Lucene search

21 matches found

Github Security Blog
added 2026/03/24 7:11 p.m. · 3 views

Parse Server: Denial of Service via unindexed database query for unconfigured auth providers

Impact An unauthenticated attacker can cause Denial of Service by sending authentication requests with arbitrary, unconfigured provider names. The server executes a database query for each unconfigured provider before rejecting the request, and since no database index exists for unconfigured...

CVSS 8.7 · AI score 5.8 · EPSS 0.00142
Exploits 0 · References 7 · Affected Software 1
OSV
added 2026/03/24 7:11 p.m. · 1 view

GHSA-G4CF-XJ29-WQQR Parse Server: Denial of Service via unindexed database query for unconfigured auth providers

Impact An unauthenticated attacker can cause Denial of Service by sending authentication requests with arbitrary, unconfigured provider names. The server executes a database query for each unconfigured provider before rejecting the request, and since no database index exists for unconfigured...

CVSS 8.7 · AI score 5.9 · EPSS 0.00142
Exploits 0 · References 7
OSV
added 2026/03/19 9:32 p.m. · 2 views

GHSA-PFJ7-WV7C-22PR Parse Server has an auth provider validation bypass on login via partial authData

Impact An authentication bypass vulnerability allows an attacker to log in as any user who has linked a third-party authentication provider, without knowing the user's credentials. The attacker only needs to know the user's provider ID to gain full access to their account, including a valid sessi...

CVSS 9.1 · AI score 5.8 · EPSS 0.00028
Exploits 0 · References 7
EUVD
added 2025/10/03 8:07 p.m. · 1 view

EUVD-2022-3246

Malicious code in bioql PyPI...

CVSS 7.5 · AI score 6.1 · EPSS 0.00771
Exploits 1 · References 5
RedhatCVE
added 2025/05/23 9:45 a.m. · 2 views

CVE-2024-25618

Mastodon is a free, open-source social network server based on ActivityPub. Mastodon allows new identities from configured authentication providers CAS, SAML, OIDC to attach to existing local users with the same e-mail address. This results in a possible account takeover if the authentication...

CVSS 7.4 · AI score 6.5 · EPSS 0.0038
Exploits 1 · References 1
Snyk
added 2025/03/11 3:27 p.m. · 1 view

Exposure of Sensitive System Information to an Unauthorized Control Sphere

Overview Affected versions of this package are vulnerable to Exposure of Sensitive System Information to an Unauthorized Control Sphere due to the improper validation of target registry domains during the token exchange process. An attacker can extract and misuse authentication tokens by directin...

CVSS 8.2 · AI score 7 · EPSS 0.00234
Exploits 0 · References 2
OSV
added 2025/02/06 6:31 p.m. · 4 views

GHSA-2HJH-495W-HMXC Withdrawn Advisory: Sylius allows unrestricted brute-force attacks on user accounts

Withdrawn Advisory This advisory has been withdrawn because it is not a vulnerability in the Sylius framework. This link is maintained to preserve external references. Original Description A rate limiting issue in Sylius v2.0.2 allows a remote attacker to perform unrestricted brute-force attacks ...

CVSS 6.9 · AI score 7 · EPSS 0.09773
Exploits 1 · References 5
OSV
added 2024/03/31 6:21 p.m. · 11 views

BIT-MASTODON-2024-25618 External OpenID Connect Account Takeover by E-Mail Change in mastodon

Mastodon is a free, open-source social network server based on ActivityPub. Mastodon allows new identities from configured authentication providers CAS, SAML, OIDC to attach to existing local users with the same e-mail address. This results in a possible account takeover if the authentication...

CVSS 7.4 · AI score 5.1 · EPSS 0.0038
Exploits 1 · References 3
CVE
added 2024/02/14 8:45 p.m. · 36 views

CVE-2024-25618

CVE-2024-25618 (Mastodon) describes an account takeover risk when external identity providers (CAS, SAML, OIDC) attach new identities to existing Mastodon users via shared email addresses. The issue occurs if the provider allows changing a user’s email (or supports multiple providers) and Mastodo...

CVSS 7.4 · AI score 4.4 · EPSS 0.0038
Exploits 1 · References 2 · Affected Software 1
OSV
added 2024/02/14 8:45 p.m. · 17 views

CVE-2024-25618 External OpenID Connect Account Takeover by E-Mail Change in mastodon

Mastodon is a free, open-source social network server based on ActivityPub. Mastodon allows new identities from configured authentication providers CAS, SAML, OIDC to attach to existing local users with the same e-mail address. This results in a possible account takeover if the authentication...

CVSS 4.2 · AI score 4.6 · EPSS 0.0038
Exploits 1 · References 4
Positive Technologies
added 2024/02/14 12:00 a.m. · 3 views

PT-2024-2727 · Mastodon · Mastodon

Name of the Vulnerable Software and Affected Versions: Mastodon versions prior to 3.5.18 Mastodon versions prior to 4.0.14 Mastodon versions prior to 4.1.14 Mastodon versions prior to 4.2.6 Description: The issue is related to the implementation of CAS, SAML, and OpenID Connect protocols in...

CVSS 7.4 · AI score 7.1 · EPSS 0.0038
Exploits 1 · References 11
Github Security Blog
added 2024/02/08 6:44 p.m. · 29 views

Rancher 'Audit Log' leaks sensitive information

Impact A vulnerability has been identified which may lead to sensitive data being leaked into Rancher's audit logs. Rancher Audit Logging is an opt-in feature, only deployments that have it enabled and have AUDITLEVEL set to 1 or above are impacted by this issue. The leaks might be caught in the...

CVSS 8.4 · AI score 6.4 · EPSS 0.4519
Exploits 1 · References 4 · Affected Software 1
The Hacker News
added 2023/01/16 12:22 p.m. · 18 views

A Secure User Authentication Method – Planning is More Important than Ever

When considering authentication providers, many organizations consider the ease of configuration, ubiquity of usage, and technical stability. Organizations cannot always be judged on those metrics alone. There is an increasing need to evaluate company ownership, policies and the stability, or...

AI score 0.3
Exploits 0
CNNVD
added 2021/02/02 12:00 a.m. · 2 views

OAuth2 Proxy Input Validation Error Vulnerability

OAuth2 Proxy is a reverse proxy that provides authentication with Google, Github, or other providers. A security vulnerability exists in OAuth2 Proxy that stems from allowing domains that end in a manner similar to the expected domain to be used as redirects...

CVSS 6.1 · AI score 6.3 · EPSS 0.0024
Exploits 1 · References 5
OSV
added 2018/10/19 4:41 p.m. · 22 views

GHSA-6W3V-66MJ-2QM6 Moderate severity vulnerability that affects org.apache.qpid:apache-qpid-broker-j

A Denial of Service vulnerability was found in Apache Qpid Broker-J 7.0.0 in functionality for authentication of connections for AMQP protocols 0-8, 0-9, 0-91 and 0-10 when the PLAIN or XOAUTH2 SASL mechanism is used. The vulnerability allows an unauthenticated attacker to crash the broker instance. AMQ...

CVSS 5.9 · AI score 6.1 · EPSS 0.00754
Exploits 0 · References 3
Github Security Blog
added 2018/10/19 4:41 p.m. · 23 views

Moderate severity vulnerability that affects org.apache.qpid:apache-qpid-broker-j

A Denial of Service vulnerability was found in Apache Qpid Broker-J 7.0.0 in functionality for authentication of connections for AMQP protocols 0-8, 0-9, 0-91 and 0-10 when the PLAIN or XOAUTH2 SASL mechanism is used. The vulnerability allows an unauthenticated attacker to crash the broker instance. AMQ...

CVSS 5.9 · AI score 2.3 · EPSS 0.00754
Exploits 0 · References 3 · Affected Software 1
NVD
added 2018/02/09 2:29 p.m. · 17 views

CVE-2018-1298

A Denial of Service vulnerability was found in Apache Qpid Broker-J 7.0.0 in functionality for authentication of connections for AMQP protocols 0-8, 0-9, 0-91 and 0-10 when the PLAIN or XOAUTH2 SASL mechanism is used. The vulnerability allows an unauthenticated attacker to crash the broker instance. AMQ...

CVSS 5.9 · AI score 5.9 · EPSS 0.00754
Exploits 0 · References 1
OSV
added 2018/02/09 2:29 p.m. · 13 views

CVE-2018-1298

A Denial of Service vulnerability was found in Apache Qpid Broker-J 7.0.0 in functionality for authentication of connections for AMQP protocols 0-8, 0-9, 0-91 and 0-10 when the PLAIN or XOAUTH2 SASL mechanism is used. The vulnerability allows an unauthenticated attacker to crash the broker instance. AMQ...

CVSS 5.9 · AI score 6.2
Exploits 0 · References 1
Prion
added 2018/02/09 2:29 p.m. · 18 views

Authentication flaw

A Denial of Service vulnerability was found in Apache Qpid Broker-J 7.0.0 in functionality for authentication of connections for AMQP protocols 0-8, 0-9, 0-91 and 0-10 when the PLAIN or XOAUTH2 SASL mechanism is used. The vulnerability allows an unauthenticated attacker to crash the broker instance. AMQ...

CVSS 4.3 · AI score 5.9 · EPSS 0.00754
Exploits 0 · References 1 · Affected Software 1
CVE
added 2018/02/09 2:00 p.m. · 52 views

CVE-2018-1298

CVE-2018-1298 describes a Denial of Service in Apache Qpid Broker-J 7.0.0 related to authentication of AMQP connections. The issue occurs when using PLAIN or XOAUTH2 SASL mechanisms during SASL negotiation, where unauthenticated attackers may crash the broker. Affected scope includes AMQP protoco...

CVSS 5.9 · AI score 6.1 · EPSS 0.00754
Exploits 0 · References 1 · Affected Software 1