5318 matches found
GHSA-XHW6-HJC9-679M Pac4j token validation bypass if OpenID Connect provider supports none algorithm
If an OpenID Connect provider supports the “none” algorithm i.e., tokens with no signature, pac4j v5.3.0 and prior does not refuse it without an explicit configuration on its side or for the “idtoken” response type which is not secure and violates the OpenID Core Specification. The "none" algorit...
CVE-2021-40006
CVE-2021-40006 is linked in related records to a Huawei HarmonyOS Wearables encryption vulnerability, described as a design/logic flaw in the security algorithm component with potential confidentiality impact. The explicit details across sources confirm a design defect affecting confide...
CVE-2021-40006
Vulnerability of design defects in the security algorithm component. Successful exploitation of this vulnerability may affect confidentiality...
Insecure Token
Pac4j has an insecure token vulnerability. The vulnerability exists due to insecure validation of ID tokens that use the "none" algorithm, allowing an attacker to bypass token validation by injecting a maliciously crafted ID token whose alg header is set to "none"...
PT-2022-11130 · Huawei · Emui +1
Name of the Vulnerable Software and Affected Versions: No specific software or versions are mentioned. Description: The issue concerns design defects in the security algorithm component. Successful exploitation may affect confidentiality. Recommendations: At the moment, there is no information...
GHSA-5R5W-H76P-M726 Use of a Broken or Risky Cryptographic Algorithm in Max Mazurov Maddy
A Broken or Risky Cryptographic Algorithm exists in Max Mazurov Maddy before 0.5.2, which is an unnecessary risk that may result in the exposure of sensitive information...
Use of a Broken or Risky Cryptographic Algorithm in crypto2
The implementation does not enforce alignment requirements on input slices while incorrectly assuming 4-byte alignment through an unsafe call to std::slice::from_raw_parts_mut, which breaks that function's contract and introduces undefined behavior. This affects ChaCha20 encryption and decryption in crypto2...
CVE-2021-44878
If an OpenID Connect provider supports the "none" algorithm i.e., tokens with no signature, pac4j v5.3.0 and prior does not refuse it without an explicit configuration on its side or for the "idtoken" response type which is not secure and violates the OpenID Core Specification. The "none" algorit...
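The pac4j entries above (GHSA-XHW6-HJC9-679M / CVE-2021-44878 and the "Insecure Token" record) all describe the same failure: a relying party that takes the signing algorithm from the token's own header and therefore skips signature verification when `alg` is `none`. The following Go program is an added example, not pac4j's code, showing a forged unsigned ID token, a lenient verifier that accepts it, and a hardened verifier that only honours the algorithms fixed at client-registration time. Everything here is constructed: the client secret, the HS256-signed token assumption (real providers normally use RS256), and the claim values.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
)

// Constructed client secret standing in for the secret the relying party shares
// with the OpenID Provider. Assumption for this example: ID tokens are HS256-signed.
var clientSecret = []byte("constructed-client-secret-not-a-real-one")

type joseHeader struct {
	Alg string `json:"alg"`
	Typ string `json:"typ,omitempty"`
}

func b64url(b []byte) string { return base64.RawURLEncoding.EncodeToString(b) }

// encodeIDToken builds header.payload.signature. For alg "none" the signature part
// is empty, which is exactly what an attacker submits to a relying party that trusts alg.
func encodeIDToken(alg string, claims map[string]any, key []byte) string {
	h, _ := json.Marshal(joseHeader{Alg: alg, Typ: "JWT"})
	p, _ := json.Marshal(claims)
	signingInput := b64url(h) + "." + b64url(p)
	if alg == "none" {
		return signingInput + "."
	}
	mac := hmac.New(sha256.New, key)
	mac.Write([]byte(signingInput))
	return signingInput + "." + b64url(mac.Sum(nil))
}

// verifyIDToken accepts only algorithms listed in allowedAlgs, a set the relying party
// fixes at registration time instead of reading from the token. Returns the claims on success.
func verifyIDToken(token string, key []byte, allowedAlgs map[string]bool) (map[string]any, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, errors.New("malformed token")
	}
	hb, err := base64.RawURLEncoding.DecodeString(parts[0])
	if err != nil {
		return nil, fmt.Errorf("bad header: %w", err)
	}
	var h joseHeader
	if err := json.Unmarshal(hb, &h); err != nil {
		return nil, fmt.Errorf("bad header: %w", err)
	}
	if !allowedAlgs[h.Alg] {
		return nil, fmt.Errorf("alg %q not permitted for this client", h.Alg)
	}
	switch h.Alg {
	case "none":
		// Unsigned token: nothing to verify. Only reachable when explicitly allowed.
	case "HS256":
		mac := hmac.New(sha256.New, key)
		mac.Write([]byte(parts[0] + "." + parts[1]))
		sig, err := base64.RawURLEncoding.DecodeString(parts[2])
		if err != nil || !hmac.Equal(sig, mac.Sum(nil)) {
			return nil, errors.New("signature verification failed")
		}
	default:
		return nil, fmt.Errorf("unsupported alg %q", h.Alg)
	}
	pb, err := base64.RawURLEncoding.DecodeString(parts[1])
	if err != nil {
		return nil, fmt.Errorf("bad payload: %w", err)
	}
	var claims map[string]any
	if err := json.Unmarshal(pb, &claims); err != nil {
		return nil, fmt.Errorf("bad payload: %w", err)
	}
	return claims, nil
}

// LenientVerify mirrors the flawed behaviour: "none" is tolerated without any explicit opt-in.
func LenientVerify(token string) (map[string]any, error) {
	return verifyIDToken(token, clientSecret, map[string]bool{"HS256": true, "none": true})
}

// StrictVerify is the hardened form: only the registered signing algorithm is accepted.
func StrictVerify(token string) (map[string]any, error) {
	return verifyIDToken(token, clientSecret, map[string]bool{"HS256": true})
}

func main() {
	forged := encodeIDToken("none", map[string]any{"iss": "https://op.example", "sub": "admin"}, nil)
	_, lenientErr := LenientVerify(forged)
	_, strictErr := StrictVerify(forged)
	fmt.Printf("forged alg=none token: lenient err=%v, strict err=%v\n", lenientErr, strictErr)
}
```

The check that matters is the `allowedAlgs` lookup before the `switch`: the permitted algorithm set must come from the client's configuration, and `none` belongs in it only where OpenID Connect Core permits it, namely when the client registered for it and the ID token is not returned from the authorization endpoint (the `idtoken` response type named in the advisory is therefore never a legitimate case).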
CVE-2021-45458
Apache Kylin provides encryption classes PasswordPlaceholderConfigurer to help users encrypt their passwords. In the encryption algorithm used by this encryption class, the cipher is initialized with a hardcoded key and IV. If users use class PasswordPlaceholderConfigurer to encrypt their passwor...
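The Kylin entry above hinges on a cipher initialised with a key and IV that live in the source code. The Go program below is an added example, not Kylin's PasswordPlaceholderConfigurer, that reproduces the pattern beside a corrected form. The page does not name Kylin's cipher or parameters, so AES-128-CBC with PKCS#7 padding is assumed for the weak path, and the key and IV bytes are constructed stand-ins. The corrected path takes the key from the caller (in practice a keystore, KMS or deployment secret), draws a fresh nonce per message and uses AES-GCM so that ciphertexts are also authenticated.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// Constructed stand-ins for a key and IV compiled into the source. Assumption for this
// example only: AES-128-CBC with PKCS#7 padding; the advisory does not name the cipher.
var (
	hardcodedKey = []byte("0123456789abcdef")
	hardcodedIV  = []byte("fedcba9876543210")
)

func pkcs7Pad(b []byte, size int) []byte {
	n := size - len(b)%size
	return append(append([]byte{}, b...), bytes.Repeat([]byte{byte(n)}, n)...)
}

func pkcs7Unpad(b []byte, size int) ([]byte, error) {
	if len(b) == 0 || len(b)%size != 0 {
		return nil, errors.New("invalid padded length")
	}
	n := int(b[len(b)-1])
	if n == 0 || n > size || !bytes.Equal(b[len(b)-n:], bytes.Repeat([]byte{byte(n)}, n)) {
		return nil, errors.New("invalid padding")
	}
	return b[:len(b)-n], nil
}

// EncryptHardcoded reproduces the weak pattern: fixed key and fixed IV in the code. The
// output is deterministic, so equal passwords give equal ciphertexts, and anyone holding
// the source or binary holds the key.
func EncryptHardcoded(plain []byte) ([]byte, error) {
	block, err := aes.NewCipher(hardcodedKey)
	if err != nil {
		return nil, err
	}
	padded := pkcs7Pad(plain, aes.BlockSize)
	out := make([]byte, len(padded))
	cipher.NewCBCEncrypter(block, hardcodedIV).CryptBlocks(out, padded)
	return out, nil
}

// DecryptHardcoded needs nothing beyond the code base, which is the whole problem.
func DecryptHardcoded(ct []byte) ([]byte, error) {
	block, err := aes.NewCipher(hardcodedKey)
	if err != nil {
		return nil, err
	}
	if len(ct)%aes.BlockSize != 0 {
		return nil, errors.New("ciphertext not block aligned")
	}
	out := make([]byte, len(ct))
	cipher.NewCBCDecrypter(block, hardcodedIV).CryptBlocks(out, ct)
	return pkcs7Unpad(out, aes.BlockSize)
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// EncryptWithKey is the corrected form: key supplied by the caller, random nonce per
// message prepended to the output, and AES-GCM authenticating the ciphertext.
func EncryptWithKey(key, plain []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plain, nil), nil
}

// DecryptWithKey splits off the nonce and fails closed on any modification of the ciphertext.
func DecryptWithKey(key, ct []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(ct) < gcm.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	return gcm.Open(nil, ct[:gcm.NonceSize()], ct[gcm.NonceSize():], nil)
}

func main() {
	a, _ := EncryptHardcoded([]byte("hunter2"))
	b, _ := EncryptHardcoded([]byte("hunter2"))
	fmt.Println("hardcoded key/IV, same password twice, identical ciphertext:", bytes.Equal(a, b))
	key := make([]byte, 32) // in a real deployment loaded from a secret store, not generated here
	io.ReadFull(rand.Reader, key)
	c, _ := EncryptWithKey(key, []byte("hunter2"))
	d, _ := EncryptWithKey(key, []byte("hunter2"))
	fmt.Println("per-message nonce, identical ciphertext:", bytes.Equal(c, d))
}
```

Two practical notes: a grep for the hardcoded key string in a repository (or `strings` over the shipped jar) is the fastest way to confirm the weak pattern in any project, and with random 96-bit GCM nonces a single key should not encrypt more than roughly 2^32 messages before rotation.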
lockWithPermit() function allows for replay attacks and signature malleability
Handle: jayjonah8. Vulnerability details. Impact: In XDEFIDistribution.sol the lockWithPermit function calls permit on the XDEFI token. The problem with simply using permit alone for this is the message that is signed by the owner using the ECDSA algorithm. The message only contains the receiver...
ENC DataVault Encryption Issues Vulnerabilities
ENC DataVault is a product from the Dutch company ENC Security that turns any USB drive into a secure removable disk for important files. ENC DataVault 7.1.1W suffers from an encryption issue vulnerability that stems from its use of an incorrect encryption algorithm, which can b...
CVE-2021-42583
A Broken or Risky Cryptographic Algorithm exists in Max Mazurov Maddy before 0.5.2, which is an unnecessary risk that may result in the exposure of sensitive information...
CVE-2021-42583
Max Mazurov Maddy (github.com/foxcpp/maddy) is affected by a broken or risky cryptographic algorithm prior to version 0.5.2. The issue stems from the verify.go code-path in auth.shadow, where MD5-based hashing can lead to information disclosure. Multiple sources (CVE-2021-42583, GHSA-5R5W-H76P-M7...