Lucene search
K

62 matches found

Positive Technologies
Positive Technologies
added 2022/04/21 12:0 a.m.4 views

PT-2022-15749 · Spring · Spring Security Oauth

Name of the Vulnerable Software and Affected Versions: Spring Security OAuth versions 2.5.x prior to 2.5.2 Spring Security OAuth older unsupported versions Description: The issue is a Denial-of-Service DoS attack via the initiation of the Authorization Request in an OAuth 2.0 Client application. ...

6.5CVSS9.2AI score0.01199EPSS
Exploits0References8
BDU FSTEC
BDU FSTEC
added 2021/12/08 12:0 a.m.3 views

The vulnerability of MasterCard Tokenisation Service (MDES) and Visa Tokenisation Service (VTS) lies in the possibility of arbitrary modification of the “Amount” field in the Authorization Request ISO 8583 packet. This allows attackers to use cryptographic algorithms to carry out fraudulent transactions.

The vulnerability of MasterCard Tokenisation Service MDES and Visa Tokenisation Service VTS lies in the possibility of arbitrary modification of the “Amount” field in the Authorisation Request ISO 8583 packet. Exploiting this vulnerability could allow attackers to use cryptographic keys to carry...

4.1CVSS5.6AI score
Exploits0
BDU FSTEC
BDU FSTEC
added 2021/12/08 12:0 a.m.17 views

The vulnerability of MasterCard, Visa, and American Express payment services lies in the insufficient authorization of ARQC cryptographic algorithms generated by Apple Pay, Samsung Pay, and GPay mobile wallets. This allows attackers to use AAC cryptographic algorithms on payment services, thereby enabling them to intercept transactions when the wallet or payment terminal decides to reject a transaction.

The vulnerability of MasterCard, Visa, and American Express tokenization services is related to the insufficient authorization of ARQC cryptographic keys generated by Apple Pay, Samsung Pay, and GPay mobile wallets. Exploiting this vulnerability could allow attackers to use AAC cryptographic keys...

6.8CVSS5.5AI score
Exploits0
BDU FSTEC
BDU FSTEC
added 2021/12/08 12:0 a.m.17 views

The vulnerability of MasterCard Tokenisation Service (MDES) and Visa Tokenisation Service (VTS) lies in the absence of critical fields in the ARQC cryptographic algorithm (such as 9F15 MCC), which allows a malicious actor to disclose protected information.

The vulnerability of MasterCard Tokenisation Service MDES and Visa Tokenisation Service VTS lies in the possibility of arbitrary modification of the “Amount” field in the Authorisation Request ISO 8583 packet. Exploiting this vulnerability could allow a malicious actor to disclose protected...

6.8CVSS5.5AI score
Exploits0
OSV
OSV
added 2021/07/02 6:33 p.m.2 views

GHSA-W9JG-GVGR-354M Resource Exhaustion in Spring Security

Spring Security versions 5.5.x prior to 5.5.1, 5.4.x prior to 5.4.7, 5.3.x prior to 5.3.10 and 5.2.x prior to 5.2.11 are susceptible to a Denial-of-Service DoS attack via the initiation of the Authorization Request in an OAuth 2.0 Client Web and WebFlux application. A malicious user or attacker c...

7.5CVSS6.9AI score0.06001EPSS
Exploits0References12
Github Security Blog
Github Security Blog
added 2021/07/02 6:33 p.m.84 views

Resource Exhaustion in Spring Security

Spring Security versions 5.5.x prior to 5.5.1, 5.4.x prior to 5.4.7, 5.3.x prior to 5.3.10 and 5.2.x prior to 5.2.11 are susceptible to a Denial-of-Service DoS attack via the initiation of the Authorization Request in an OAuth 2.0 Client Web and WebFlux application. A malicious user or attacker c...

7.5CVSS2.6AI score0.06001EPSS
Exploits0References12Affected Software2
NVD
NVD
added 2021/06/29 5:15 p.m.14 views

CVE-2021-22119

Spring Security versions 5.5.x prior to 5.5.1, 5.4.x prior to 5.4.7, 5.3.x prior to 5.3.10 and 5.2.x prior to 5.2.11 are susceptible to a Denial-of-Service DoS attack via the initiation of the Authorization Request in an OAuth 2.0 Client Web and WebFlux application. A malicious user or attacker c...

7.5CVSS0.06001EPSS
Exploits0References9
CVE
CVE
added 2021/06/29 4:15 p.m.181 views

CVE-2021-22119

CVE-2021-22119 affects Spring Security: DoS via initiation of OAuth 2.0 Authorization Requests in Web and WebFlux clients. Affected versions include 5.5.x before 5.5.1, 5.4.x before 5.4.7, 5.3.x before 5.3.10, and 5.2.x before 5.2.11. Impact is denial of service (resource exhaustion) with a singl...

7.5CVSS7.4AI score0.06001EPSS
Exploits0References9Affected Software1
CNNVD
CNNVD
added 2021/02/23 12:0 a.m.8 views

MITREid Connect Security Breach

Michael Stepankin OpenID-Connect-Java-Spring-Server is a GlobalMichael Stepankin open source application that provides the OpenID Connect identity provider and a generic OAuth 2.0 authorization server. A security vulnerability exists in MITREid Connect through 1.3.3, which stems from the insecure...

9.1CVSS7.3AI score0.02222EPSS
Exploits1References4
Prion
Prion
added 2021/02/12 12:15 a.m.18 views

Design/Logic Flaw

This vulnerability allows network-adjacent attackers to execute arbitrary code on affected installations of D-Link DAP-1860 firmware version 1.04B03 WiFi extenders. Authentication is not required to exploit this vulnerability. The specific flaw exists within the HNAP service, which listens on TCP...

8.3CVSS8.8AI score0.09757EPSS
Exploits0References2Affected Software1
OSV
OSV
added 2019/09/25 8:15 p.m.13 views

CVE-2019-15941

OpenID Connect Issuer in LemonLDAP::NG 2.x through 2.0.5 may allow an attacker to bypass access control rules via a crafted OpenID Connect authorization request. To be vulnerable, there must exist an OIDC Relaying party within the LemonLDAP configuration with weaker access control rules than the...

9.8CVSS9.2AI score
Exploits0References4
RedHat Linux
RedHat Linux
added 2019/08/08 10:8 a.m.3 views

spring-security-oauth: Privilege escalation by manipulating saved authorization request

Spring Security OAuth, versions 2.3 prior to 2.3.4, and 2.2 prior to 2.2.3, and 2.1 prior to 2.1.3, and 2.0 prior to 2.0.16, and older unsupported versions could be susceptible to a privilege escalation under certain conditions. A malicious user or attacker can craft a request to the approval...

9.6CVSS5.8AI score0.02153EPSS
Exploits0References5
OSV
OSV
added 2019/07/26 1:15 p.m.2 views

DEBIAN-CVE-2019-13057

An issue was discovered in the server in OpenLDAP before 2.4.48. When the server administrator delegates rootDN database admin privileges for certain databases but wants to maintain isolation e.g., for multi-tenant deployments, slapd does not properly stop a rootDN from requesting authorization a...

4.9CVSS9.1AI score0.0321EPSS
Exploits0References1
Github Security Blog
Github Security Blog
added 2019/03/25 4:15 p.m.43 views

Doorkeeper-openid_connect contains Open Redirect

Doorkeeper::OpenidConnect aka the OpenID Connect extension for Doorkeeper 1.4.x and 1.5.x before 1.5.4 has an open redirect via the redirecturi field in an OAuth authorization request that results in an error response with the 'openid' scope and a prompt=none value. This allows phishing attacks...

6.1CVSS3.9AI score0.01349EPSS
Exploits0References5Affected Software1
Hacker One
Hacker One
added 2018/10/02 2:24 a.m.88 views

HackerOne: Revoking user session in https://hackerone.com/settings/sessions does not revoke the GraphQL query session

Hi Team, Summary: I have found an Insufficient Session Expiration on implementation of the new Revoke user session feature of HackerOne here: https://hackerone.com/settings/sessions Description: The new REVOKE session feature will destroy the session of the selected device, that means any request...

6.6AI score
Exploits0
RedHat Linux
RedHat Linux
added 2018/06/07 8:25 a.m.2 views

spring-security-oauth: remote code execution in the authorization process

Spring Security OAuth, versions 2.3 prior to 2.3.3, 2.2 prior to 2.2.2, 2.1 prior to 2.1.2, 2.0 prior to 2.0.15 and older unsupported versions contains a remote code execution vulnerability. A malicious user or attacker can craft an authorization request to the authorization endpoint that can lea...

9.8CVSS8AI score0.08352EPSS
Exploits2References4
seebug.org
seebug.org
added 2018/05/11 12:0 a.m.562 views

RCE with spring-security-oauth2 分析(CVE-2018-1260)

漏洞公告 环境搭建 利用github上已有的demo: git clone https://github.com/wanghongfei/spring-security-oauth2-example.git 确保导入的spring-security-oauth2为受影响版本,以这里为例为2.0.10 进入spring-security-oauth2-example,修改 cn/com/sina/alan/oauth/config/OAuthSecurityConfig.java的第67行: @Override public void...

7.5CVSS1AI score0.08352EPSS
Exploits2
Cvelist
Cvelist
added 2016/01/13 3:0 p.m.33 views

CVE-2015-8466

Swift3 before 1.9 allows remote attackers to conduct replay attacks via an Authorization request that lacks a Date header...

7.3AI score0.02013EPSS
Exploits0References5
CVE
CVE
added 2016/01/13 3:0 p.m.70 views

CVE-2015-8466

CVE-2015-8466 affects OpenStack Swift3 (S3 compatibility) middleware, allowing a remote replay attack when an Authorization request lacks a Date header. The issue is in Swift3 by default up to version 1.9. Public fixes are available in upstream Swift3 release 1.9. Debian lists fixed packages 1.7-...

7.4CVSS7.2AI score0.02013EPSS
Exploits0References5Affected Software1
Debian CVE
Debian CVE
added 2016/01/13 3:0 p.m.21 views

CVE-2015-8466

Removed by vendor...

7.4CVSS7.4AI score0.02013EPSS
Exploits0
Rows per page
Query Builder