51 matches found

CNNVD
added 2023/09/29 12:0 a.m. · 10 views

HashiCorp Vault Security Breach

HashiCorp Vault is a private key access management tool from HashiCorp USA. A security vulnerability exists in HashiCorp Vault versions prior to 1.13.0 and Vault Enterprise versions prior to 1.13.0 that stems from an existing IAM condition that is not preserved when creating or updating a role se...

7.6 CVSS · 6.7 AI score · 0.00436 EPSS
Exploits 0 · References 4

RedHat Linux
added 2023/08/08 8:46 a.m. · 3 views

postgresql: row security policies disregard user ID changes after inlining.

A flaw was found in PostgreSQL, which could permit incorrect policies being applied in certain cases where role-specific policies are used and a given query is planned under one role and executed under other roles. This scenario can happen under security definer functions, or when a common user a...

5.4 CVSS · 7.3 AI score · 0.00694 EPSS
Exploits 0 · References 5

RedHat Linux
added 2023/07/27 1:35 p.m. · 5 views

postgresql: row security policies disregard user ID changes after inlining.

A flaw was found in PostgreSQL, which could permit incorrect policies being applied in certain cases where role-specific policies are used and a given query is planned under one role and executed under other roles. This scenario can happen under security definer functions, or when a common user a...

5.4 CVSS · 7.3 AI score · 0.00694 EPSS
Exploits 0 · References 5

RedHat Linux
added 2023/06/21 2:48 p.m. · 70 views

postgresql: row security policies disregard user ID changes after inlining.

A flaw was found in PostgreSQL, which could permit incorrect policies being applied in certain cases where role-specific policies are used and a given query is planned under one role and executed under other roles. This scenario can happen under security definer functions, or when a common user a...

5.4 CVSS · 7.3 AI score · 0.00694 EPSS
Exploits 0 · References 5

OSV
added 2023/06/07 2:15 a.m. · 3 views

CVE-2021-4345

The uListing plugin for WordPress is vulnerable to authorization bypass due to missing capability and nonce checks on the UlistingUserRole::saveroleapi method in versions up to, and including, 1.6.6. This makes it possible for unauthenticated attackers to remove or add roles, and add capabilities...

5.3 CVSS · 5.8 AI score
Exploits 0 · References 3

Positive Technologies
added 2023/06/07 12:0 a.m. · 5 views

PT-2023-12454 · WordPress · Ulisting

Name of the Vulnerable Software and Affected Versions: uListing plugin for WordPress versions up to, and including, 1.6.6 Description: The issue is related to authorization bypass due to missing capability and nonce checks on the UlistingUserRole::save role api method. This allows unauthenticated...

6.5 CVSS · 5.3 AI score · 0.0073 EPSS
Exploits 1 · References 5

Positive Technologies
added 2022/06/14 12:0 a.m. · 5 views

PT-2022-21177 · Siemens · Sinema Remote Connect Server

Name of the Vulnerable Software and Affected Versions: SINEMA Remote Connect Server versions prior to V3.1 Description: A missing authentication verification for a resource used to change the roles and permissions of a user has been identified. This could allow an attacker to change the permissio...

9.8 CVSS · 7.4 AI score · 0.01098 EPSS
Exploits 0 · References 3

Prion
added 2015/08/18 6:0 p.m. · 12 views

Code injection

The Views Bulk Operations VBO module 6.x-1.x and 7.x-3.x before 7.x-3.3 for Drupal, when the bulk operation for changing Roles is enabled, allows remote authenticated users to edit user accounts and add arbitrary roles to the accounts by leveraging access to a user account listing view with VBO...

4.9 CVSS · 6.9 AI score · 0.01088 EPSS
Exploits 0 · References 4 · Affected Software 1

Positive Technologies
added 2012/09/18 12:0 a.m. · 3 views

PT-2012-5384 · Openstack · Openstack Keystone

Name of the Vulnerable Software and Affected Versions: OpenStack Keystone versions prior to 2012.1.3 Description: The issue allows remote authenticated users to retain the privileges of revoked roles because existing tokens are not invalidated when roles are granted or revoked. Recommendations: F...

4 CVSS · 6 AI score · 0.01881 EPSS
Exploits 0 · References 19

Oracle Linux
added 2011/05/28 12:0 a.m. · 29 views

sudo security and bug fix update

1.7.4p5-5 - patch: log failed user role changes Resolves: rhbz665131
1.7.4p5-4 - added includedir /etc/sudoers.d to sudoers Resolves: rhbz615087
1.7.4p5-3 - added !visiblepw option to sudoers Resolves: rhbz688640
1.7.4p5-2 - added patch for rhbz665131 Resolves: rhbz665131
1.7.4p5-1 - rebase to...

4.4 CVSS · 1.7 AI score · 0.00496 EPSS
Exploits 0

Oracle Linux
added 2007/11/19 12:0 a.m. · 48 views

openssh security and bug fix update

4.3p2-24 - fixed audit log injection problem CVE-2007-3102 248059
4.3p2-23 - document where the nss certificate and token dbs are looked for
4.3p2-22 - experimental support for PKCS11 tokens through libnss3 183423
4.3p2-21 - fix an information leak in Kerberos password authentication CVE-2006-505...

5 CVSS · 1.4 AI score · 0.02801 EPSS
Exploits 0