ATTACKERKB · added 2022/07/18 12:00 a.m.

CVE-2022-33926

Dell Wyse Management Suite 3.6.1 and below contains an improper access control vulnerability. A remote malicious user could exploit this vulnerability in order to retain access to a file repository after it has been revoked...

CVSS 7.1 · AI score 5.9 · EPSS 0.00253 · Exploits 0 · References 2
RedhatCVE · added 2022/07/16 8:17 p.m.

CVE-2022-2447

A flaw was found in Keystone. There is a time lag up to one hour in a default configuration between when security policy says a token should be revoked from when it is actually revoked. This could allow a remote administrator to secretly maintain access for longer than expected...

CVSS 6.6 · AI score 2.2 · EPSS 0.00466 · Exploits 1 · References 4
OpenVAS · added 2022/07/07 12:00 a.m.

Mozilla Thunderbird Security Advisory (MFSA2022-15) - Mac OS X

Mozilla Thunderbird is prone to multiple vulnerabilities. SPDX-FileCopyrightText: 2022 Greenbone AG. Some text descriptions might be excerpted from referenced sources and are Copyright (C) by the respective right holders. SPDX-License-Identifier: GPL-2.0-only. CPE = "cpe:/a:mozilla:thunderbird";...

CVSS 8.8 · AI score 8.2 · EPSS 0.15741 · Exploits 7 · References 1
Hacker One · added 2022/06/25 5:13 p.m.

Stripo Inc: Non-revoked API Key Information disclosure via Stripo_report()

Talking about 983331 reports where a security researcher reported secret API key leakage vulnerability in a JavaScript file at Stripo. This report is disclosed on HackerOne, and the team at Stripo have forgotten to blur the API keys from the report before disclosing it to the public. The API keys...

AI score 6.7 · Exploits 0
CVE · added 2022/06/14 8:55 p.m.

CVE-2022-31050

TYPO3 Admin Tool sessions could remain valid after a user account was degraded or disabled, enabling prolonged access in the admin interface prior to the fixes. The vulnerability affects TYPO3 CMS and was addressed by updates in 9.5.34 ELTS, 10.4.29, and 11.5.11, per CVE-2022-31050 disclosures. T...

CVSS 7.2 · AI score 6.4 · EPSS 0.00439 · Exploits 0 · References 3 · Affected Software 1
OSV · added 2022/05/24 5:21 p.m.

GHSA-H564-6GC2-FCC6 Mattermost Server allows users with a session ID to revoke another user's session

An issue was discovered in Mattermost Server before 4.3.0, 4.2.1, and 4.1.2. Knowledge of a session ID allows revoking another user's session...

CVSS 4.3 · AI score 6.8 · EPSS 0.00172 · Exploits 0 · References 6
Github Security Blog · added 2022/05/24 5:21 p.m.

Mattermost Server allows users with a session ID to revoke another user's session

An issue was discovered in Mattermost Server before 4.3.0, 4.2.1, and 4.1.2. Knowledge of a session ID allows revoking another user's session...

CVSS 4.3 · AI score 7 · EPSS 0.00172 · Exploits 0 · References 6 · Affected Software 1
OSV · added 2022/05/17 4:56 a.m.

GHSA-22Q6-WWQ7-2JJ9 OpenStack Keystone Improper Authentication vulnerability

OpenStack Keystone Folsom 2012.2 does not properly perform revocation checks for Keystone PKI tokens when done through a server, which allows remote attackers to bypass intended access restrictions via a revoked PKI token...

CVSS 6.9 · AI score 6.2 · EPSS 0.01162 · Exploits 0 · References 16
OSV · added 2022/05/17 4:31 a.m.

GHSA-V8FQ-GQ9J-3V7H OpenStack Identity (Keystone) UUID v2 tokens do not expire with revocation events

The V3 API in OpenStack Identity (Keystone) 2014.1.x before 2014.1.2.1 and Juno before Juno-3 updates the issued_at value for UUID v2 tokens, which allows remote authenticated users to bypass the token expiration and retain access via a verification (1) GET or (2) HEAD request to v3/auth/tokens/...

CVSS 7.1 · AI score 6 · EPSS 0.00287 · Exploits 0 · References 11
OSV · added 2022/05/17 4:31 a.m.

GHSA-77W8-QV8M-386H OpenStack Keystone Domain-scoped tokens don't get revoked

OpenStack Identity Keystone 2014.1.x before 2014.1.2.1 and Juno before Juno-3 does not properly revoke tokens when a domain is invalidated, which allows remote authenticated users to retain access via a domain-scoped token for that domain...

CVSS 7.1 · AI score 6 · EPSS 0.0031 · Exploits 0 · References 12
Github Security Blog · added 2022/05/17 4:31 a.m.

OpenStack Identity (Keystone) Multiple vulnerabilities in revocation events

The MySQL token driver in OpenStack Identity Keystone 2014.1.x before 2014.1.2.1 and Juno before Juno-3 stores timestamps with the incorrect precision, which causes the expiration comparison for tokens to fail and allows remote authenticated users to retain access via an expired token...

CVSS 4.9 · AI score 6.8 · EPSS 0.0031 · Exploits 0 · References 10 · Affected Software 1
OSV · added 2022/05/17 4:13 a.m.

GHSA-23X9-8HXR-978C OpenStack Identity (Keystone) Trustee token revocations do not work with memcache backend

The memcache token backend in OpenStack Identity Keystone 2013.1 through 2.013.1.4, 2013.2 through 2013.2.2, and icehouse before icehouse-3, when issuing a trust token with impersonation enabled, does not include this token in the trustee's token-index-list, which prevents the token from being...

CVSS 7.1 · AI score 6.2 · EPSS 0.00188 · Exploits 1 · References 9
Github Security Blog · added 2022/05/17 3:41 a.m.

OpenStack Identity Keystone Improper Access Control

The Fernet Token Provider in OpenStack Identity Keystone 9.0.x before 9.0.1 mitaka allows remote authenticated users to prevent revocation of a chain of tokens and bypass intended access restrictions by rescoping a token...

CVSS 4.3 · AI score 6.8 · EPSS 0.00304 · Exploits 0 · References 10 · Affected Software 1
OSV · added 2022/05/17 1:36 a.m.

GHSA-HJ89-QMX9-8QMH OpenStack Identity (Keystone) improper revoking of the authentication token when deleting a user

OpenStack Identity Keystone Folsom 2012.2.4 and earlier, Grizzly before 2013.1.1, and Havana does not immediately revoke the authentication token when deleting a user through the Keystone v2 API, which allows remote authenticated users to retain access via the token...

CVSS 5.3 · AI score 6.2 · EPSS 0.00908 · Exploits 1 · References 13
OSV · added 2022/05/13 1:23 a.m.

GHSA-QC72-GFVW-76H7 Keycloak Oauth Implementation Error

It was found that Keycloak oauth would permit an authenticated resource to obtain an access/refresh token pair from the authentication server, permitting indefinite usage in the case of permission revocation. An attacker on an already compromised resource could use this flaw to grant himself...

CVSS 7.2 · AI score 6.8 · EPSS 0.00571 · Exploits 0 · References 6
Github Security Blog · added 2022/05/13 1:23 a.m.

Keycloak Oauth Implementation Error

It was found that Keycloak oauth would permit an authenticated resource to obtain an access/refresh token pair from the authentication server, permitting indefinite usage in the case of permission revocation. An attacker on an already compromised resource could use this flaw to grant himself...

CVSS 7.2 · AI score 6.7 · EPSS 0.00571 · Exploits 0 · References 6 · Affected Software 1
Github Security Blog · added 2022/05/13 1:10 a.m.

Cloud Foundry UAA Denial of Service through client token revocation endpoint

An issue was discovered in Cloud Foundry Foundation cf-release all versions prior to v279 and UAA 30.x versions prior to 30.6, 45.x versions prior to 45.4, 52.x versions prior to 52.1. In some cases, the UAA allows an authenticated user for a particular client to revoke client tokens for other...

CVSS 5.3 · AI score 6.9 · EPSS 0.00419 · Exploits 0 · References 10 · Affected Software 1
OSV · added 2022/05/13 1:10 a.m.

GHSA-J4P3-2M2H-CV5F Cloud Foundry UAA Denial of Service through client token revocation endpoint

An issue was discovered in Cloud Foundry Foundation cf-release all versions prior to v279 and UAA 30.x versions prior to 30.6, 45.x versions prior to 45.4, 52.x versions prior to 52.1. In some cases, the UAA allows an authenticated user for a particular client to revoke client tokens for other...

CVSS 5.3 · AI score 6.1 · EPSS 0.00419 · Exploits 0 · References 10
RedHat Linux · added 2022/05/10 1:59 p.m.

cockpit: authenticates with revoked certificates

A flaw was found in Cockpit in the way it handles the certificate verification performed by the System Security Services Daemon (SSSD). This flaw allows client certificates to authenticate successfully, regardless of the Certificate Revocation List (CRL) configuration or the certificate status. The...

CVSS 7.5 · AI score 7.3 · EPSS 0.00114 · Exploits 0 · References 4
Cvelist · added 2022/05/02 4:55 p.m.

CVE-2021-29859

IBM ICP4A - User Management System Component IBM Cloud Pak for Business Automation V21.0.3 through V21.0.3-IF008, V21.0.2 through V21.0.2-IF009, and V21.0.1 through V21.0.1-IF007 could allow a user with physical access to the system to perform unauthorized actions or obtain sensitive information...

CVSS 3.5 · AI score 6.3 · EPSS 0.00049 · Exploits 0 · References 2