Lucene search
K

67 matches found

CVE
CVE
added 2025/06/26 4:46 p.m.115 views

CVE-2025-52477

CVE-2025-52477 affects Octo-STS, a GitHub App acting as a Security Token Service for the GitHub API. The vulnerability is an unauthenticated SSRF that can be triggered by abusing fields in OpenID Connect tokens, causing internal network requests and potential exposure of sensitive information in ...

8.6CVSS7.1AI score0.0041EPSS
Exploits0References3
CNNVD
CNNVD
added 2025/06/26 12:0 a.m.5 views

octo-sts 代码问题漏洞

octo-sts is a Chainguard's GitHub security token service open-sourced by octo-sts. A code issue vulnerability exists in octo-sts versions prior to v0.5.3, which stems from an unauthenticated server-side request forgery vulnerability...

8.6CVSS6.8AI score0.0041EPSS
Exploits0References3
SUSE CVE
SUSE CVE
added 2025/04/24 3:24 a.m.4 views

SUSE CVE-2025-32963

MinIO Operator STS is a native IAM Authentication for Kubernetes. Prior to version 7.1.0, if no audiences are provided for the spec.audiences field, the default will be of the Kubernetes apiserver. Without scoping, it can be replayed to other internal systems, which may unintentionally trust it...

6.9CVSS6.9AI score0.0054EPSS
Exploits0References3
BDU FSTEC
BDU FSTEC
added 2024/08/07 12:0 a.m.6 views

The vulnerability of the AssumeRoleWithWebIdentity request of the Security Token Service (AWS STS) – a single API for interacting with object storage services and local files in Apache Arrow Rust Object Store – allows attackers to circumvent security restrictions and gain unauthorized access to protected information.

The vulnerability of the AssumeRoleWithWebIdentity request of the Security Token Service AWS STS – a single API for interacting with object storage services and local files – is related to insufficient protection of registration data. Exploiting this vulnerability allows an attacker to bypass...

7.8CVSS5.4AI score0.0071EPSS
Exploits0References6Affected Software1
CVE
CVE
added 2024/05/10 7:5 p.m.73 views

CVE-2024-34079

CVE-2024-34079 affects the octo-sts GitHub App (Security Token Service for the GitHub API). The issue enables excessive resource consumption, potentially causing denial of service when handling high traffic volumes. Public sources describe a DoS risk from unbounded resource usage or missing input...

3.7CVSS6.5AI score0.00581EPSS
Exploits0References2
Code423n4
Code423n4
added 2023/07/21 12:0 a.m.5 views

Interchain token transfer can be Dossed Due To Flow Limit

Lines of code Vulnerability details Impact A large token holder can send back and forth tokens, using the flow limit to the capacity in start of every epoch making the system unusable for everyone else. Proof of Concept Interchain tokens can be transferred from one chain to another via the token...

7AI score
Exploits0
CNNVD
CNNVD
added 2022/12/08 12:0 a.m.3 views

JetBrains TeamCity 代码问题漏洞

JetBrains TeamCity is a set of distributed build management and continuous integration tools from the Czech company JetBrains. The tool provides features such as continuous unit testing, code quality analysis and build issue analysis reports. A security vulnerability exists in JetBrains TeamCity...

5.3CVSS5.8AI score0.00469EPSS
Exploits0References2
OSV
OSV
added 2022/05/13 1:9 a.m.1 views

GHSA-38X2-FP9M-87MX Improper Input Validation in Apache CXF

The SecurityTokenService STS in Apache CXF before 2.6.12 and 2.7.x before 2.7.9 does not properly validate SAML tokens when caching is enabled, which allows remote attackers to gain access via an invalid SAML token...

4.3CVSS7.2AI score0.07405EPSS
Exploits0References17
NVD
NVD
added 2021/10/13 2:15 p.m.31 views

CVE-2021-41137

Minio is a Kubernetes native application for cloud storage. All users on release RELEASE.2021-10-10T16-53-30Z are affected by a vulnerability that involves bypassing policy restrictions on regular users. Normally, checkKeyValid should return owner true for rootCreds. In the affected version, poli...

8.8CVSS0.01244EPSS
Exploits0References4
Citrix
Citrix
added 2021/07/29 12:0 a.m.8 views

How to Configure Office365 for Single Sign-on with NetScaler as SAML Identity Provider

This article describes how to configure Office365 for Single Sign-on with NetScaler as SAML Identity Provider and this article also provides detailed steps to configure Windows Azure to use NetScaler as a Security Token Service STS/ Identity Provider IDP...

7.1AI score
Exploits0
RedHat Linux
RedHat Linux
added 2020/06/11 7:9 a.m.2 views

cxf: OpenId Connect token service does not properly validate the clientId

Apache CXF ships with a OpenId Connect JWK Keys service, which allows a client to obtain the public keys in JWK format, which can then be used to verify the signature of tokens issued by the service. Typically, the service obtains the public key from a local keystore JKS/PKCS12 by specifing the...

7.5CVSS7.3AI score0.0606EPSS
Exploits0References4
RedHat Linux
RedHat Linux
added 2020/05/28 3:58 p.m.3 views

cxf: OpenId Connect token service does not properly validate the clientId

A flaw was found in cxf in versions prior to 3.2.11 and 3.3.4. The access token services do not properly validate that an authenticated principal is equal to that of the supplied clientId parameter allowing a malicious client to use an authorization code that has been issued to a different client...

9.8CVSS7.3AI score0.13836EPSS
Exploits0References4
RedHat Linux
RedHat Linux
added 2020/05/11 8:19 p.m.7 views

cxf: OpenId Connect token service does not properly validate the clientId

Apache CXF ships with a OpenId Connect JWK Keys service, which allows a client to obtain the public keys in JWK format, which can then be used to verify the signature of tokens issued by the service. Typically, the service obtains the public key from a local keystore JKS/PKCS12 by specifing the...

7.5CVSS7.3AI score0.0606EPSS
Exploits0References4
ATTACKERKB
ATTACKERKB
added 2020/04/10 12:0 a.m.31 views

CVE-2020-3952 - VMware vCenter Server vmdir Information Disclosure

Under certain conditions, vmdir that ships with VMware vCenter Server, as part of an embedded or external Platform Services Controller PSC, does not correctly implement access controls. Recent assessments: wvu-r7 at April 16, 2020 1:25pm UTC reported: Technical details on the vuln are out:...

9.8CVSS8.9AI score0.90384EPSS
In wildExploits20References3
Veeam
Veeam
added 2020/02/13 12:0 a.m.16 views

Unable to Add Workers to Bahrain or Hong Kong Regions

Challenge When adding a worker instance to the Bahrain or Hong Kong regions, the following error occurs: AWS was not able to validate the provided access credentials. Cause Veeam Backup for AWS uses the Global STS endpoint. Solution To add a worker to the Bahrain or Hong Kong regions, do the...

6.8AI score
Exploits0Affected Software1
CNVD
CNVD
added 2019/11/14 12:0 a.m.4 views

Apache CXF OpenId connect token service information disclosure vulnerability

Apache CXF is an open source Web services framework . A security vulnerability in the Apache CXF OpenId connect token service implementation allows remote attackers to exploit the vulnerability to submit special requests that can steal authentication code distributed to other clients for...

9.8CVSS9.5AI score0.13836EPSS
Exploits0References1
RedHat Linux
RedHat Linux
added 2019/11/05 9:33 p.m.1 views

containers/image: not enforcing TLS when sending username+password credentials to token servers leading to credential disclosure

The containers/image library used by the container tools Podman, Buildah, and Skopeo in Red Hat Enterprise Linux version 8 and CRI-O in OpenShift Container Platform, does not enforce TLS connections to the container registry authorization service. An attacker could use this vulnerability to launc...

6.4CVSS7.3AI score0.01604EPSS
Exploits0References4
CNVD
CNVD
added 2018/06/06 12:0 a.m.6 views

IBM InfoSphere Information Server Information Disclosure Vulnerability (CNVD-2018-11080)

IBM InfoSphere Information Server is the market-leading data integration platform that includes a range of products that enable you to understand, cleanse, monitor, transform and deliver data and collaborate to bridge the gap between business and IT. An information disclosure vulnerability exists...

5.9CVSS6.3AI score0.01499EPSS
Exploits0References1
RedHat Linux
RedHat Linux
added 2018/05/22 4:52 p.m.5 views

cxf: CXF's STSClient uses a flawed way of caching tokens that are associated with delegation tokens

It was found that the token cacher in Apache cxf uses a flawed way of caching tokens that are associated with the delegation token received from Security Token Service STS. This vulnerability could allow an attacker to craft a token which could return an identifier corresponding to a cached token...

7.5CVSS7.2AI score0.06827EPSS
Exploits0References5
RedHat Linux
RedHat Linux
added 2017/08/10 11:3 p.m.7 views

cxf: CXF's STSClient uses a flawed way of caching tokens that are associated with delegation tokens

It was found that the token cacher in Apache cxf uses a flawed way of caching tokens that are associated with the delegation token received from Security Token Service STS. This vulnerability could allow an attacker to craft a token which could return an identifier corresponding to a cached token...

7.5CVSS7.2AI score0.06827EPSS
Exploits0References5
Rows per page
Query Builder