References2
UbuntuCve
UbuntuCve
added 2022/01/10 2:10 p.m.50 views

CVE-2021-22569

An issue in protobuf-java allowed the interleaving of com.google.protobuf.UnknownFieldSet fields in such a way that would be processed out of order. A small malicious payload can occupy the parser for several minutes by creating large numbers of short-lived objects that cause frequent, repeated...

7.5CVSS6.8AI score0.01655EPSS
Exploits1References6
Cvelist
Cvelist
added 2022/01/07 12:0 a.m.36 views

CVE-2021-22569 Denial of Service of protobuf-java parsing procedure

An issue in protobuf-java allowed the interleaving of com.google.protobuf.UnknownFieldSet fields in such a way that would be processed out of order. A small malicious payload can occupy the parser for several minutes by creating large numbers of short-lived objects that cause frequent, repeated...

7.5CVSS7.7AI score0.01655EPSS
Exploits1References6
CVE
CVE
added 2022/01/07 12:0 a.m.611 views

CVE-2021-22569

CVE-2021-22569 concerns protobuf-java: an issue allowing interleaving of UnknownFieldSet fields that can cause the parser to linger due to many short-lived objects, potentially enabling DoS-like pauses. Connected sources show this vulnerability in multiple ecosystems (e.g., Debian protobuf packag...

7.5CVSS6.3AI score0.01655EPSS
Exploits1References6Affected Software3
OSV
OSV
added 2022/01/06 9:15 a.m.7 views

CVE-2021-36737

The input fields of the Apache Pluto UrlTestPortlet are vulnerable to Cross-Site Scripting XSS attacks. Users should migrate to version 3.1.1 of the v3-demo-portlet.war artifact...

6.1CVSS6.4AI score0.02327EPSS
Exploits0References1
Positive Technologies
Positive Technologies
added 2021/04/14 12:0 a.m.2 views

PT-2021-12657 · Goxmldsig +1 · Goxmldsig +1

Name of the Vulnerable Software and Affected Versions: gosaml2 versions prior to 0.7.0 goxmldsig versions prior to 1.1.1 Description: The issue is caused by a nil-pointer dereference when validating malformed XML Digital Signatures, leading to a crash or panic. This can be used as a denial of...

7.5CVSS7.2AI score0.01755EPSS
Exploits1References18
Oracle linux
Oracle linux
added 2021/03/17 12:0 a.m.61 views

pki-core security and bug fix update

10.5.18-12 - Change variable 'TPS' to 'tps' - - RHEL 7.9: - - Bugzilla Bug 1883639 - Add KRA Transport and Storage Certificates profiles, audit for IPA edewata - - Backported CVEs ascheel: - - Bugzilla Bug 1724697 - CVE-2019-10180 pki-core: unsanitized token parameters in TPS resulting in stored...

8.1CVSS0.7AI score0.01289EPSS
Exploits1
OpenVAS
OpenVAS
added 2019/08/06 12:0 a.m.119 views

Moodle < 3.5.7, 3.6.x < 3.6.5, 3.7.x < 3.7.1 Multiple Vulnerabilities

Moodle is prone to multiple vulnerabilities. Copyright C 2019 Greenbone Networks GmbH SPDX-License-Identifier: GPL-2.0-or-later This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation;...

9.8CVSS6.6AI score0.26172EPSS
Exploits7References5
Fedora
Fedora
added 2018/10/30 5:48 p.m.22 views

[SECURITY] Fedora 29 Update: opencc-1.0.5-3.fc29

OpenCC is a library for converting characters and phrases between Traditional Chinese and Simplified Chinese...

5.5CVSS3.3AI score0.01046EPSS
Exploits1
Positive Technologies
Positive Technologies
added 2017/12/23 12:0 a.m.5 views

PT-2017-14626 · Auth0 · Passport-Wsfed-Saml2

Name of the Vulnerable Software and Affected Versions: Auth0 passport-wsfed-saml2 versions prior to 3.0.5 Description: A vulnerability has been discovered in the Auth0 passport-wsfed-saml2 library, allowing an attacker to impersonate another user and potentially elevate their privileges if the SA...

9.3CVSS7.9AI score0.01378EPSS
Exploits0References9
Snyk
Snyk
added 2017/11/14 8:0 a.m.3 views

Denial of Service (DoS)

Overview Affected versions of this package are vulnerable to Denial of Service DoS due to improperly handling parsing certificate data. An attacker who successfully exploited this vulnerability could cause a denial of service against a .NET Core web application. Details Denial of Service DoS...

7.5CVSS6.9AI score0.05423EPSS
Exploits0References2
Rows per page
Query Builder