
310 matches found

AlpineLinux
added 2025/05/14 8:35 p.m., 3 views

CVE-2025-47884

In Jenkins OpenID Connect Provider Plugin 96.vee8ed882ec4d and earlier the generation of build ID Tokens uses potentially overridden values of environment variables, in conjunction with certain other plugins allowing attackers able to configure jobs to craft a build ID Token that impersonates a...

CVSS 9.1 · AI score 7.1 · EPSS 0.00929
Exploits: 0 · References: 1
RedhatCVE
added 2025/05/03 6:06 p.m., 12 views

CVE-2025-46345

Auth0 Account Link Extension is an extension aimed to help link accounts easily. Versions 2.3.4 to 2.6.6 do not verify the signature of the provided JWT. This allows a user to supply a forged token and potentially access user information without proper authorization. This issue...

CVSS 6.9 · AI score 6.9 · EPSS 0.00323
Exploits: 0 · References: 1
Cvelist
added 2025/05/01 5:20 p.m., 22 views

CVE-2025-46345 Auth0 Account Link Extension JWT Invalid Signature Validation

Auth0 Account Link Extension is an extension aimed to help link accounts easily. Versions 2.3.4 to 2.6.6 do not verify the signature of the provided JWT. This allows a user to supply a forged token and potentially access user information without proper authorization. This issue...

CVSS 6.9 · EPSS 0.00323
Exploits: 0 · References: 2
RedhatCVE
added 2025/04/17 8:14 p.m., 14 views

CVE-2025-30206

Dpanel is a Docker visualization panel system which provides complete Docker management functions. The Dpanel service contains a hardcoded JWT secret in its default configuration, allowing attackers to generate valid JWT tokens and compromise the host machine. This security flaw allows attackers ...

CVSS 9.8 · AI score 7.2 · EPSS 0.00058
Exploits: 0 · References: 1
OSV
added 2025/04/15 2:17 p.m., 9 views

GHSA-J752-CJCJ-W847 Dpanel's hard-coded JWT secret leads to remote code execution

Summary The Dpanel service contains a hardcoded JWT secret in its default configuration, allowing attackers to generate valid JWT tokens and compromise the host machine. Details The Dpanel service, when initiated using its default configuration, includes a hardcoded JWT secret embedded directly...

CVSS 9.8 · AI score 7.7 · EPSS 0.00058
Exploits: 0 · References: 4
NVD
added 2025/03/19 4:15 p.m., 21 views

CVE-2025-30144

fast-jwt provides a fast JSON Web Token (JWT) implementation. Prior to 5.0.6, the fast-jwt library does not properly validate the iss claim as required by RFC 7519. The iss (issuer) claim validation within the fast-jwt library permits an array of strings as a valid iss value. This design flaw enables a...

CVSS 6.5 · EPSS 0.02126
Exploits: 0 · References: 3
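The fast-jwt entry above turns on a claim-type check: RFC 7519 defines iss as a single StringOrURI, and a validator that also accepts an array lets one token carry both the trusted issuer and an attacker's. The Python below is an added example, not fast-jwt's code or anything from this page; TRUSTED_ISSUER, EXPECTED_AUDIENCE, the timestamp and the claim sets are constructed. It goes a little beyond the entry by applying the same strictness to aud (the one registered claim that may legitimately be an array), exp and nbf.

```python
"""
Registered-claim validation per RFC 7519, contrasted with the lenient
issuer check that accepts an array. Added illustration; not fast-jwt's code.
"""
from typing import Any

# Constructed values for the example; a real deployment loads these from config.
TRUSTED_ISSUER = "https://issuer.example"
EXPECTED_AUDIENCE = "api.example"


def lenient_issuer_ok(claims: dict[str, Any]) -> bool:
    """The lenient pattern: 'is the trusted issuer somewhere in iss?'.
    Python's `in` is membership on a list and substring search on a str,
    so both an attacker-supplied array and a look-alike URI pass."""
    iss = claims.get("iss")
    return iss is not None and TRUSTED_ISSUER in iss


def validate_registered_claims(claims: dict[str, Any], now: int) -> None:
    """Strict validation. RFC 7519 section 4.1.1 defines iss as one
    StringOrURI, so anything but a str is rejected outright. aud (4.1.3)
    is the one claim that may be an array of strings, and exp/nbf
    (4.1.4, 4.1.5) must be NumericDate values. Raises ValueError on the
    first problem found."""
    iss = claims.get("iss")
    if not isinstance(iss, str):
        raise ValueError("iss must be a single string")
    if iss != TRUSTED_ISSUER:
        raise ValueError("iss is not the trusted issuer")

    aud = claims.get("aud")
    if isinstance(aud, str):
        audiences = [aud]
    elif isinstance(aud, list) and aud and all(isinstance(a, str) for a in aud):
        audiences = aud
    else:
        raise ValueError("aud must be a string or a non-empty array of strings")
    if EXPECTED_AUDIENCE not in audiences:
        raise ValueError("token is not intended for this audience")

    for name in ("exp", "nbf"):
        value = claims.get(name)
        # bool is a subclass of int in Python, so exclude it explicitly.
        if name in claims and (isinstance(value, bool) or not isinstance(value, (int, float))):
            raise ValueError(f"{name} must be a NumericDate")
    if "exp" not in claims or now >= claims["exp"]:
        raise ValueError("token has expired or carries no exp")
    if "nbf" in claims and now < claims["nbf"]:
        raise ValueError("token is not yet valid")


def strict_claims_ok(claims: dict[str, Any], now: int) -> bool:
    """Boolean wrapper around the strict validator."""
    try:
        validate_registered_claims(claims, now)
    except ValueError:
        return False
    return True


def demo(now: int = 1_700_000_000) -> dict[str, tuple[bool, bool]]:
    """(lenient, strict) verdicts for constructed claim sets."""
    base = {"aud": EXPECTED_AUDIENCE, "exp": now + 300}
    cases = {
        "genuine": {**base, "iss": TRUSTED_ISSUER},
        # The array form fast-jwt accepted: trusted issuer plus an attacker's.
        "array_iss": {**base, "iss": [TRUSTED_ISSUER, "https://attacker.example"]},
        # Substring match also passes a look-alike origin.
        "lookalike_iss": {**base, "iss": TRUSTED_ISSUER + ".attacker.example"},
        "expired": {**base, "iss": TRUSTED_ISSUER, "exp": now - 1},
    }
    return {name: (lenient_issuer_ok(c), strict_claims_ok(c, now)) for name, c in cases.items()}


if __name__ == "__main__":
    for name, (lenient, strict) in demo().items():
        print(f"{name:14s} lenient={lenient} strict={strict}")
```

The point of the contrast is that the lenient check is not wrong about the trusted issuer being present; it is wrong about what else the claim is allowed to contain. Type-checking the claim before comparing it closes both the array case and the substring case.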
Tenable Nessus
added 2025/03/06 12:00 a.m., 5 views

Linux Distros Unpatched Vulnerability : CVE-2025-24032

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor-supplied patch available. - PAM-PKCS11 is a Linux-PAM login module that allows an X.509 certificate based user login. Prior to version 0.6.13, if certpolicy is set to none the default value...

CVSS 9.2 · AI score 7.3 · EPSS 0.00746
Exploits: 0 · References: 2
OSV
added 2025/02/28 3:33 p.m., 1 view

OESA-2025-1209 ceph security update

Ceph is a massively scalable, open-source, distributed storage system that runs on commodity hardware and delivers object, block and file system storage. Security Fixes: A vulnerability in the Ceph Rados Gateway (RadosGW) OIDC provider allows attackers to bypass JWT signature verification by...

CVSS 8.1 · AI score 6.9 · EPSS 0.00043
Exploits: 0 · References: 2
OSV
added 2025/02/28 3:33 p.m., 1 view

OESA-2025-1208 ceph security update

Ceph is a massively scalable, open-source, distributed storage system that runs on commodity hardware and delivers object, block and file system storage. Security Fixes: A vulnerability in the Ceph Rados Gateway (RadosGW) OIDC provider allows attackers to bypass JWT signature verification by...

CVSS 8.1 · AI score 6.9 · EPSS 0.00043
Exploits: 0 · References: 2
OSV
added 2025/02/28 3:33 p.m., 1 view

OESA-2025-1207 ceph security update

Ceph is a massively scalable, open-source, distributed storage system that runs on commodity hardware and delivers object, block and file system storage. Security Fixes: A vulnerability in the Ceph Rados Gateway (RadosGW) OIDC provider allows attackers to bypass JWT signature verification by...

CVSS 8.1 · AI score 6.9 · EPSS 0.00043
Exploits: 0 · References: 2
OSV
added 2025/01/23 6:15 p.m., 1 view

CVE-2024-55927

A vulnerability in Xerox Workplace Suite arises from flawed token generation and the use of hard-coded keys. These weaknesses allow attackers to predict or forge tokens, leading to unauthorized access to sensitive functions...

CVSS 7.5 · AI score 5.8 · EPSS 0.00153
Exploits: 0 · References: 1
Positive Technologies
added 2025/01/23 12:00 a.m., 3 views

PT-2025-3155 · Xerox · Xerox Workplace Suite

Name of the Vulnerable Software and Affected Versions: Xerox Workplace Suite versions prior to 5.6.701.9 Description: A vulnerability in Xerox Workplace Suite arises from flawed token generation and the use of hard-coded keys. These weaknesses allow attackers to predict or forge tokens, leading t...

CVSS 7.6 · AI score 9.3 · EPSS 0.00153
Exploits: 0 · References: 10
Github Security Blog
added 2024/12/23 8:17 p.m., 30 views

Navidrome Stores JWT Secret in Plaintext in navidrome.db

Navidrome stores the JWT secret in plaintext in the navidrome.db database file under the property table. This practice introduces a security risk because anyone with access to the database file can retrieve the secret. The JWT secret is critical for the authentication and authorization system. If...

CVSS 7.1 · AI score 7.1 · EPSS 0.00052
Exploits: 0 · References: 7 · Affected Software: 1
RedHat Linux
added 2024/12/11 4:07 p.m., 3 views

ceph: rhceph-container: Authentication bypass in CEPH RadosGW

A vulnerability in the Ceph Rados Gateway (RadosGW) OIDC provider allows attackers to bypass JWT signature verification by supplying a token with "none" as the algorithm ("alg"). This occurs because the implementation fails to enforce strict signature validation, enabling attackers to forge valid token...

CVSS 8.1 · AI score 5.8 · EPSS 0.00043
Exploits: 0 · References: 7
RedhatCVE
added 2024/12/02 10:50 a.m., 12 views

CVE-2024-48916

A vulnerability in the Ceph Rados Gateway (RadosGW) OIDC provider allows attackers to bypass JWT signature verification by supplying a token with "none" as the algorithm ("alg"). This occurs because the implementation fails to enforce strict signature validation, enabling attackers to forge valid token...

CVSS 9.1 · AI score 6.6 · EPSS 0.00043
Exploits: 0 · References: 6
CNNVD
added 2024/11/13 12:00 a.m., 2 views

DataEase trust management issue vulnerability

DataEase is an open source data visualization and analysis tool from DataEase Open Source. It is used to help users quickly analyze data and gain insight into business trends for business improvement and optimization. A trust management issue vulnerability exists in DataEase versions prior to...

CVSS 9.8 · AI score 6.6 · EPSS 0.00692
Exploits: 1 · References: 3
Positive Technologies
added 2024/11/13 12:00 a.m., 3 views

PT-2024-35161 · Dataease · Dataease

Name of the Vulnerable Software and Affected Versions: DataEase versions prior to 2.10.2 Description: The issue allows attackers to forge JWT and take over services due to the JWT secret being hardcoded in the code. Additionally, the UID and OID are also hardcoded. This has been fixed in version...

CVSS 9.8 · AI score 7.2 · EPSS 0.00692
Exploits: 1 · References: 9
OSV
added 2024/11/07 5:31 p.m., 7 views

CVE-2024-47073 Dataease arbitrary interface access vulnerability

DataEase is an open source data visualization analysis tool that helps users quickly analyze data and gain insights into business trends. In affected versions, the lack of signature verification of JWT tokens allows attackers to forge JWTs, which then allow access to any interface. The...

CVSS 9.3 · AI score 6.8 · EPSS 0.56105
Exploits: 1 · References: 3
Positive Technologies
added 2024/11/07 12:00 a.m., 2 views

PT-2024-32390 · Dataease · Dataease

Name of the Vulnerable Software and Affected Versions: DataEase versions prior to 2.10.2 Description: The issue is related to the lack of signature verification of JWT tokens, which allows attackers to forge JWT tokens and gain access to any interface. There are no known workarounds for this issu...

CVSS 9.3 · AI score 6.4 · EPSS 0.56105
Exploits: 1 · References: 8
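The Ceph RadosGW entries (CVE-2024-48916 and the OESA ceph updates) and the DataEase entries (CVE-2024-47073, PT-2024-32390) describe one defect class: a verifier that lets the token decide whether its signature is checked at all. The Python below is an added example, not code from Ceph, DataEase or any other project on this page; KEY, the claims and the forged tokens are constructed. It puts the lenient pattern next to a verifier that pins the algorithm and always checks the signature under the configured key, using only the standard library.

```python
"""
Minimal HS256 JWT verifier that pins the algorithm and always checks the
signature, beside the lenient pattern behind the alg=none bypass.
Added illustration; not Ceph's or DataEase's code.
"""
import base64
import hashlib
import hmac
import json
from typing import Any, Callable

# Constructed for the example. A real key comes from configuration, never from source.
KEY = b"example-key-loaded-from-config-not-from-source"


class InvalidToken(Exception):
    """Raised for any token the verifier will not accept."""


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(segment: str) -> bytes:
    # JWS strips base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _encode_json(obj: dict[str, Any]) -> str:
    return _b64url_encode(json.dumps(obj, separators=(",", ":")).encode("utf-8"))


def sign_hs256(claims: dict[str, Any], key: bytes) -> str:
    """Issue a token the way a legitimate issuer would."""
    signing_input = f"{_encode_json({'alg': 'HS256', 'typ': 'JWT'})}.{_encode_json(claims)}"
    sig = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return f"{signing_input}.{_b64url_encode(sig)}"


def forge_unsigned(claims: dict[str, Any]) -> str:
    """What an alg=none forgery looks like on the wire: the header claims no
    algorithm and the signature segment is empty. No key is involved."""
    return f"{_encode_json({'alg': 'none', 'typ': 'JWT'})}.{_encode_json(claims)}."


def _split(token: str) -> tuple[str, str, str]:
    parts = token.split(".")
    if len(parts) != 3:
        raise InvalidToken("a JWS compact token has exactly three segments")
    return parts[0], parts[1], parts[2]


def verify_lenient(token: str, key: bytes) -> dict[str, Any]:
    """The vulnerable pattern: the token's own header decides whether a
    signature is checked, so "alg": "none" skips verification entirely."""
    h, p, s = _split(token)
    header = json.loads(_b64url_decode(h))
    if header.get("alg") == "none":  # BUG: attacker-controlled branch
        return json.loads(_b64url_decode(p))
    expected = hmac.new(key, f"{h}.{p}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s)):
        raise InvalidToken("bad signature")
    return json.loads(_b64url_decode(p))


def verify_hs256(token: str, key: bytes) -> dict[str, Any]:
    """The hardened pattern: the verifier, not the token, fixes the algorithm.
    A header whose alg is not exactly "HS256" is rejected before any
    signature is computed, which covers "none", "None", a missing alg and
    algorithm-confusion attempts alike."""
    h, p, s = _split(token)
    try:
        header = json.loads(_b64url_decode(h))
        claims = json.loads(_b64url_decode(p))
        signature = _b64url_decode(s)
    except ValueError as exc:  # binascii.Error and JSONDecodeError both subclass ValueError
        raise InvalidToken(f"malformed token: {exc}") from exc
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        raise InvalidToken("algorithm is not the one this verifier accepts")
    if not isinstance(claims, dict):
        raise InvalidToken("payload is not a JSON object")
    expected = hmac.new(key, f"{h}.{p}".encode("ascii"), hashlib.sha256).digest()
    if not signature or not hmac.compare_digest(expected, signature):
        raise InvalidToken("signature does not verify under the configured key")
    return claims


def rejects(verifier: Callable[[str, bytes], dict[str, Any]], token: str, key: bytes = KEY) -> bool:
    """True if the verifier refuses the token."""
    try:
        verifier(token, key)
    except InvalidToken:
        return True
    return False


def demo() -> dict[str, bool]:
    """Exercise both verifiers on a genuine token and on forgeries."""
    genuine = sign_hs256({"sub": "alice", "role": "user"}, KEY)
    forged = forge_unsigned({"sub": "alice", "role": "admin"})
    # Swap the payload of a genuine token while keeping its (now stale) signature.
    h, _, s = _split(genuine)
    tampered = f"{h}.{_encode_json({'sub': 'alice', 'role': 'admin'})}.{s}"
    return {
        "lenient_accepts_forged": not rejects(verify_lenient, forged),
        "strict_rejects_forged": rejects(verify_hs256, forged),
        "strict_accepts_genuine": verify_hs256(genuine, KEY)["role"] == "user",
        "strict_rejects_tampered": rejects(verify_hs256, tampered),
        "strict_rejects_wrong_key": rejects(verify_hs256, genuine, b"some-other-key"),
    }


if __name__ == "__main__":
    for check, ok in demo().items():
        print(f"{check:26s} {ok}")
```

Two design choices carry the fix. First, the accepted algorithm is a property of the verifier and is compared against the header with exact string equality, so there is no code path in which the header can switch verification off. Second, the comparison uses hmac.compare_digest rather than ==, so a wrong signature is rejected in constant time instead of leaking how many leading bytes matched.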
CNNVD
added 2024/10/16 12:00 a.m., 3 views

NeuVector security vulnerability

NeuVector is an end-to-end container security platform from US-based NeuVector. The platform includes features such as image vulnerability management, access control and container process/filesystem protection. A security vulnerability exists in previous versions of NeuVector...

CVSS 9.4 · AI score 8.3 · EPSS 0.00294
Exploits: 0 · References: 2