@backstage/plugin-auth-backend (>=0.0.0-nightly-20240122021809 <=0.22.11), @backstage/plugin-auth-backend-module-aws-alb-provider (>=0.0.0-nightly-20240126021148 <=0.4.14-next.1) +7 more potentially affected by CVE-2026-32235 via @backstage/plugin-auth-backend (>=0.0.0-nightly-20240929023448 <=0.27.1-next.2)

@backstage/plugin-auth-backend NPM version =0.0.0-nightly-20240929023448, =0.0.0-nightly-20240122021809, =0.0.0-nightly-20240126021148, =0.0.0-nightly-20240122021809, =0.0.0-nightly-2022122206, =0.0.0-nightly-2022122206, =0.0.0-nightly-2022122206, =1.0.0, =1.2.0 -...

EUVD-2025-4584

Malicious code in bioql PyPI...

Authentication Bypass

github.com/hashicorp-forge/hermes is vulnerable to Authentication Bypass. The vulnerability is due to improper validation of JWT when using the AWS ALB authentication mode, potentially allowing an authentication bypass attack...

CVE-2025-1293

Hermes versions up to 0.4.0 improperly validated the JWT provided when using the AWS ALB authentication mode, potentially allowing for authentication bypass. This vulnerability, CVE-2025-1293, was fixed in Hermes 0.5.0...

GHSA-VXM9-8MFW-VC6G Hermes improperly validates a JWT

Hermes versions up to 0.4.0 improperly validated the JWT provided when using the AWS ALB authentication mode, potentially allowing for authentication bypass. This vulnerability, CVE-2025-1293, was fixed in Hermes 0.5.0...

Hermes improperly validates a JWT

Hermes versions up to 0.4.0 improperly validated the JWT provided when using the AWS ALB authentication mode, potentially allowing for authentication bypass. This vulnerability, CVE-2025-1293, was fixed in Hermes 0.5.0...

CVE-2025-1293

Hermes versions up to 0.4.0 improperly validated the JWT provided when using the AWS ALB authentication mode, potentially allowing for authentication bypass. This vulnerability, CVE-2025-1293, was fixed in Hermes 0.5.0...

CVE-2025-1293

Hermes versions up to 0.4.0 improperly validated the JWT provided when using the AWS ALB authentication mode, potentially allowing for authentication bypass. This vulnerability, CVE-2025-1293, was fixed in Hermes 0.5.0...

CVE-2025-1293

Hermes versions up to 0.4.0 improperly validated JWTs when using AWS ALB authentication, potentially allowing authentication bypass. Root cause: JWT validation flaw in the AWS ALB auth flow. Impact per CVE: authentication bypass with high severity (CVSSv3.1 base score 8.2). Affected versions: up ...

CVE-2025-1293 HashiCorp Hermes Improperly Validates AWS ALB JWTs, which May Lead to Authentication Bypass

Hermes versions up to 0.4.0 improperly validated the JWT provided when using the AWS ALB authentication mode, potentially allowing for authentication bypass. This vulnerability, CVE-2025-1293, was fixed in Hermes 0.5.0...

CVE-2025-1293 HashiCorp Hermes Improperly Validates AWS ALB JWTs, which May Lead to Authentication Bypass

Hermes versions up to 0.4.0 improperly validated the JWT provided when using the AWS ALB authentication mode, potentially allowing for authentication bypass. This vulnerability, CVE-2025-1293, was fixed in Hermes 0.5.0...

CVE-2025-25182 Stroom Authentication/Authorization Bypass when using AWS ALB

Stroom is a data processing, storage and analysis platform. A vulnerability exists starting in version 7.2-beta.53 and prior to versions 7.2.24, 7.3-beta.22, 7.4.4, and 7.5-beta.2 that allows authentication bypass to a Stroom system when configured with ALB and installed in a way that the...

GO-2024-3210 Lack of JWT issuer and signer validation in github.com/awslabs/aws-alb-route-directive-adapter-for-istio

Lack of JWT issuer and signer validation in github.com/awslabs/aws-alb-route-directive-adapter-for-istio...

CVE-2024-8901 Lack of JWT issuer and signer validation

The AWS ALB Route Directive Adapter For Istio repo https://github.com/awslabs/aws-alb-route-directive-adapter-for-istio/tree/master provides an OIDC authentication mechanism that was integrated into the open source Kubeflow project. The adapter uses JWT for authentication, but lacks proper signer...

CVE-2024-8901 Lack of JWT issuer and signer validation

The AWS ALB Route Directive Adapter For Istio repo https://github.com/awslabs/aws-alb-route-directive-adapter-for-istio/tree/master provides an OIDC authentication mechanism that was integrated into the open source Kubeflow project. The adapter uses JWT for authentication, but lacks proper signer...

HTTP Client in JIRA does not accept RFC6265 compliant date format in "Expires" cookie header

When using AWS Application Load Balancer, the following WARN log messages are shown in the logs, as JIRA does not understand the "Expires" header used for sticky sessions. code:java 2017-09-27 01:44:47,292 HealthCheck:thread-7 WARN o.a.h.client.protocol.ResponseProcessCookies Invalid cookie heade...