
1997 matches found

Source: NVD (added 2025/02/11 7:15 p.m.)

CVE-2025-25202

Ash Authentication is an authentication framework for Elixir applications. Applications which have been bootstrapped by the igniter installer present since AshAuthentication v4.1.0 and who have used the magic link strategy or are manually revoking tokens are affected by revoked tokens being allow...

CVSS 6.5 · EPSS 0.0016
Exploits: 1 · References: 2
Source: Cvelist (added 2025/02/11 6:28 p.m.)

CVE-2025-25202 Ash Authentication has flawed token revocation checking logic in actions generated by `mix ash_authentication.install`

Ash Authentication is an authentication framework for Elixir applications. Applications which have been bootstrapped by the igniter installer present since AshAuthentication v4.1.0 and who have used the magic link strategy or are manually revoking tokens are affected by revoked tokens being allow...

CVSS 6.3 · EPSS 0.0016
Exploits: 1 · References: 2
Source: Vulnrichment (added 2025/02/11 6:28 p.m.)

CVE-2025-25202 Ash Authentication has flawed token revocation checking logic in actions generated by `mix ash_authentication.install`

Ash Authentication is an authentication framework for Elixir applications. Applications which have been bootstrapped by the igniter installer present since AshAuthentication v4.1.0 and who have used the magic link strategy or are manually revoking tokens are affected by revoked tokens being allow...

CVSS 6.3 · AI score 6.6 · EPSS 0.0016
Exploits: 1 · References: 2
Source: CVE (added 2025/02/11 6:28 p.m.)

CVE-2025-25202

CVE-2025-25202 affects Ash Authentication (Elixir) in installations bootstrapped with the igniter installer from v4.1.0 up to but not including v4.4.9. The issue is that magic link tokens—as well as tokens revoked manually—could be verified as valid even after revocation, effectively making magic...

CVSS 6.5 · AI score 6.6 · EPSS 0.0016
Exploits: 1 · References: 2 · Affected Software: 1
Source: OSV (added 2025/02/11 6:28 p.m.)

CVE-2025-25202 Ash Authentication has flawed token revocation checking logic in actions generated by `mix ash_authentication.install`

Ash Authentication is an authentication framework for Elixir applications. Applications which have been bootstrapped by the igniter installer present since AshAuthentication v4.1.0 and who have used the magic link strategy or are manually revoking tokens are affected by revoked tokens being allow...

CVSS 6.3 · AI score 6.8 · EPSS 0.0016
Exploits: 1 · References: 4
Source: Github Security Blog (added 2025/02/11 6:12 p.m.)

Ash Authentication has flawed token revocation checking logic in actions generated by `mix ash_authentication.install`

Impact: Applications which have been bootstrapped by the new igniter installer since AshAuthentication v4.1.0 and who have used the magic link strategy, password resets, confirmation, or are manually revoking tokens are affected by revoked tokens being allowed to verify as valid. If you did not us...

CVSS 6.5 · AI score 6.5 · EPSS 0.0016
Exploits: 1 · References: 4 · Affected Software: 1
Source: OSV (added 2025/02/11 6:12 p.m.)

GHSA-QRM9-F75W-HG4C Ash Authentication has flawed token revocation checking logic in actions generated by `mix ash_authentication.install`

Impact: Applications which have been bootstrapped by the new igniter installer since AshAuthentication v4.1.0 and who have used the magic link strategy, password resets, confirmation, or are manually revoking tokens are affected by revoked tokens being allowed to verify as valid. If you did not us...

CVSS 6.3 · AI score 6.5 · EPSS 0.0016
Exploits: 1 · References: 4
Source: Positive Technologies (added 2025/02/11 12:00 a.m.)

PT-2025-6376 · Unknown · Ashauthentication

Name of the Vulnerable Software and Affected Versions: AshAuthentication versions 4.1.0 through 4.4.8. Description: The issue affects applications that have been bootstrapped by the new igniter installer since AshAuthentication v4.1.0 and have used the magic link strategy or are manually revoking...

CVSS 6.3 · AI score 7.5 · EPSS 0.0016
Exploits: 1 · References: 9
Source: RedhatCVE (added 2025/02/06 2:36 a.m.)

CVE-2025-23208

zot is a production-ready vendor-neutral OCI image registry. The group data stored for users in the boltdb database meta.db is an append-list, so group revocations/removals are ignored in the API. SetUserGroups is called on login, but instead of replacing the group memberships, they are appended...

CVSS 7.3 · AI score 7 · EPSS 0.00107
Exploits: 1 · References: 1
Source: RedhatCVE (added 2025/02/05 2:53 p.m.)

CVE-2020-15223

In ORY Fosite, the security-first OAuth2 & OpenID Connect framework for Go, before version 0.34.0, the TokenRevocationHandler ignores errors coming from the storage. This can lead to unexpected 200 status codes indicating successful revocation while the token is still valid. Whether an attacker can...

CVSS 8 · AI score 6.6 · EPSS 0.00475
Exploits: 0
Source: RedhatCVE (added 2025/02/05 1:42 p.m.)

CVE-2020-13299

A vulnerability was discovered in GitLab versions before 13.1.10, 13.2.8 and 13.3.4. The revocation feature was not revoking all session tokens and one could re-use it to obtain a valid session...

CVSS 8.1 · AI score 6.2 · EPSS 0.00186
Exploits: 0
Source: Packet Storm News (added 2025/02/05 12:00 a.m.)

Botan C++ Crypto Algorithms Library 3.7.1

Botan is a C++ library of cryptographic algorithms, including AES, DES, SHA-1, RSA, DSA, Diffie-Hellman, and many others. It also supports X.509 certificates and CRLs, and PKCS 10 certificate requests, and has a high level filter/pipe message processing system. The library is easily portable to...

AI score 6.9
Exploits: 0
Source: OSV (added 2025/02/03 8:57 a.m.)

SUSE-SU-2025:20057-1 Security update for rust-keylime

This update for rust-keylime fixes the following issues: - Update vendored crates CVE-2024-43806, bsc1229952, bsc1230029 rustix 0.37.25 rustix 0.38.34 shlex 1.3.0 - Update to version 0.2.6+13: Enable test functional/iak-idevid-persisted-and-protected builddeps: bump uuid from 1.7.0 to 1.10.0...

CVSS 7.5 · AI score 6 · EPSS 0.00083
Exploits: 0 · References: 6
Source: NVD (added 2025/01/31 4:15 p.m.)

CVE-2025-23215

PMD is an extensible multilanguage static code analyzer. The passphrase for the PMD and PMD Designer release signing keys is included in a jar published to Maven Central. The private key itself is not known to have been compromised, but given that its passphrase is, it must also be considered...

CVSS 9.3 · EPSS 0.00143
Exploits: 0 · References: 3
Source: CVE (added 2025/01/31 3:25 p.m.)

CVE-2025-23215

PMD Designer's release signing keys were found with passphrases exposed in Maven Central jars. The two compromised keys (94A5 2756 9CAF 7A47 AFCA BDE4 86D3 7ECA 8C2E 4C5B and EBB2 41A5 45CB 17C8 7FAC B2EB D0BF 1D73 7C9A 1C22) have been revoked; signatures on past artifacts remain valid, and the g...

CVSS 9.3 · AI score 6.6 · EPSS 0.00143
Exploits: 0 · References: 3
Source: Vulnrichment (added 2025/01/31 3:25 p.m.)

CVE-2025-23215 PMD Designer's release key passphrase (GPG) available on Maven Central in cleartext

PMD is an extensible multilanguage static code analyzer. The passphrase for the PMD and PMD Designer release signing keys is included in a jar published to Maven Central. The private key itself is not known to have been compromised, but given that its passphrase is, it must also be considered...

AI score 6.7 · EPSS 0.00143
Exploits: 0 · References: 3
Source: SUSE CVE (added 2025/01/30 3:47 a.m.)

SUSE CVE-2025-23208

zot is a production-ready vendor-neutral OCI image registry. The group data stored for users in the boltdb database meta.db is an append-list, so group revocations/removals are ignored in the API. SetUserGroups is called on login, but instead of replacing the group memberships, they are appended...

CVSS 7.3 · AI score 6.7 · EPSS 0.00107
Exploits: 1 · References: 3
Source: OSV (added 2025/01/28 3:01 p.m.)

GO-2025-3409 Zot IdP group membership revocation ignored in zotregistry.dev/zot

Zot IdP group membership revocation ignored in zotregistry.dev/zot. NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions. If this is causing false-positive reports from vulnerability scanners, please suggest a...

CVSS 7.3 · AI score 7.1 · EPSS 0.00107
Exploits: 1 · References: 4
Source: Rosalinux (added 2025/01/27 7:47 a.m.)

Advisory ROSA-SA-2025-2567

software: curl 8.7.1; OS: ROSA-CHROME; packageevrstring: curl-8.7.1-1; CVE-ID: CVE-2024-0853; BDU-ID: 2024-01014; CVE-Crit: MEDIUM; CVE-DESC.: A vulnerability in the TLS protocol implementation of the cURL command line utility is related to erroneous storage of the session ID as a result of a lack of...

CVSS 5.3 · AI score 7.1 · EPSS 0.00187
Exploits: 1
Source: CVE (added 2025/01/24 4:28 p.m.)

CVE-2025-22608

Coolify (before 4.0.0-beta.361) suffers from missing authorization that lets any authenticated user revoke arbitrary team invitations by providing a predictable, incrementing ID, enabling Denial of Service. A patch is available in 4.0.0-beta.361. The issue's description across multiple sources co...

CVSS 6.5 · AI score 6.4 · EPSS 0.00111
Exploits: 1 · References: 1 · Affected Software: 1