Lucene search
+L

114 matches found

vulnersOsv
vulnersOsv
added 2026/03/05 2:7 a.m.9 views

ba.sake:pac4j-testkit (>=0.1.0 <=0.2.0), com.baomidou:shaun-core (=2.0.0) +5 more potentially affected by CVE-2026-29000 via org.pac4j:pac4j-jwt (>=6.0.3 <=6.2.2)

org.pac4j:pac4j-jwt MAVEN version =6.0.3, =0.1.0, =7.1.0, =7.1.0, =7.3.4 Source cves: CVE-2026-29000 Source advisory: SNYK:JAVA-ORGPAC4J-15428218...

9.3CVSS7.1AI score0.05856EPSS
Exploits17
vulnersOsv
vulnersOsv
added 2026/03/05 2:7 a.m.10 views

com.efluid.oss:efluid-datagate-app (>=3.1.3 <=6.1.5), com.efluid.oss:efluid-datagate-app-cucumber (>=3.1.3 <=6.1.5) +5 more potentially affected by CVE-2026-29000 via org.pac4j:pac4j-jwt (>=5.0.1 <=5.7.8)

org.pac4j:pac4j-jwt MAVEN version =5.0.1, =3.1.3, =3.1.3, =0.8.0, =0.8.0, =2.0.6, =2.2.1, =2.0.6, =2.1.0 Source cves: CVE-2026-29000 Source advisory: SNYK:JAVA-ORGPAC4J-15428218...

9.3CVSS6.7AI score0.05856EPSS
Exploits17
vulnersOsv
vulnersOsv
added 2026/03/05 2:7 a.m.12 views

com.baomidou:shaun-core (>=1.0 <=1.4), com.baomidou:shaun-spring-boot-starter (>=1.0 <=1.4) +37 more potentially affected by CVE-2026-29000 via org.pac4j:pac4j-jwt (>=4.0.0-RC1 <=4.5.8)

org.pac4j:pac4j-jwt MAVEN version =4.0.0-RC1, =1.0, =1.0, =1.1, =1.1.0, =1.1.1, =1.1.1, =1.1.1, =1.0.0.RELEASE, =0.2.0, =0.2.0, =0.2.0, =0.2.0, =0.2.0, =0.2.0, =0.2.0, =0.9.0 and more Source cves: CVE-2026-29000 Source advisory: SNYK:JAVA-ORGPAC4J-15428218...

9.3CVSS6.7AI score0.05856EPSS
Exploits17
vulnersOsv
vulnersOsv
added 2026/03/05 12:31 a.m.13 views

com.efluid.oss:efluid-datagate-app (>=3.1.3 <=6.1.5), com.efluid.oss:efluid-datagate-app-cucumber (>=3.1.3 <=6.1.5) +5 more potentially affected by CVE-2026-29000 via org.pac4j:pac4j-jwt (>=5.0.1 <=5.7.8)

org.pac4j:pac4j-jwt MAVEN version =5.0.1, =3.1.3, =3.1.3, =0.8.0, =0.8.0, =2.0.6, =2.2.1, =2.0.6, =2.1.0 Source cves: CVE-2026-29000 Source advisory: OSV:GHSA-PM7G-W2CF-Q238...

9.3CVSS6.7AI score0.05856EPSS
Exploits17
vulnersOsv
vulnersOsv
added 2026/03/05 12:31 a.m.9 views

cc.akkaha:asura-play_2.12 (>=0.5.0 <=0.6.0), cc.akkaha:pea_2.12 (>=0.1.0 <=0.7.0) +305 more potentially affected by CVE-2026-29000 via org.pac4j:pac4j-jwt (>=1.8.2 <=4.5.8)

org.pac4j:pac4j-jwt MAVEN version =1.8.2, =0.5.0, =0.1.0, =1.0, =1.0, =1.1, =1.1.0, =1.1.1, =1.1.1, =1.1.1, =1.0.0-beta-21, =1.0.0-beta-21, =1.0.0.RELEASE, =0.2.0, =0.2.0, =0.2.0, =0.9.0 and more Source cves: CVE-2026-29000 Source advisory: OSV:GHSA-PM7G-W2CF-Q238...

9.3CVSS6.7AI score0.05856EPSS
Exploits17
EUVD
EUVD
added 2026/03/05 12:31 a.m.9 views

EUVD-2026-9505

pac4j-jwt versions prior to 4.5.9, 5.7.9, and 6.3.3 contain an authentication bypass vulnerability in JwtAuthenticator when processing encrypted JWTs that allows remote attackers to forge authentication tokens. Attackers who possess the server's RSA public key can create a JWE-wrapped PlainJWT wi...

10CVSS6AI score0.05856EPSS
Exploits17References4
OSV
OSV
added 2026/03/05 12:31 a.m.6 views

GHSA-PM7G-W2CF-Q238 pac4j-jwt: JwtAuthenticator Authentication Bypass via JWE-Wrapped PlainJWT

pac4j-jwt versions prior to 4.5.9, 5.7.9, and 6.3.3 contain an authentication bypass vulnerability in JwtAuthenticator when processing encrypted JWTs that allows remote attackers to forge authentication tokens. Attackers who possess the server's RSA public key can create a JWE-wrapped PlainJWT wi...

10CVSS6.8AI score0.05856EPSS
Exploits17References5
vulnersOsv
vulnersOsv
added 2026/03/05 12:31 a.m.14 views

ba.sake:pac4j-testkit (>=0.1.0 <=0.2.0), com.github.hiwepy:pac4j-spring-boot-starter (=3.3.x.20241020.RELEASE) +2 more potentially affected by CVE-2026-29000 via org.pac4j:pac4j-jwt (>=6.0.5 <=6.2.2)

org.pac4j:pac4j-jwt MAVEN version =6.0.5, =0.1.0, =7.1.0, =7.1.0, =7.3.4 Source cves: CVE-2026-29000 Source advisory: OSV:GHSA-PM7G-W2CF-Q238...

9.3CVSS7.1AI score0.05856EPSS
Exploits17
NVD
NVD
added 2026/03/04 10:16 p.m.19 views

CVE-2026-29000

pac4j-jwt versions prior to 4.5.9, 5.7.9, and 6.3.3 contain an authentication bypass vulnerability in JwtAuthenticator when processing encrypted JWTs that allows remote attackers to forge authentication tokens. Attackers who possess the server's RSA public key can create a JWE-wrapped PlainJWT wi...

9.3CVSS0.05856EPSS
Exploits17References3
Vulnrichment
Vulnrichment
added 2026/03/04 9:49 p.m.4 views

CVE-2026-29000 pac4j-jwt JwtAuthenticator Authentication Bypass

pac4j-jwt versions prior to 4.5.9, 5.7.9, and 6.3.3 contain an authentication bypass vulnerability in JwtAuthenticator when processing encrypted JWTs that allows remote attackers to forge authentication tokens. Attackers who possess the server's RSA public key can create a JWE-wrapped PlainJWT wi...

9.3CVSS6AI score0.05856EPSS
Exploits17References3
Cvelist
Cvelist
added 2026/03/04 9:49 p.m.48 views

CVE-2026-29000 pac4j-jwt JwtAuthenticator Authentication Bypass

pac4j-jwt versions prior to 4.5.9, 5.7.9, and 6.3.3 contain an authentication bypass vulnerability in JwtAuthenticator when processing encrypted JWTs that allows remote attackers to forge authentication tokens. Attackers who possess the server's RSA public key can create a JWE-wrapped PlainJWT wi...

9.3CVSS0.05856EPSS
Exploits17References3
CVE
CVE
added 2026/03/04 9:49 p.m.329 views

CVE-2026-29000

CVE-2026-29000 affects pac4j-jwt versions prior to 4.5.9, 5.7.9, and 6.3.3. The issue is an authentication bypass in JwtAuthenticator when handling encrypted JWTs, enabling an attacker who has the server’s RSA public key to forge a JWE-wrapped PlainJWT with arbitrary subject and role claims. This...

9.3CVSS6AI score0.05856EPSS
Exploits17References3
CNNVD
CNNVD
added 2026/03/04 12:0 a.m.12 views

pac4j-jwt 数据伪造问题漏洞

pac4j-jwt is an JWT authentication module developed by pac4j as open source. Versions of pac4j-jwt prior to 4.5.9, 5.7.9, and 6.3.3 contained a data manipulation vulnerability. This vulnerability stems from the JwtAuthenticator’s inability to properly handle encrypted JWTs, leading to an...

9.3CVSS6.7AI score0.05856EPSS
Exploits17References3
RedhatCVE
RedhatCVE
added 2026/01/09 9:1 a.m.5 views

CVE-2023-25581

pac4j is a security framework for Java. pac4j-core prior to version 4.0.0 is affected by a Java deserialization vulnerability. The vulnerability affects systems that store externally controlled values in attributes of the UserProfile class from pac4j-core. It can be exploited by providing an...

9.2CVSS7.2AI score0.01936EPSS
Exploits1References1
EUVD
EUVD
added 2025/10/07 12:30 a.m.8 views

EUVD-2019-0762

Malware in sbrugna...

4.9CVSS5AI score0.0113EPSS
Exploits0References4
RedhatCVE
RedhatCVE
added 2025/05/23 8:6 a.m.10 views

CVE-2024-45384

Padding Oracle vulnerability in Apache Druid extension, druid-pac4j. This could allow an attacker to manipulate a pac4j session cookie. This issue affects Apache Druid versions 0.18.0 through 30.0.0. Since the druid-pac4j extension is optional and disabled by default, Druid installations not usin...

5.3CVSS5AI score0.00821EPSS
Exploits0
RedhatCVE
RedhatCVE
added 2025/05/23 3:25 a.m.7 views

CVE-2023-25558

DataHub is an open-source metadata platform. When the DataHub frontend is configured to authenticate via SSO, it will leverage the pac4j library. The processing of the idtoken is done in an unsafe manner which is not properly accounted for by the DataHub frontend. Specifically, if any of the...

8.8CVSS7.5AI score0.01034EPSS
Exploits0References1
RedhatCVE
RedhatCVE
added 2025/05/22 10:25 a.m.9 views

CVE-2019-10755

The SAML identifier generated within SAML2Utils.java was found to make use of the apache commons-lang3 RandomStringUtils class which makes them predictable due to RandomStringUtils PRNG's algorithm not being cryptographically strong. This issue only affects the 3.X release of pac4j-saml...

4.9CVSS6.8AI score0.0113EPSS
Exploits0References1
Snyk
Snyk
added 2025/03/31 7:42 p.m.3 views

Deserialization of Untrusted Data

Overview Affected versions of this package are vulnerable to Deserialization of Untrusted Data in the session handling logic in SessionStoreImplget. An attacker can execute code by sending a malicious payload beginning with "b64", which is deserialized unsafely. Details Serialization is a process...

8.8CVSS7.3AI score0.00612EPSS
Exploits0References2
Cvelist
Cvelist
added 2025/03/31 7:10 p.m.22 views

CVE-2025-31129 jooby-pac4j: deserialization of untrusted data

Jooby is a web framework for Java and Kotlin. The pac4j io.jooby.internal.pac4j.SessionStoreImplget module deserializes untrusted data. This vulnerability is fixed in 2.17.0 2.x and 3.7.0 3.x...

8.8CVSS0.00612EPSS
Exploits0References4
Rows per page
Query Builder