130 matches found
CVE-2024-6839 Improper Regex Path Matching in corydolphin/flask-cors
corydolphin/flask-cors version 4.0.1 contains an improper regex path matching vulnerability. The plugin prioritizes longer regex patterns over more specific ones when matching paths, which can lead to less restrictive CORS policies being applied to sensitive endpoints. This mismatch in regex...
CVE-2024-6839 Improper Regex Path Matching in corydolphin/flask-cors
corydolphin/flask-cors version 4.0.1 contains an improper regex path matching vulnerability. The plugin prioritizes longer regex patterns over more specific ones when matching paths, which can lead to less restrictive CORS policies being applied to sensitive endpoints. This mismatch in regex...
Flask-CORS 安全漏洞
Flask-CORS is a cross-origin resource sharing component for Flask by the individual developer Cory Dolphin. A security vulnerability exists in Flask-CORS version 4.0.1, which stems from improperly matched regular expression paths and could lead to improperly applied cross-domain resource sharing...
GO-2022-0936 Improperly Implemented path matching for in-toto-golang in github.com/in-toto/in-toto-golang
Improperly Implemented path matching for in-toto-golang in github.com/in-toto/in-toto-golang...
PT-2024-6445
Name of the Vulnerable Software and Affected Versions corydolphin/flask-cors versions 4.0.1 corydolphin/flask-cors version 5.0.1 Description The software contains an improper regex path matching vulnerability. The plugin prioritizes longer regex patterns over more specific ones when matching path...
GHSA-WVP2-9PPW-337J Paths contain matrix variables bypass decorators
Impact Spring supports Matrix variables. When Spring integration is used, Armeria calls Spring controllers via TomcatService or JettyService with the path that may contain matrix variables. In this situation, the Armeria decorators might not invoked because of the matrix variables. Let's see the...
SUSE CVE-2020-25032
An issue was discovered in Flask-CORS aka CORS Middleware for Flask before 3.0.9. It allows ../ directory traversal to access private resources because resource matching does not ensure that pathnames are in a canonical format...
GHSA-VRXP-MG9F-HWF3 Improperly Implemented path matching for in-toto-golang
Impact Authenticated attackers posing as functionaries i.e., within a trusted set of users for a layout are able to create attestations that may bypass DISALLOW rules in the same layout. An attacker with access to trusted private keys, may issue an attestation that contains a disallowed artifact ...
Exploit for Improper Authentication in Apache Shiro
Apache Shiro 两种姿势绕过认证分析(CVE-2020-17523) 0x01 漏洞描述 Apache Shiro是一个强大且易用的Java安全框架,执行身份验证、授权、密码和会话管理。使用Shiro的易于理解的API,您可以快速、轻松地获得任何应用程序,从最小的移动应用程序到最大的网络和企业应用程序。 当它和 Spring 结合使用时,在一定权限匹配规则下,攻击者可通过构造特殊的 HTTP 请求包完成身份认证绕过。 影响范围:Apache Shiro / | | 双反斜杠处理成反斜杠 | // - / | | 以/.或者/..结尾,则在结尾添加/ | /. - /./ /.....
CVE-2021-29492 Bypass of path matching rules using escaped slash characters
Envoy is a cloud-native edge/middle/service proxy. Envoy does not decode escaped slash sequences %2F and %5C in HTTP URL paths in versions 1.18.2 and before. A remote attacker may craft a path with escaped slashes, e.g. /something%2F..%2Fadmin, to bypass access control, e.g. a block on /admin. A...
Authentication Bypass
shiro-core is vulnerable to authentication bypass. The vulnerability exists through a HTTP request that could bypass the path matching checks...
Cloudbees Jenkins and LTS Authorization Issues Vulnerability (CNVD-2021-04647)
Cloudbees Jenkins Hudson Labs is the United States CloudBees Cloudbees company a set of Java-based development of continuous integration tools . The product is mainly used to monitor the continuous software version release/testing project and some timed tasks . An authorization issue vulnerabilit...
Cloudbees Jenkins and LTS Authorization Issues Vulnerability (CNVD-2021-04651)
Cloudbees Jenkins Hudson Labs is the United States CloudBees company a set of Java-based development of continuous integration tools . The product is mainly used to monitor the continuous software version release/testing project and some timed execution of the task . An authorization issue...
Cloudbees Jenkins 授权问题漏洞
Cloudbees Jenkins Hudson Labs is the United States CloudBees Cloudbees company a set of Java-based development of continuous integration tools . The product is mainly used to monitor the continuous software version release/testing project and some timed tasks . An authorization issue vulnerabilit...
Cloudbees Jenkins 授权问题漏洞
Cloudbees Jenkins Hudson Labs is the United States CloudBees company a set of Java-based development of continuous integration tools . The product is mainly used to monitor the continuous software version release/testing project and some timed execution of the task . An authorization issue...
CVE-2020-26269
In TensorFlow release candidate versions 2.4.0rc, the general implementation for matching filesystem paths to globbing pattern is vulnerable to an access out of bounds of the array holding the directories. There are multiple invariants and preconditions that are assumed by the parallel...
PYSEC-2020-141
In TensorFlow release candidate versions 2.4.0rc, the general implementation for matching filesystem paths to globbing pattern is vulnerable to an access out of bounds of the array holding the directories. There are multiple invariants and preconditions that are assumed by the parallel...
CVE-2020-26269
In TensorFlow release candidate versions 2.4.0rc, the general implementation for matching filesystem paths to globbing pattern is vulnerable to an access out of bounds of the array holding the directories. There are multiple invariants and preconditions that are assumed by the parallel...
CVE-2020-26269
CVE-2020-26269 affects TensorFlow (release candidate 2.4.0rc* and related master branch changes) and describes an access out-of-bounds read in the general filesystem-globbing path matching implementation. The root cause is that invariants and preconditions assumed by the parallel GetMatchingPaths...
CVE-2020-8595
Istio versions 1.2.10 End of Life and prior, 1.3 through 1.3.7, and 1.4 through 1.4.3 allows authentication bypass. The Authentication Policy exact-path matching logic can allow unauthorized access to HTTP paths even if they are configured to be only accessed after presenting a valid JWT token. F...