CVE-2021-39890

It was possible to bypass 2FA for LDAP users and access some specific pages with Basic Authentication in GitLab 14.1.1 and above...

Authentication flaw

It was possible to bypass 2FA for LDAP users and access some specific pages with Basic Authentication in GitLab 14.1.1 and above...

UBUNTU-CVE-2021-39890

It was possible to bypass 2FA for LDAP users and access some specific pages with Basic Authentication in GitLab 14.1.1 and above...

CVE-2021-39890

CVE-2021-39890 affects GitLab 14.1.1 and later and allows bypassing 2FA for LDAP users and accessing certain pages via Basic Authentication. The connected documents confirm the issue and affected product/version, but do not provide a detailed root-cause description or patch-level remediation with...

CVE-2021-39890

It was possible to bypass 2FA for LDAP users and access some specific pages with Basic Authentication in GitLab 14.1.1 and above...

CVE-2021-39890

Removed by vendor...

PT-2021-22737 · Gitlab · Gitlab

Name of the Vulnerable Software and Affected Versions: GitLab versions 14.1.1 and above Description: The issue allows bypassing 2FA for LDAP users and accessing specific pages using Basic Authentication. Recommendations: For GitLab versions 14.1.1 and above, at the moment, there is no information...

Basic Authentication Detected

The scanner detected the presence of a web page protected by a 'Basic' authentication. No source data...

Basic Authentication Bruteforced

The scanner successfully authenticated on the target web application by using weak credentials in the request basic authentication HTTP header. No source data...

LiquidFiles 3.5.13 Privilege Escalation Vulnerability

=============================================================================== title: LiquidFiles Privilege Escalation product: LiquidFiles v3.5.13 vulnerability type: Privilege Escalation severity: Medium CVSSv3 score: 6.7 CVSSv3 vector: AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:L found: 2021-10-29 by:...

python: urllib: Regular expression DoS in AbstractBasicAuthHandler

There's a flaw in urllib's AbstractBasicAuthHandler class. An attacker who controls a malicious HTTP server that an HTTP client such as web browser connects to, could trigger a Regular Expression Denial of Service ReDOS during an authentication request with a specially crafted payload that is sen...

CVE-2021-42763

Couchbase Server before 6.6.3 and 7.x before 7.0.2 stores Sensitive Information in Cleartext. The issue occurs when the cluster manager forwards a HTTP request from the pluggable UI query workbench etc to the specific service. In the backtrace, the Basic Auth Header included in the HTTP request,...

python: urllib: Regular expression DoS in AbstractBasicAuthHandler

There's a flaw in urllib's AbstractBasicAuthHandler class. An attacker who controls a malicious HTTP server that an HTTP client such as web browser connects to, could trigger a Regular Expression Denial of Service ReDOS during an authentication request with a specially crafted payload that is sen...

Couchbase Server 加密问题漏洞

Couchbase Server is a distributed, open source NoSQL non-relational database from Couchbase, Inc. that primarily supports data querying, full-text searching, and active global replication. A cryptographic issue vulnerability exists in Couchbase Server, which stems from the inclusion of plaintext...

A Guide to Shift Away from Legacy Authentication Protocols in Microsoft 365

Microsoft 365 M365, formerly called Office 365 O365, is Microsoft's cloud strategy flagship product with major changes ahead, such as the deprecation of their legacy authentication protocols. Often stored on or saved to the device, Basic Authentication protocols rely on sending usernames and...

Experts Warn of Unprotected Prometheus Endpoints Exposing Sensitive Information

A large-scale unauthenticated scraping of publicly available and non-secured endpoints from older versions of Prometheus event monitoring and alerting solution could be leveraged to inadvertently leak sensitive information, according to the latest research. "Due to the fact that authentication an...

The vulnerability of the aaugustin communication protocol’s websockets in the Python programming language arises from information leaks due to temporal discrepancies. This allows attackers to gain access to confidential data.

The vulnerability of the aaugustin communication protocol’s websockets in the Python programming language is related to an error that occurs when basic authentication using basicauthprotocolfactorycredentials=... is enabled. Exploiting this vulnerability can allow a remote attacker to gain access...

GitLab 授权问题漏洞

GitLab is an open source, end-to-end software development platform from GitLab, Inc. with built-in version control, issue tracking, code review, CI/CD continuous integration and continuous delivery, and other features. An authorization issue vulnerability exists in GitLab EE, which can be exploit...

Basic auth bypass in esphome

Impact Anyone with webserver enabled and HTTP basic auth configured on 2021.9.1 or older webserver allows OTA update without checking user defined basic auth username & password Patches Patch released in 2021.9.2 Workarounds Disable/remove webserver...

CVE-2021-41104

ESPHome is a system to control the ESP8266/ESP32. Anyone with webserver enabled and HTTP basic auth configured on version 2021.9.1 or older is vulnerable to an issue in which webserver allows over-the-air OTA updates without checking user defined basic auth username & password. This issue is...