Lucene search
+L

25 matches found

susecve
susecve
added yesterday4 views

SUSE CVE-2025-3879

Vault Community, Vault Enterprise “Vault” Azure Auth method did not correctly validate the claims in the Azure-issued token, resulting in the potential bypass of the boundlocations parameter on login. Fixed in Vault Community Edition 1.19.1 and Vault Enterprise 1.19.1, 1.18.7, 1.17.14, 1.16.18...

7.5CVSS6.7AI score0.00351EPSS
Exploits0References5
osv
osv
added 2026/06/25 10:34 p.m.5 views

GO-2026-5544 opentelemetry-collector-contrib's azureauthextension Authenticate method does not validate bearer tokens, allowing auth bypass via replay in github.com/open-telemetry/opentelemetry-collector-contrib/extension/azureauthextension

opentelemetry-collector-contrib's azureauthextension Authenticate method does not validate bearer tokens, allowing auth bypass via replay in github.com/open-telemetry/opentelemetry-collector-contrib/extension/azureauthextension...

8.1CVSS5.8AI score0.00222EPSS
Exploits1References2
osv
osv
added 2026/05/13 8:12 p.m.4 views

CVE-2026-42602 azureauthextension Authenticate method does not validate bearer tokens, allowing auth bypass via replay

azureauthextension is the Azure Authenticator Extension. From 0.124.0 to 0.150.0, a server-side authentication bypass in azureauthextension allows any party who holds a single valid Azure access token for any scope the collector's configured identity can mint for to authenticate to any...

8.1CVSS5.9AI score0.00222EPSS
Exploits1References3
attackerkb
attackerkb
added 2026/05/13 8:12 p.m.7 views

CVE-2026-42602

azureauthextension is the Azure Authenticator Extension. From 0.124.0 to 0.150.0, a server-side authentication bypass in azureauthextension allows any party who holds a single valid Azure access token for any scope the collector's configured identity can mint for to authenticate to any...

8.1CVSS5.8AI score0.00222EPSS
Exploits1References2Affected Software1
ptsecurity
ptsecurity
added 2026/05/12 12:0 a.m.15 views

PT-2026-40139

Name of the Vulnerable Software and Affected Versions Azure SDK for Java affected versions not specified Description Improper authentication in the Azure SDK for Java allows an unauthorized attacker to bypass a security feature over a network. Recommendations At the moment, there is no informatio...

9.1CVSS6AI score0.00479EPSS
Exploits0References6
snyk
snyk
added 2026/05/06 10:32 p.m.8 views

Improper Verification of Cryptographic Signature

Overview Affected versions of this package are vulnerable to Improper Verification of Cryptographic Signature in the azureauthextension method. An attacker can gain unauthorized access to telemetry ingestion endpoints by replaying a valid Azure access token for any scope the configured identity c...

8.1CVSS5.8AI score0.00222EPSS
Exploits1References3
osv
osv
added 2026/05/06 10:32 p.m.6 views

GHSA-PJV4-3C63-699F opentelemetry-collector-contrib's azureauthextension Authenticate method does not validate bearer tokens, allowing auth bypass via replay

Summary A server-side authentication bypass in azureauthextension allows any party who holds a single valid Azure access token for any scope the collector's configured identity can mint for to authenticate to any OpenTelemetry receiver that uses auth: azureauth. The extension's Authenticate metho...

8.1CVSS5.8AI score0.00222EPSS
Exploits1References3
github
github
added 2026/05/06 10:32 p.m.11 views

opentelemetry-collector-contrib's azureauthextension Authenticate method does not validate bearer tokens, allowing auth bypass via replay

Summary A server-side authentication bypass in azureauthextension allows any party who holds a single valid Azure access token for any scope the collector's configured identity can mint for to authenticate to any OpenTelemetry receiver that uses auth: azureauth. The extension's Authenticate metho...

8.1CVSS5.8AI score0.00222EPSS
Exploits1References3Affected Software1
ptsecurity
ptsecurity
added 2026/05/06 12:0 a.m.26 views

PT-2026-38281

Name of the Vulnerable Software and Affected Versions azureauthextension versions 0.124.0 through 0.150.0 Description A server-side authentication bypass exists in the azureauthextension when used by an OpenTelemetry receiver with auth: azure auth. The Authenticate function fails to validate...

8.1CVSS5.8AI score0.00222EPSS
Exploits1References7
bdu_fstec
bdu_fstec
added 2025/07/16 12:0 a.m.9 views

The vulnerability of the Azure Auth component of the Vault Enterprise platform for archiving corporate information allows a perpetrator to compromise the confidentiality, integrity, and accessibility of the protected information.

The vulnerability of Azure Auth component in the Vault Enterprise archiving platform relates to improper authorization. Exploiting this vulnerability could allow a malicious actor to compromise the confidentiality, integrity, and accessibility of the protected information...

7.1CVSS6.8AI score0.00351EPSS
Exploits0References3Affected Software3
cvelist
cvelist
added 2025/05/02 4:15 p.m.34 views

CVE-2025-3879 Vault’s Azure Authentication Method bound_location Restriction Could be Bypassed on Login

Vault Community, Vault Enterprise “Vault” Azure Auth method did not correctly validate the claims in the Azure-issued token, resulting in the potential bypass of the boundlocations parameter on login. Fixed in Vault Community Edition 1.19.1 and Vault Enterprise 1.19.1, 1.18.7, 1.17.14, 1.16.18...

6.6CVSS0.00351EPSS
Exploits0References1
vulnrichment
vulnrichment
added 2025/05/02 4:15 p.m.10 views

CVE-2025-3879 Vault’s Azure Authentication Method bound_location Restriction Could be Bypassed on Login

Vault Community, Vault Enterprise “Vault” Azure Auth method did not correctly validate the claims in the Azure-issued token, resulting in the potential bypass of the boundlocations parameter on login. Fixed in Vault Community Edition 1.19.1 and Vault Enterprise 1.19.1, 1.18.7, 1.17.14, 1.16.18...

6.6CVSS6.5AI score0.00351EPSS
Exploits0References1
cve
cve
added 2025/05/02 4:15 p.m.130 views

CVE-2025-3879

CVE-2025-3879 affects Vault (Vault Community and Vault Enterprise) where the Azure Auth method did not correctly validate claims in the Azure-issued token, allowing potential bypass of the bound_locations restriction on login. The issue is described across multiple sources and is evidenced by OSV...

8.8CVSS6.5AI score0.00351EPSS
Exploits0References1Affected Software1
osv
osv
added 2025/05/02 4:15 p.m.4 views

CVE-2025-3879 Vault’s Azure Authentication Method bound_location Restriction Could be Bypassed on Login

Vault Community, Vault Enterprise “Vault” Azure Auth method did not correctly validate the claims in the Azure-issued token, resulting in the potential bypass of the boundlocations parameter on login. Fixed in Vault Community Edition 1.19.1 and Vault Enterprise 1.19.1, 1.18.7, 1.17.14, 1.16.18...

6.6CVSS6.8AI score0.00351EPSS
Exploits0References4
hashicorp
hashicorp
added 2025/05/02 2:52 p.m.7 views

Vault’s Azure Authentication Method bound_location Restriction Could be Bypassed on Login

Summary Vault Community, Vault Enterprise “Vault” Azure Auth method did not correctly validate the claims in the Azure-issued token, resulting in the potential bypass of the boundlocations parameter on login. This vulnerability, identified as CVE-2025-3879, is fixed in Vault Community Edition...

8.8CVSS6.7AI score0.00351EPSS
Exploits0Affected Software1
veracode
veracode
added 2025/03/17 5:53 p.m.12 views

Improper Authentication

Ratify is vulnerable to Improper Authentication. The vulnerability is due to insufficient registry validation due to the Azure authentication providers failing to verify that the target registry is an Azure Container Registry ACR before exchanging an Entra ID EID token, potentially exposing token...

7.2CVSS6.8AI score0.00445EPSS
Exploits0References4Affected Software2
osv
osv
added 2025/03/13 2:46 p.m.12 views

GO-2025-3511 Ratify Azure authentication providers can leak authentication tokens to non-Azure container registries in github.com/deislabs/ratify

Ratify Azure authentication providers can leak authentication tokens to non-Azure container registries in github.com/deislabs/ratify...

7.2CVSS6.8AI score0.00445EPSS
Exploits0References4
snyk
snyk
added 2025/03/11 3:27 p.m.3 views

Exposure of Sensitive System Information to an Unauthorized Control Sphere

Overview Affected versions of this package are vulnerable to Exposure of Sensitive System Information to an Unauthorized Control Sphere due to the improper validation of target registry domains during the token exchange process. An attacker can extract and misuse authentication tokens by directin...

8.2CVSS7AI score0.00445EPSS
Exploits0References2
osv
osv
added 2025/03/11 3:27 p.m.8 views

GHSA-44F7-5FJ5-H4PX Ratify Azure authentication providers can leak authentication tokens to non-Azure container registries

Impact In a Kubernetes environment, Ratify can be configured to authenticate to a private Azure Container Registry ACR. The Azure workload identity and Azure managed identity authentication providers are configured in this setup. Users that configure a private ACR to be used with the Azure...

7.2CVSS6.9AI score0.00445EPSS
Exploits0References6
github
github
added 2025/03/11 3:27 p.m.18 views

Ratify Azure authentication providers can leak authentication tokens to non-Azure container registries

Impact In a Kubernetes environment, Ratify can be configured to authenticate to a private Azure Container Registry ACR. The Azure workload identity and Azure managed identity authentication providers are configured in this setup. Users that configure a private ACR to be used with the Azure...

7.2CVSS6.9AI score0.00445EPSS
Exploits0References6Affected Software2
Rows per page
Query Builder