306 matches found
GHSA-23X9-8HXR-978C OpenStack Identity (Keystone) Trustee token revocations does not work with memcache backend
The memcache token backend in OpenStack Identity Keystone 2013.1 through 2.013.1.4, 2013.2 through 2013.2.2, and icehouse before icehouse-3, when issuing a trust token with impersonation enabled, does not include this token in the trustee's token-index-list, which prevents the token from being...
OpenStack Identity Keystone Improper Access Control
The Fernet Token Provider in OpenStack Identity Keystone 9.0.x before 9.0.1 mitaka allows remote authenticated users to prevent revocation of a chain of tokens and bypass intended access restrictions by rescoping a token...
GHSA-J4P3-2M2H-CV5F Cloud Foundry UAA Denial of Service through client token revocation endpoint
An issue was discovered in Cloud Foundry Foundation cf-release all versions prior to v279 and UAA 30.x versions prior to 30.6, 45.x versions prior to 45.4, 52.x versions prior to 52.1. In some cases, the UAA allows an authenticated user for a particular client to revoke client tokens for other...
CVE-2022-22332
IBM Sterling Partner Engagement Manager 6.2.0 could allow an attacker to impersonate another user due to missing revocation mechanism for the JWT token. IBM X-Force ID: 219131...
IBM Sterling Partner Engagement Manager 安全漏洞
IBM Sterling Partner Engagement Manager is an automation management tool from IBM, U.S.A. An access control error vulnerability exists in IBM Sterling Partner Engagement Manager version 6.2.0, which stems from the lack of a revocation mechanism for JWT tokens. An attacker could exploit the...
CVE-2022-22332
IBM Sterling Partner Engagement Manager 6.2.0 could allow an attacker to impersonate another user due to missing revocation mechanism for the JWT token. IBM X-Force ID: 219131...
GO-2021-0109 Improper handling of token revocation in github.com/ory/fosite
Due to improper error handling, an error with the underlying token storage may cause a user to believe a token has been successfully revoked when it is in fact still valid. An attackers ability to exploit this relies on an ability to trigger errors in the underlying storage...
Insecure Error Handling
github.com/ory/fosite does not securely handle errors from the server. The TokenRevocationHandler ignores errors coming from the storage. This can lead to unexpected 200 status codes indicating successful revocation while the token is still valid and may lead to unexpected behaviors in the server...
CVE-2020-15223 Ignored storage errors on token revokation in ORY Fosite
In ORY Fosite the security first OAuth2 & OpenID Connect framework for Go before version 0.34.0, the TokenRevocationHandler ignores errors coming from the storage. This can lead to unexpected 200 status codes indicating successful revocation while the token is still valid. Whether an attacker can...
PT-2020-14290 · Ory · Ory Fosite
Name of the Vulnerable Software and Affected Versions: ORY Fosite versions prior to 0.34.0 Description: The issue arises from improper error handling in the TokenRevocationHandler, which ignores errors coming from the storage. This can lead to unexpected 200 status codes indicating successful...
Kubernetes: Github test clientID and clientSecret leaked
Report Submission Form Summary: A github clientID and clientSecret for an oauth app are being leaked on github Description While looking for anything that is interesting on github I a clientID and clientSecret for a github oauth app hardcoded. While they have been removed a long time ago, they ar...
Improper Invalidation Of Token
openstack-keystone is vulnerable to access bypass attacks. The vulnerability exists as the memcache token backend in OpenStack Identity Keystone 2013.1 through 2.013.1.4, 2013.2 through 2013.2.2, and icehouse before icehouse-3, when issuing a trust token with impersonation enabled, does not inclu...
GHSA-5P9F-55J8-922M Moderate severity vulnerability that affects doorkeeper
Withdrawn, accidental duplicate publish. The Doorkeeper gem before 4.2.0 for Ruby might allow remote attackers to conduct replay attacks or revoke arbitrary tokens by leveraging failure to implement the OAuth 2.0 Token Revocation specification...
GHSA-694M-JHR9-PF77 Doorkeeper subject to Incorrect Permission Assignment
Doorkeeper version 4.2.0 and later contains a Incorrect Access Control vulnerability in Token revocation API's authorized method that can result in Access tokens are not revoked for public OAuth apps, leaking access until expiry...
Doorkeeper subject to Incorrect Permission Assignment
Doorkeeper version 4.2.0 and later contains a Incorrect Access Control vulnerability in Token revocation API's authorized method that can result in Access tokens are not revoked for public OAuth apps, leaking access until expiry...
FreeBSD : rubygem-doorkeeper -- token revocation vulnerability (e309a2c7-598b-4fa6-a398-bc72fbd1d167)
NVD reports : Doorkeeper version 4.2.0 and later contains a Incorrect Access Control vulnerability in Token revocation API's authorized method that can result in Access tokens are not revoked for public OAuth apps, leaking access until expiry. C Tenable Network Security, Inc. The descriptive text...
Improper Token Revocation
doorkeeper improperly handles token revocation. The vulnerability exists in the authorized method found in the token revocation's API, resulting in incorrect access control where the access token for the public OAuth applications are not revoked...
Improper access control
Doorkeeper version 4.2.0 and later contains a Incorrect Access Control vulnerability in Token revocation API's authorized method that can result in Access tokens are not revoked for public OAuth apps, leaking access until expiry...
CVE-2018-1000211
Doorkeeper version 4.2.0 and later contains a Incorrect Access Control vulnerability in Token revocation API's authorized method that can result in Access tokens are not revoked for public OAuth apps, leaking access until expiry...
CVE-2018-1000211
Doorkeeper version 4.2.0 and later contains a Incorrect Access Control vulnerability in Token revocation API's authorized method that can result in Access tokens are not revoked for public OAuth apps, leaking access until expiry...