Lucene search
+L

130 matches found

Vulnrichment
Vulnrichment
added 2025/03/20 10:9 a.m.8 views

CVE-2024-6839 Improper Regex Path Matching in corydolphin/flask-cors

corydolphin/flask-cors version 4.0.1 contains an improper regex path matching vulnerability. The plugin prioritizes longer regex patterns over more specific ones when matching paths, which can lead to less restrictive CORS policies being applied to sensitive endpoints. This mismatch in regex...

4.3CVSS4.6AI score0.00652EPSS
Exploits1References1
Cvelist
Cvelist
added 2025/03/20 10:9 a.m.36 views

CVE-2024-6839 Improper Regex Path Matching in corydolphin/flask-cors

corydolphin/flask-cors version 4.0.1 contains an improper regex path matching vulnerability. The plugin prioritizes longer regex patterns over more specific ones when matching paths, which can lead to less restrictive CORS policies being applied to sensitive endpoints. This mismatch in regex...

4.3CVSS0.00652EPSS
Exploits1References1
CNNVD
CNNVD
added 2025/03/20 12:0 a.m.9 views

Flask-CORS 安全漏洞

Flask-CORS is a cross-origin resource sharing component for Flask by the individual developer Cory Dolphin. A security vulnerability exists in Flask-CORS version 4.0.1, which stems from improperly matched regular expression paths and could lead to improperly applied cross-domain resource sharing...

5.3CVSS5.2AI score0.00652EPSS
Exploits1References2
OSV
OSV
added 2024/08/21 4:3 p.m.10 views

GO-2022-0936 Improperly Implemented path matching for in-toto-golang in github.com/in-toto/in-toto-golang

Improperly Implemented path matching for in-toto-golang in github.com/in-toto/in-toto-golang...

6.5CVSS6.4AI score0.0043EPSS
Exploits0References3
Positive Technologies
Positive Technologies
added 2024/05/12 12:0 a.m.7 views

PT-2024-6445

Name of the Vulnerable Software and Affected Versions corydolphin/flask-cors versions 4.0.1 corydolphin/flask-cors version 5.0.1 Description The software contains an improper regex path matching vulnerability. The plugin prioritizes longer regex patterns over more specific ones when matching path...

5.3CVSS6.4AI score0.00652EPSS
Exploits1References45
OSV
OSV
added 2023/07/25 6:24 p.m.59 views

GHSA-WVP2-9PPW-337J Paths contain matrix variables bypass decorators

Impact Spring supports Matrix variables. When Spring integration is used, Armeria calls Spring controllers via TomcatService or JettyService with the path that may contain matrix variables. In this situation, the Armeria decorators might not invoked because of the matrix variables. Let's see the...

7.5CVSS7AI score0.00588EPSS
Exploits0References6
SUSE CVE
SUSE CVE
added 2023/02/15 3:54 a.m.4 views

SUSE CVE-2020-25032

An issue was discovered in Flask-CORS aka CORS Middleware for Flask before 3.0.9. It allows ../ directory traversal to access private resources because resource matching does not ensure that pathnames are in a canonical format...

6.8CVSS9.4AI score0.04017EPSS
Exploits0References9
OSV
OSV
added 2021/09/22 8:37 p.m.19 views

GHSA-VRXP-MG9F-HWF3 Improperly Implemented path matching for in-toto-golang

Impact Authenticated attackers posing as functionaries i.e., within a trusted set of users for a layout are able to create attestations that may bypass DISALLOW rules in the same layout. An attacker with access to trusted private keys, may issue an attestation that contains a disallowed artifact ...

5.6CVSS6.4AI score0.0043EPSS
Exploits0References4
Gitee
Gitee
added 2021/06/30 10:9 a.m.5 views

Exploit for Improper Authentication in Apache Shiro

Apache Shiro 两种姿势绕过认证分析(CVE-2020-17523) 0x01 漏洞描述 Apache Shiro是一个强大且易用的Java安全框架,执行身份验证、授权、密码和会话管理。使用Shiro的易于理解的API,您可以快速、轻松地获得任何应用程序,从最小的移动应用程序到最大的网络和企业应用程序。 当它和 Spring 结合使用时,在一定权限匹配规则下,攻击者可通过构造特殊的 HTTP 请求包完成身份认证绕过。 影响范围:Apache Shiro / | | 双反斜杠处理成反斜杠 | // - / | | 以/.或者/..结尾,则在结尾添加/ | /. - /./ /.....

9.8CVSS7.1AI score0.85911EPSS
Exploits2
Cvelist
Cvelist
added 2021/05/28 9:0 p.m.136 views

CVE-2021-29492 Bypass of path matching rules using escaped slash characters

Envoy is a cloud-native edge/middle/service proxy. Envoy does not decode escaped slash sequences %2F and %5C in HTTP URL paths in versions 1.18.2 and before. A remote attacker may craft a path with escaped slashes, e.g. /something%2F..%2Fadmin, to bypass access control, e.g. a block on /admin. A...

8.1CVSS8.5AI score0.68383EPSS
Exploits0References1
Veracode
Veracode
added 2021/02/04 7:23 a.m.20 views

Authentication Bypass

shiro-core is vulnerable to authentication bypass. The vulnerability exists through a HTTP request that could bypass the path matching checks...

9.8CVSS1AI score0.85911EPSS
Exploits2References17Affected Software2
CNVD
CNVD
added 2021/01/18 12:0 a.m.2 views

Cloudbees Jenkins and LTS Authorization Issues Vulnerability (CNVD-2021-04647)

Cloudbees Jenkins Hudson Labs is the United States CloudBees Cloudbees company a set of Java-based development of continuous integration tools . The product is mainly used to monitor the continuous software version release/testing project and some timed tasks . An authorization issue vulnerabilit...

6.5CVSS7AI score0.01444EPSS
Exploits0References1
CNVD
CNVD
added 2021/01/14 12:0 a.m.6 views

Cloudbees Jenkins and LTS Authorization Issues Vulnerability (CNVD-2021-04651)

Cloudbees Jenkins Hudson Labs is the United States CloudBees company a set of Java-based development of continuous integration tools . The product is mainly used to monitor the continuous software version release/testing project and some timed execution of the task . An authorization issue...

5.3CVSS7.1AI score0.01307EPSS
Exploits0References1
CNNVD
CNNVD
added 2021/01/13 12:0 a.m.8 views

Cloudbees Jenkins 授权问题漏洞

Cloudbees Jenkins Hudson Labs is the United States CloudBees Cloudbees company a set of Java-based development of continuous integration tools . The product is mainly used to monitor the continuous software version release/testing project and some timed tasks . An authorization issue vulnerabilit...

6.5CVSS6.6AI score0.01444EPSS
Exploits0References8
CNNVD
CNNVD
added 2021/01/13 12:0 a.m.7 views

Cloudbees Jenkins 授权问题漏洞

Cloudbees Jenkins Hudson Labs is the United States CloudBees company a set of Java-based development of continuous integration tools . The product is mainly used to monitor the continuous software version release/testing project and some timed execution of the task . An authorization issue...

5.3CVSS6.2AI score0.01307EPSS
Exploits0References8
OSV
OSV
added 2020/12/10 11:15 p.m.29 views

CVE-2020-26269

In TensorFlow release candidate versions 2.4.0rc, the general implementation for matching filesystem paths to globbing pattern is vulnerable to an access out of bounds of the array holding the directories. There are multiple invariants and preconditions that are assumed by the parallel...

7.5CVSS7.5AI score
Exploits0References2
PyPA
PyPA
added 2020/12/10 11:15 p.m.8 views

PYSEC-2020-141

In TensorFlow release candidate versions 2.4.0rc, the general implementation for matching filesystem paths to globbing pattern is vulnerable to an access out of bounds of the array holding the directories. There are multiple invariants and preconditions that are assumed by the parallel...

7.5CVSS6.9AI score0.00663EPSS
Exploits1References2Affected Software1
Debian CVE
Debian CVE
added 2020/12/10 10:10 p.m.7 views

CVE-2020-26269

In TensorFlow release candidate versions 2.4.0rc, the general implementation for matching filesystem paths to globbing pattern is vulnerable to an access out of bounds of the array holding the directories. There are multiple invariants and preconditions that are assumed by the parallel...

7.5CVSS6.9AI score0.00663EPSS
Exploits1
CVE
CVE
added 2020/12/10 10:10 p.m.68 views

CVE-2020-26269

CVE-2020-26269 affects TensorFlow (release candidate 2.4.0rc* and related master branch changes) and describes an access out-of-bounds read in the general filesystem-globbing path matching implementation. The root cause is that invariants and preconditions assumed by the parallel GetMatchingPaths...

7.5CVSS7.4AI score0.00663EPSS
Exploits1References2Affected Software1
NVD
NVD
added 2020/02/12 3:15 p.m.35 views

CVE-2020-8595

Istio versions 1.2.10 End of Life and prior, 1.3 through 1.3.7, and 1.4 through 1.4.3 allows authentication bypass. The Authentication Policy exact-path matching logic can allow unauthorized access to HTTP paths even if they are configured to be only accessed after presenting a valid JWT token. F...

7.5CVSS7.3AI score0.02606EPSS
Exploits1References6
Rows per page
Query Builder