CVE-2021-31231

The Alertmanager in Grafana Enterprise Metrics before 1.2.1 and Metrics Enterprise 1.2.1 has a local file disclosure vulnerability when experimental.alertmanager.enable-api is used. The HTTP basic auth passwordfile can be used as an attack vector to send any file content via a webhook. The...

CVE-2021-31231

The CVE affects Grafana Enterprise Metrics versions before 1.2.1 and Grafana Metrics Enterprise 1.2.1. It is a local file disclosure vulnerability triggered when experimental.alertmanager.enable-api is enabled. The HTTP basic auth password_file can be exploited to exfiltrate any file content via ...

PT-2021-7377 · Python +10 · Urllib +10

Name of the Vulnerable Software and Affected Versions: urllib affected versions not specified Description: A flaw in the AbstractBasicAuthHandler class of urllib allows an attacker controlling a malicious HTTP server to trigger a Regular Expression Denial of Service ReDOS during an authentication...

gnome-software and fwupd security, bug fix, and enhancement update

appstream-data 8-20200724 - Regenerate the RHEL metadata to include the EPEL apps too - Resolves: 1844488 8-20200630 - Regenerate the RHEL metadata - Resolves: 1844488 fwupd 1.4.2-4.0.1 - Build with the updated Oracle certificate - Use oraclesecureboot301 as certdir Orabug: 29881368 - Use new...

Server secret was included in static assets and served to clients

Impact Server JWT signing secret was included in static assets and served to clients. This ALLOWS Flood's builtin authentication to be bypassed. Given Flood is granted access to rTorrent's SCGI interface which is unprotected and ALLOWS arbitrary code execution and usually wide-ranging privileges ...

CVE-2020-4071 Timing attack on django-basic-auth-ip-whitelist

In django-basic-auth-ip-whitelist before 0.3.4, a potential timing attack exists on websites where the basic authentication is used or configured, i.e. BASICAUTHLOGIN and BASICAUTHPASSWORD is set. Currently the string comparison between configured credentials and the ones provided by users is...

CVE-2020-4071

CVE-2020-4071 applies to the django-basic-auth-ip-whitelist package prior to version 0.3.4. The issue is a timing-attack vulnerability caused by a character-by-character string comparison of configured BASIC_AUTH_LOGIN/BASIC_AUTH_PASSWORD against user input, which may allow an attacker within a l...

Security update for axel (moderate)

openSUSE Security Update: Security update for axel Announcement ID: openSUSE-SU-2020:0778-1 Rating: moderate References: 1172159 Cross-References: CVE-2020-13614 Affected Products: openSUSE Leap 15.1 An update that fixes one vulnerability is now available. Description: This update for axel fixes...

ambition-edc (>=0.3.68 <=0.3.72), caluma (>=5.2.1 <=5.6.0) +35 more potentially affected by CVE-2020-13596 via django (>=2.2.0 <=2.2.12)

django PYPI version =2.2.0, =0.3.68, =5.2.1, =0.1.0, =0.0.1, =0.0.1, =0.3.0a0, =0.0.1, =0.0.1, =0.0.26 and more Source cves: CVE-2020-13596 Source advisory: OSV:GHSA-2M34-JCJV-45XF...

ambition-edc (>=0.3.68 <=0.3.72), caluma (>=5.2.1 <=5.3.1) +28 more potentially affected by CVE-2020-9402 via django (>=2.2.0 <=2.2.10)

django PYPI version =2.2.0, =0.3.68, =5.2.1, =0.1.0, =0.0.1, =0.0.1, =0.0.1, =0.0.26 - django-smorest =0.1.3 - djangorestframework-simplejwt-captcha =1.1.4 - djpub =0.0.1 and more Source cves: CVE-2020-9402 Source advisory: OSV:PYSEC-2020-36...

DEBIAN-CVE-2020-8492

Python 2.7 through 2.7.17, 3.5 through 3.5.9, 3.6 through 3.6.10, 3.7 through 3.7.6, and 3.8 through 3.8.1 allows an HTTP server to conduct Regular Expression Denial of Service ReDoS attacks against a client because of urllib.request.AbstractBasicAuthHandler catastrophic backtracking...

django-aesfield (=3.0.0), django-autoconfig (=0.8.0) +11 more potentially affected by CVE-2019-14235 via django (>=2.1.0 <=2.1.10)

django PYPI version =2.1.0, =0.1.0, =0.1.0, =0.3.0, =1.7.3, =0.0.3, =1.1.0, =0.1.2, =1.0.0rc2, =0.1.0, =0.2.0.dev2 Source cves: CVE-2019-14235 Source advisory: OSV:GHSA-V9QG-3J8P-R63V...

@blitzbank/dashboard (>=0.0.1 <=0.0.2), @coinmesh/lnd-adapter (>=0.0.1 <=0.2.12) +15 more potentially affected by unknown CVE via express-basic-auth (>=0.1.3 <=1.1.6)

express-basic-auth NPM version =0.1.3, =0.0.1, =0.0.1, =2.0.0, =1.0.0, =0.1.5, =3.0.0, =1.0.1, =1.0.0, =0.1.5, =0.0.1, =1.0.0, =0.1.0, =2.0.0, =36.1.0 and more Source cves: unknown CVE Source advisory: OSV:GHSA-C35V-QWQG-87JC...

express-basic-auth Timing Attack due to native string comparison instead of constant time string comparison

Versions of express-basic-auth prior to 1.1.7 are vulnerable to Timing Attacks. The package uses native string comparison instead of a constant time string comparison, which may lead to Timing Attacks. Timing Attacks can be used to increase the efficiency of brute-force attacks by removing the...

GHSA-C35V-QWQG-87JC express-basic-auth Timing Attack due to native string comparison instead of constant time string comparison

Versions of express-basic-auth prior to 1.1.7 are vulnerable to Timing Attacks. The package uses native string comparison instead of a constant time string comparison, which may lead to Timing Attacks. Timing Attacks can be used to increase the efficiency of brute-force attacks by removing the...

Timing Attack

Overview Versions of express-basic-auth prior to 1.2.0 are vulnerable to Timing Attacks. The package uses nating string comparison instead of a constant time string compare which may lead to Timing Attacks. Timing Attacks can be used to increase the efficiency of brute-force attacks by removing t...

ALPINE-CVE-2019-3500

aria2c in aria2 1.33.1, when --log is used, can store an HTTP Basic Authentication username and password in a file, which might allow local users to obtain sensitive information by reading this file...

Design/Logic Flaw

In Puppet Discovery prior to 1.2.0, when running Discovery against Windows hosts, WinRM connections can fall back to using basic auth over insecure channels if a HTTPS server is not available. This can expose the login credentials being used by Puppet Discovery...

CVE-2018-11746

CVE-2018-11746 affects Puppet Discovery prior to 1.2.0. When running against Windows, WinRM connections can fall back to basic auth over insecure channels if a HTTPS server is unavailable, exposing login credentials used by Puppet Discovery. The issue is specific to that context; upgrading to ver...

CVE-2018-11746 Puppet Discovery can leak authentication information

In Puppet Discovery prior to 1.2.0, when running Discovery against Windows hosts, WinRM connections can fall back to using basic auth over insecure channels if a HTTPS server is not available. This can expose the login credentials being used by Puppet Discovery...