Lucene search
K

18 matches found

RedhatCVE
RedhatCVE
added yesterday7 views

CVE-2026-54430

A flaw was found in liboauth2 in the oauth2josejwksawsalbresolve function. The AWS ALB JWT verifier reads the signer and kid fields from the unverified JWT header. When signer matches the configured ARN, kid is appended to the ALB base URL without path sanitization, and an HTTP GET request is...

5.8CVSS5.8AI score0.00121EPSS
Exploits0References6
NVD
NVD
added 2 days ago10 views

CVE-2026-54430

liboauth2 is vulnerable to Server-Side Request Forgery in oauth2josejwksawsalbresolve function. The AWS ALB verifier reads both signer and kid from the unverified JWT header. If signer matches the configured ARN, kid is appended to albbaseurl without URL encoding or path sanitization, and the HTT...

5.1CVSS0.00121EPSS
Exploits0References3
vulnersOsv
vulnersOsv
added 2026/03/12 2:50 p.m.7 views

@backstage/plugin-auth-backend (>=0.0.0-nightly-20240122021809 <=0.22.11), @backstage/plugin-auth-backend-module-aws-alb-provider (>=0.0.0-nightly-20240126021148 <=0.4.14-next.1) +7 more potentially affected by CVE-2026-32235 via @backstage/plugin-auth-backend (>=0.0.0-nightly-20240929023448 <=0.27.1-next.2)

@backstage/plugin-auth-backend NPM version =0.0.0-nightly-20240929023448, =0.0.0-nightly-20240122021809, =0.0.0-nightly-20240126021148, =0.0.0-nightly-20240122021809, =0.0.0-nightly-2022122206, =0.0.0-nightly-2022122206, =0.0.0-nightly-2022122206, =1.0.0, =1.2.0 -...

5.9CVSS5.8AI score0.00139EPSS
Exploits0
EUVD
EUVD
added 2025/10/03 8:7 p.m.4 views

EUVD-2025-4584

Malicious code in bioql PyPI...

8.2CVSS6.3AI score0.00321EPSS
Exploits0References4
Veracode
Veracode
added 2025/02/25 7:22 a.m.6 views

Authentication Bypass

github.com/hashicorp-forge/hermes is vulnerable to Authentication Bypass. The vulnerability is due to improper validation of JWT when using the AWS ALB authentication mode, potentially allowing an authentication bypass attack...

8.2CVSS7.4AI score0.00321EPSS
Exploits0References3Affected Software1
RedhatCVE
RedhatCVE
added 2025/02/22 1:23 a.m.10 views

CVE-2025-1293

Hermes versions up to 0.4.0 improperly validated the JWT provided when using the AWS ALB authentication mode, potentially allowing for authentication bypass. This vulnerability, CVE-2025-1293, was fixed in Hermes 0.5.0...

8.2CVSS7AI score0.00321EPSS
Exploits0References1
OSV
OSV
added 2025/02/20 3:32 a.m.12 views

GHSA-VXM9-8MFW-VC6G Hermes improperly validates a JWT

Hermes versions up to 0.4.0 improperly validated the JWT provided when using the AWS ALB authentication mode, potentially allowing for authentication bypass. This vulnerability, CVE-2025-1293, was fixed in Hermes 0.5.0...

8.2CVSS7AI score0.00321EPSS
Exploits0References4
Github Security Blog
Github Security Blog
added 2025/02/20 3:32 a.m.36 views

Hermes improperly validates a JWT

Hermes versions up to 0.4.0 improperly validated the JWT provided when using the AWS ALB authentication mode, potentially allowing for authentication bypass. This vulnerability, CVE-2025-1293, was fixed in Hermes 0.5.0...

8.2CVSS8.3AI score0.00321EPSS
Exploits0References4Affected Software1
NVD
NVD
added 2025/02/20 1:15 a.m.17 views

CVE-2025-1293

Hermes versions up to 0.4.0 improperly validated the JWT provided when using the AWS ALB authentication mode, potentially allowing for authentication bypass. This vulnerability, CVE-2025-1293, was fixed in Hermes 0.5.0...

8.2CVSS0.00321EPSS
Exploits0References1
OSV
OSV
added 2025/02/20 1:15 a.m.6 views

CVE-2025-1293

Hermes versions up to 0.4.0 improperly validated the JWT provided when using the AWS ALB authentication mode, potentially allowing for authentication bypass. This vulnerability, CVE-2025-1293, was fixed in Hermes 0.5.0...

8.2CVSS6.8AI score
Exploits0References1
Vulnrichment
Vulnrichment
added 2025/02/20 12:28 a.m.9 views

CVE-2025-1293 HashiCorp Hermes Improperly Validates AWS ALB JWTs, which May Lead to Authentication Bypass

Hermes versions up to 0.4.0 improperly validated the JWT provided when using the AWS ALB authentication mode, potentially allowing for authentication bypass. This vulnerability, CVE-2025-1293, was fixed in Hermes 0.5.0...

8.2CVSS8.3AI score0.00321EPSS
Exploits0References1
CVE
CVE
added 2025/02/20 12:28 a.m.102 views

CVE-2025-1293

Hermes versions up to 0.4.0 improperly validated JWTs when using AWS ALB authentication, potentially allowing authentication bypass. Root cause: JWT validation flaw in the AWS ALB auth flow. Impact per CVE: authentication bypass with high severity (CVSSv3.1 base score 8.2). Affected versions: up ...

8.2CVSS8.3AI score0.00321EPSS
Exploits0References1Affected Software1
Cvelist
Cvelist
added 2025/02/20 12:28 a.m.31 views

CVE-2025-1293 HashiCorp Hermes Improperly Validates AWS ALB JWTs, which May Lead to Authentication Bypass

Hermes versions up to 0.4.0 improperly validated the JWT provided when using the AWS ALB authentication mode, potentially allowing for authentication bypass. This vulnerability, CVE-2025-1293, was fixed in Hermes 0.5.0...

8.2CVSS0.00321EPSS
Exploits0References1
Vulnrichment
Vulnrichment
added 2025/02/12 4:16 p.m.6 views

CVE-2025-25182 Stroom Authentication/Authorization Bypass when using AWS ALB

Stroom is a data processing, storage and analysis platform. A vulnerability exists starting in version 7.2-beta.53 and prior to versions 7.2.24, 7.3-beta.22, 7.4.4, and 7.5-beta.2 that allows authentication bypass to a Stroom system when configured with ALB and installed in a way that the...

9.4CVSS9.7AI score0.00643EPSS
Exploits0References2
OSV
OSV
added 2024/10/28 3:20 p.m.26 views

GO-2024-3210 Lack of JWT issuer and signer validation in github.com/awslabs/aws-alb-route-directive-adapter-for-istio

Lack of JWT issuer and signer validation in github.com/awslabs/aws-alb-route-directive-adapter-for-istio...

7.5CVSS8.5AI score0.00358EPSS
Exploits0References3
Cvelist
Cvelist
added 2024/10/21 11:19 p.m.31 views

CVE-2024-8901 Lack of JWT issuer and signer validation

The AWS ALB Route Directive Adapter For Istio repo https://github.com/awslabs/aws-alb-route-directive-adapter-for-istio/tree/master provides an OIDC authentication mechanism that was integrated into the open source Kubeflow project. The adapter uses JWT for authentication, but lacks proper signer...

7.5CVSS0.00358EPSS
Exploits0References2
Vulnrichment
Vulnrichment
added 2024/10/21 11:19 p.m.13 views

CVE-2024-8901 Lack of JWT issuer and signer validation

The AWS ALB Route Directive Adapter For Istio repo https://github.com/awslabs/aws-alb-route-directive-adapter-for-istio/tree/master provides an OIDC authentication mechanism that was integrated into the open source Kubeflow project. The adapter uses JWT for authentication, but lacks proper signer...

7.5CVSS7.8AI score0.00358EPSS
Exploits0References2
Atlassian
Atlassian
added 2017/10/01 11:57 p.m.25 views

HTTP Client in JIRA does not accept RFC6265 compliant date format in "Expires" cookie header

When using AWS Application Load Balancer, the following WARN log messages are shown in the logs, as JIRA does not understand the "Expires" header used for sticky sessions. code:java 2017-09-27 01:44:47,292 HealthCheck:thread-7 WARN o.a.h.client.protocol.ResponseProcessCookies Invalid cookie heade...

0.2AI score
Exploits0Affected Software1
Rows per page
Query Builder