Lucene search
+L

153 matches found

OSV
OSV
added 2026/04/02 3:31 p.m.10 views

GHSA-F2HX-5FX3-HMCV Keycloak: UMA Policy Resource Injection Allows Unauthorized Cross-User Permission Grants

A flaw was found in Keycloak. An authenticated user with the umaprotection role can bypass User-Managed Access UMA policy validation. This allows the attacker to include resource identifiers owned by other users in a policy creation request, even if the URL path specifies an attacker-owned...

8.1CVSS5.9AI score0.00346EPSS
Exploits1References10
NVD
NVD
added 2026/04/02 1:16 p.m.5 views

CVE-2026-4636

A flaw was found in Keycloak. An authenticated user with the umaprotection role can bypass User-Managed Access UMA policy validation. This allows the attacker to include resource identifiers owned by other users in a policy creation request, even if the URL path specifies an attacker-owned...

8.1CVSS0.00346EPSS
Exploits1References7
Positive Technologies
Positive Technologies
added 2026/04/02 12:0 a.m.4 views

PT-2026-29732

Name of the Vulnerable Software and Affected Versions Keycloak affected versions not specified Description A flaw exists in Keycloak where an authenticated user possessing the uma protection role can circumvent User-Managed Access UMA policy validation. This allows an attacker to include resource...

8.1CVSS5.9AI score0.00346EPSS
Exploits1References13
Packet Storm News
Packet Storm News
added 2026/03/12 12:0 a.m.4 views

AEGIS: No Tool Call Left Unchecked -- a Pre-Execution Firewall and Audit Layer for AI Agents

AI agents increasingly act through external tools: they query databases, execute shell commands, read and write files, and send network requests. Yet in most current agent stacks, model-generated tool calls are handed to the execution layer with no framework-agnostic control point in between...

6AI score
Exploits0
Github Security Blog
Github Security Blog
added 2026/02/25 10:38 p.m.11 views

RustFS: Missing Post Policy Validation leads to Arbitrary Object Write

Summary RustFS does not validate policy conditions in presigned POST uploads PostObject, allowing attackers to bypass content-length-range, starts-with, and Content-Type constraints. This enables unauthorized file uploads exceeding size limits, uploads to arbitrary object keys, and content-type...

9.1CVSS5.8AI score0.00265EPSS
Exploits0References4Affected Software1
OSV
OSV
added 2026/02/25 10:38 p.m.4 views

GHSA-W5FH-F8XH-5X3P RustFS: Missing Post Policy Validation leads to Arbitrary Object Write

Summary RustFS does not validate policy conditions in presigned POST uploads PostObject, allowing attackers to bypass content-length-range, starts-with, and Content-Type constraints. This enables unauthorized file uploads exceeding size limits, uploads to arbitrary object keys, and content-type...

8.1CVSS5.9AI score0.00265EPSS
Exploits0References4
CVE
CVE
added 2026/02/25 2:10 a.m.17 views

CVE-2026-27607

RustFS is affected by a vulnerability in versions 1.0.0-alpha.56 through 1.0.0-alpha.82 where presigned POST uploads (PostObject) do not validate policy conditions. The server bypasses content-length-range, starts-with, and Content-Type constraints, allowing unauthorized file uploads that can exc...

9.1CVSS5.6AI score0.00265EPSS
Exploits0References1Affected Software1
ATTACKERKB
ATTACKERKB
added 2026/02/25 2:10 a.m.7 views

CVE-2026-27607

RustFS is a distributed object storage system built in Rust. In versions 1.0.0-alpha.56 through 1.0.0-alpha.82, RustFS does not validate policy conditions in presigned POST uploads PostObject, allowing attackers to bypass content-length-range, starts-with, and Content-Type constraints. This enabl...

9.1CVSS5.6AI score0.00265EPSS
Exploits0References2Affected Software1
Cvelist
Cvelist
added 2026/02/25 2:10 a.m.24 views

CVE-2026-27607 RustFS's Missing Post Policy Validation leads to Arbitrary Object Write

RustFS is a distributed object storage system built in Rust. In versions 1.0.0-alpha.56 through 1.0.0-alpha.82, RustFS does not validate policy conditions in presigned POST uploads PostObject, allowing attackers to bypass content-length-range, starts-with, and Content-Type constraints. This enabl...

8.1CVSS0.00265EPSS
Exploits0References1
OSV
OSV
added 2026/02/25 2:10 a.m.6 views

CVE-2026-27607 RustFS's Missing Post Policy Validation leads to Arbitrary Object Write

RustFS is a distributed object storage system built in Rust. In versions 1.0.0-alpha.56 through 1.0.0-alpha.82, RustFS does not validate policy conditions in presigned POST uploads PostObject, allowing attackers to bypass content-length-range, starts-with, and Content-Type constraints. This enabl...

8.1CVSS5.7AI score0.00265EPSS
Exploits0References3
OSV
OSV
added 2026/01/13 6:47 p.m.4 views

GHSA-XRWG-MQJ6-6M22 Envoy Extension Policy lua scripts injection causes arbitrary command execution

Impact Envoy Gateway allows users to create Lua scripts that are executed by Envoy proxy using the EnvoyExtensionPolicy resource. Administrators can use Kubernetes RBAC to grant users the ability to create EnvoyExtensionPolicy resources. Lua scripts in policies are executed in two contexts: An...

8.8CVSS7.9AI score0.00567EPSS
Exploits1References3
Amazon
Amazon
added 2026/01/07 12:0 a.m.22 views

Important: amazon-ssm-agent

Issue Overview: Calling Verify with a VerifyOptions.KeyUsages that contains ExtKeyUsageAny unintentionally disabledpolicy validation. This only affected certificate chains which contain policy graphs, which are rather uncommon. CVE-2025-22874 Proxy-Authorization and Proxy-Authenticate headers...

7.5CVSS6.8AI score0.00626EPSS
Exploits2
Amazon
Amazon
added 2026/01/05 12:0 a.m.9 views

Important: amazon-ssm-agent

Issue Overview: Calling Verify with a VerifyOptions.KeyUsages that contains ExtKeyUsageAny unintentionally disabledpolicy validation. This only affected certificate chains which contain policy graphs, which are rather uncommon. CVE-2025-22874 Proxy-Authorization and Proxy-Authenticate headers...

7.5CVSS6.8AI score0.00626EPSS
Exploits0
SUSE CVE
SUSE CVE
added 2025/11/09 12:23 a.m.3 views

SUSE CVE-2025-62506

MinIO is a high-performance object storage system. In all versions prior to RELEASE.2025-10-15T17-29-55Z, a privilege escalation vulnerability allows service accounts and STS Security Token Service accounts with restricted session policies to bypass their inline policy restrictions when performin...

8.1CVSS7.3AI score0.00515EPSS
Exploits1References2
IBM Security Bulletins
IBM Security Bulletins
added 2025/10/28 5:59 a.m.8 views

Security Bulletin: Multiple Vulnerabilities in IBM Concert Software.

Summary Multiple vulnerabilities were addressed in IBM Concert Software version 2.1.0 Vulnerability Details CVEID:CVE-2024-23337 DESCRIPTION: jq is a command-line JSON processor. In versions up to and including 1.7.1, an integer overflow arises when assigning value using an index of 2147483647, t...

9.4CVSS7.8AI score0.01735EPSS
Exploits6Affected Software1
OSV
OSV
added 2025/10/21 9:34 a.m.4 views

BIT-MINIO-2025-62506 MinIO vulnerable to privilege escalation via session policy bypass in service accounts and STS

MinIO is a high-performance object storage system. In all versions prior to RELEASE.2025-10-15T17-29-55Z, a privilege escalation vulnerability allows service accounts and STS Security Token Service accounts with restricted session policies to bypass their inline policy restrictions when performin...

8.1CVSS7.3AI score0.00515EPSS
Exploits1References7
OSV
OSV
added 2025/10/16 9:36 p.m.2 views

GHSA-JJJJ-JWHF-8RGR MinIO is Vulnerable to Privilege Escalation via Session Policy Bypass in Service Accounts and STS

Summary A privilege escalation vulnerability allows service accounts and STS Security Token Service accounts with restricted session policies to bypass their inline policy restrictions when performing "own" account operations, specifically when creating new service accounts for the same user...

8.1CVSS7.4AI score0.00515EPSS
Exploits1References8
Cvelist
Cvelist
added 2025/10/16 9:17 p.m.12 views

CVE-2025-62506 MinIO vulnerable to privilege escalation via session policy bypass in service accounts and STS

MinIO is a high-performance object storage system. In all versions prior to RELEASE.2025-10-15T17-29-55Z, a privilege escalation vulnerability allows service accounts and STS Security Token Service accounts with restricted session policies to bypass their inline policy restrictions when performin...

8.1CVSS0.00515EPSS
Exploits1References3
CVE
CVE
added 2025/10/16 9:17 p.m.117 views

CVE-2025-62506

MinIO CVE-2025-62506 is a privilege-escalation issue in which a restricted service/STS account can create a new service account for itself due to a DenyOnly short-circuit in session-policy validation. Affected versions are prior to RELEASE.2025-10-15T17-29-55Z; the attacker may gain parent-level ...

8.1CVSS6.8AI score0.00515EPSS
Exploits1References6
OSV
OSV
added 2025/10/16 9:17 p.m.4 views

CVE-2025-62506 MinIO vulnerable to privilege escalation via session policy bypass in service accounts and STS

MinIO is a high-performance object storage system. In all versions prior to RELEASE.2025-10-15T17-29-55Z, a privilege escalation vulnerability allows service accounts and STS Security Token Service accounts with restricted session policies to bypass their inline policy restrictions when performin...

8.1CVSS7.3AI score0.00515EPSS
Exploits1References8
Rows per page
Query Builder