114 matches found
ba.sake:pac4j-testkit (>=0.1.0 <=0.2.0), com.baomidou:shaun-core (=2.0.0) +5 more potentially affected by CVE-2026-29000 via org.pac4j:pac4j-jwt (>=6.0.3 <=6.2.2)
org.pac4j:pac4j-jwt MAVEN version =6.0.3, =0.1.0, =7.1.0, =7.1.0, =7.3.4 Source cves: CVE-2026-29000 Source advisory: SNYK:JAVA-ORGPAC4J-15428218...
com.efluid.oss:efluid-datagate-app (>=3.1.3 <=6.1.5), com.efluid.oss:efluid-datagate-app-cucumber (>=3.1.3 <=6.1.5) +5 more potentially affected by CVE-2026-29000 via org.pac4j:pac4j-jwt (>=5.0.1 <=5.7.8)
org.pac4j:pac4j-jwt MAVEN version =5.0.1, =3.1.3, =3.1.3, =0.8.0, =0.8.0, =2.0.6, =2.2.1, =2.0.6, =2.1.0 Source cves: CVE-2026-29000 Source advisory: SNYK:JAVA-ORGPAC4J-15428218...
com.baomidou:shaun-core (>=1.0 <=1.4), com.baomidou:shaun-spring-boot-starter (>=1.0 <=1.4) +37 more potentially affected by CVE-2026-29000 via org.pac4j:pac4j-jwt (>=4.0.0-RC1 <=4.5.8)
org.pac4j:pac4j-jwt MAVEN version =4.0.0-RC1, =1.0, =1.0, =1.1, =1.1.0, =1.1.1, =1.1.1, =1.1.1, =1.0.0.RELEASE, =0.2.0, =0.2.0, =0.2.0, =0.2.0, =0.2.0, =0.2.0, =0.2.0, =0.9.0 and more Source cves: CVE-2026-29000 Source advisory: SNYK:JAVA-ORGPAC4J-15428218...
com.efluid.oss:efluid-datagate-app (>=3.1.3 <=6.1.5), com.efluid.oss:efluid-datagate-app-cucumber (>=3.1.3 <=6.1.5) +5 more potentially affected by CVE-2026-29000 via org.pac4j:pac4j-jwt (>=5.0.1 <=5.7.8)
org.pac4j:pac4j-jwt MAVEN version =5.0.1, =3.1.3, =3.1.3, =0.8.0, =0.8.0, =2.0.6, =2.2.1, =2.0.6, =2.1.0 Source cves: CVE-2026-29000 Source advisory: OSV:GHSA-PM7G-W2CF-Q238...
cc.akkaha:asura-play_2.12 (>=0.5.0 <=0.6.0), cc.akkaha:pea_2.12 (>=0.1.0 <=0.7.0) +305 more potentially affected by CVE-2026-29000 via org.pac4j:pac4j-jwt (>=1.8.2 <=4.5.8)
org.pac4j:pac4j-jwt MAVEN version =1.8.2, =0.5.0, =0.1.0, =1.0, =1.0, =1.1, =1.1.0, =1.1.1, =1.1.1, =1.1.1, =1.0.0-beta-21, =1.0.0-beta-21, =1.0.0.RELEASE, =0.2.0, =0.2.0, =0.2.0, =0.9.0 and more Source cves: CVE-2026-29000 Source advisory: OSV:GHSA-PM7G-W2CF-Q238...
EUVD-2026-9505
pac4j-jwt versions prior to 4.5.9, 5.7.9, and 6.3.3 contain an authentication bypass vulnerability in JwtAuthenticator when processing encrypted JWTs that allows remote attackers to forge authentication tokens. Attackers who possess the server's RSA public key can create a JWE-wrapped PlainJWT wi...
GHSA-PM7G-W2CF-Q238 pac4j-jwt: JwtAuthenticator Authentication Bypass via JWE-Wrapped PlainJWT
pac4j-jwt versions prior to 4.5.9, 5.7.9, and 6.3.3 contain an authentication bypass vulnerability in JwtAuthenticator when processing encrypted JWTs that allows remote attackers to forge authentication tokens. Attackers who possess the server's RSA public key can create a JWE-wrapped PlainJWT wi...
ba.sake:pac4j-testkit (>=0.1.0 <=0.2.0), com.github.hiwepy:pac4j-spring-boot-starter (=3.3.x.20241020.RELEASE) +2 more potentially affected by CVE-2026-29000 via org.pac4j:pac4j-jwt (>=6.0.5 <=6.2.2)
org.pac4j:pac4j-jwt MAVEN version =6.0.5, =0.1.0, =7.1.0, =7.1.0, =7.3.4 Source cves: CVE-2026-29000 Source advisory: OSV:GHSA-PM7G-W2CF-Q238...
CVE-2026-29000
pac4j-jwt versions prior to 4.5.9, 5.7.9, and 6.3.3 contain an authentication bypass vulnerability in JwtAuthenticator when processing encrypted JWTs that allows remote attackers to forge authentication tokens. Attackers who possess the server's RSA public key can create a JWE-wrapped PlainJWT wi...
CVE-2026-29000 pac4j-jwt JwtAuthenticator Authentication Bypass
pac4j-jwt versions prior to 4.5.9, 5.7.9, and 6.3.3 contain an authentication bypass vulnerability in JwtAuthenticator when processing encrypted JWTs that allows remote attackers to forge authentication tokens. Attackers who possess the server's RSA public key can create a JWE-wrapped PlainJWT wi...
CVE-2026-29000 pac4j-jwt JwtAuthenticator Authentication Bypass
pac4j-jwt versions prior to 4.5.9, 5.7.9, and 6.3.3 contain an authentication bypass vulnerability in JwtAuthenticator when processing encrypted JWTs that allows remote attackers to forge authentication tokens. Attackers who possess the server's RSA public key can create a JWE-wrapped PlainJWT wi...
CVE-2026-29000
CVE-2026-29000 affects pac4j-jwt versions prior to 4.5.9, 5.7.9, and 6.3.3. The issue is an authentication bypass in JwtAuthenticator when handling encrypted JWTs, enabling an attacker who has the server’s RSA public key to forge a JWE-wrapped PlainJWT with arbitrary subject and role claims. This...
pac4j-jwt 数据伪造问题漏洞
pac4j-jwt is an JWT authentication module developed by pac4j as open source. Versions of pac4j-jwt prior to 4.5.9, 5.7.9, and 6.3.3 contained a data manipulation vulnerability. This vulnerability stems from the JwtAuthenticator’s inability to properly handle encrypted JWTs, leading to an...
CVE-2023-25581
pac4j is a security framework for Java. pac4j-core prior to version 4.0.0 is affected by a Java deserialization vulnerability. The vulnerability affects systems that store externally controlled values in attributes of the UserProfile class from pac4j-core. It can be exploited by providing an...
EUVD-2019-0762
Malware in sbrugna...
CVE-2024-45384
Padding Oracle vulnerability in Apache Druid extension, druid-pac4j. This could allow an attacker to manipulate a pac4j session cookie. This issue affects Apache Druid versions 0.18.0 through 30.0.0. Since the druid-pac4j extension is optional and disabled by default, Druid installations not usin...
CVE-2023-25558
DataHub is an open-source metadata platform. When the DataHub frontend is configured to authenticate via SSO, it will leverage the pac4j library. The processing of the idtoken is done in an unsafe manner which is not properly accounted for by the DataHub frontend. Specifically, if any of the...
CVE-2019-10755
The SAML identifier generated within SAML2Utils.java was found to make use of the apache commons-lang3 RandomStringUtils class which makes them predictable due to RandomStringUtils PRNG's algorithm not being cryptographically strong. This issue only affects the 3.X release of pac4j-saml...
Deserialization of Untrusted Data
Overview Affected versions of this package are vulnerable to Deserialization of Untrusted Data in the session handling logic in SessionStoreImplget. An attacker can execute code by sending a malicious payload beginning with "b64", which is deserialized unsafely. Details Serialization is a process...
CVE-2025-31129 jooby-pac4j: deserialization of untrusted data
Jooby is a web framework for Java and Kotlin. The pac4j io.jooby.internal.pac4j.SessionStoreImplget module deserializes untrusted data. This vulnerability is fixed in 2.17.0 2.x and 3.7.0 3.x...