16 matches found
EUVD-2021-27068
Malware in sbrugna...
EUVD-2022-33588
Malicious code in bioql PyPI...
EUVD-2022-28101
Malicious code in bioql PyPI...
Mattermost fails to properly invalidate personal access tokens upon user deactivation
Mattermost versions 10.7.x = 10.7.0, 10.6.x = 10.6.2, 10.5.x = 10.5.3, 9.11.x = 9.11.12 fails to properly invalidate personal access tokens upon user deactivation, allowing deactivated users to maintain full system access by exploiting access token validation flaws via continued usage of previous...
CVE-2022-39308
GoCD is a continuous delivery server. GoCD helps you automate and streamline the build-test-release cycle for continuous delivery of your product. GoCD versions from 19.2.0 to 19.10.0 inclusive are subject to a timing attack in validation of access tokens due to use of regular string comparison f...
CVE-2022-22990
A limited authentication bypass vulnerability was discovered that could allow an attacker to achieve remote code execution and escalate privileges on the My Cloud devices. Addressed this vulnerability by changing access token validation logic and rewriting rule logic on PHP scripts...
BIT-ENVOY-2022-29226 Trivial authentication bypass in Envoy
Envoy is a cloud-native high-performance proxy. In versions prior to 1.22.1 the OAuth filter implementation does not include a mechanism for validating access tokens, so by design when the HMAC signed cookie is missing a full authentication flow should be triggered. However, the current...
CVE-2022-39308 GoCD API authentication of user access tokens subject to timing attack during comparison
GoCD is a continuous delivery server. GoCD helps you automate and streamline the build-test-release cycle for continuous delivery of your product. GoCD versions from 19.2.0 to 19.10.0 inclusive are subject to a timing attack in validation of access tokens due to use of regular string comparison f...
Insecure Session
github.com/flyteorg/flyteadmin is vulnerable to insecure session. The vulnerability exists in ValidateAccessToken function in resourceserver.go because the access token keys are not properly validated which allows an attacker to access the server using expired tokens...
CVE-2022-31013
Chat Server is the chat server for Vartalap, an open-source messaging application. Versions 2.3.2 until 2.6.0 suffer from a bug in validating the access token, resulting in authentication bypass. The function this.authProvider.verifyAccessKey is an async function, as the code is not using await t...
Authentication flaw
Chat Server is the chat server for Vartalap, an open-source messaging application. Versions 2.3.2 until 2.6.0 suffer from a bug in validating the access token, resulting in authentication bypass. The function this.authProvider.verifyAccessKey is an async function, as the code is not using await t...
CVE-2021-3814
It was found that 3scale's APIdocs does not validate the access token, in the case of invalid token, it uses session auth instead. This conceivably bypasses access controls and permits unauthorized information disclosure...
CVE-2022-22990
A limited authentication bypass vulnerability was discovered that could allow an attacker to achieve remote code execution and escalate privileges on the My Cloud devices. Addressed this vulnerability by changing access token validation logic and rewriting rule logic on PHP scripts...
Authentication flaw
A limited authentication bypass vulnerability was discovered that could allow an attacker to achieve remote code execution and escalate privileges on the My Cloud devices. Addressed this vulnerability by changing access token validation logic and rewriting rule logic on PHP scripts...
CVE-2022-22990 Limited authentication bypass vulnerability on Western Digital My Cloud devices
A limited authentication bypass vulnerability was discovered that could allow an attacker to achieve remote code execution and escalate privileges on the My Cloud devices. Addressed this vulnerability by changing access token validation logic and rewriting rule logic on PHP scripts...
SUSE-SU-2018:2608-1 Security update for cobbler
This update for cobbler fixes the following issues: Security issues fixed: - Forbid exposure of private methods in the API CVE-2018-10931, CVE-2018-1000225, bsc1104287, bsc1104189, bsc1105442 - Check access token when calling 'modifysetting' API endpoint bsc1104190, bsc1105440, CVE-2018-1000226...