Lucene search

4192 matches found

Github Security Blog
added 2026/02/19 8:15 p.m., 90 views

Hono added timing comparison hardening in basicAuth and bearerAuth

Summary: The basicAuth and bearerAuth middlewares previously used a comparison that was not fully timing-safe. The timingSafeEqual function used normal string equality === when comparing hash values. This comparison may stop early if values differ, which can theoretically cause small timing...

AI score 5.4 | Exploits 0 | References 4 | Affected software 1
Snyk
added 2026/02/19 3:16 p.m., 4 views

Incorrect Authorization

Overview: Affected versions of this package are vulnerable to Incorrect Authorization via the batch resource creation API endpoints when processing multi-document YAML payloads. An attacker can inject arbitrary resources into the underlying namespace of an existing project by sending specially...

CVSS 9.9 | AI score 5.9 | EPSS 0.00423 | Exploits 0 | References 2
Zero Day Initiative
added 2026/02/19 12:00 a.m., 5 views

MLflow Use of Default Password Authentication Bypass Vulnerability

This vulnerability allows remote attackers to bypass authentication on affected installations of MLflow. Authentication is not required to exploit this vulnerability. The specific flaw exists within the basicauth.ini file. The file contains hard-coded default credentials. An attacker can leverage...

CVSS 9.8 | AI score 6.3 | EPSS 0.01126 | Exploits 0 | References 1
NVD
added 2026/02/18 11:16 p.m., 5 views

CVE-2025-15581

Orthanc versions before 1.12.10 are affected by an authorisation logic flaw in the application's HTTP Basic Authentication implementation. Successful exploitation could result in Privilege Escalation, potentially allowing full administrative access...

CVSS 5.7 | EPSS 0.00408 | Exploits 0 | References 4
OSV
added 2026/02/18 11:16 p.m., 4 views

DEBIAN-CVE-2025-15581

Orthanc versions before 1.12.10 are affected by an authorisation logic flaw in the application's HTTP Basic Authentication implementation. Successful exploitation could result in Privilege Escalation, potentially allowing full administrative access...

CVSS 5.7 | AI score 5.3 | EPSS 0.00408 | Exploits 0 | References 1
UbuntuCve
added 2026/02/18 11:16 p.m., 3 views

CVE-2025-15581

Orthanc versions before 1.12.10 are affected by an authorisation logic flaw in the application's HTTP Basic Authentication implementation. Successful exploitation could result in Privilege Escalation, potentially allowing full administrative access...

CVSS 5.7 | AI score 5.9 | EPSS 0.00408 | Exploits 0 | References 4
OSV
added 2026/02/18 11:16 p.m., 1 view

UBUNTU-CVE-2025-15581

Orthanc versions before 1.12.10 are affected by an authorisation logic flaw in the application's HTTP Basic Authentication implementation. Successful exploitation could result in Privilege Escalation, potentially allowing full administrative access...

CVSS 5.7 | AI score 5.8 | EPSS 0.00408 | Exploits 0 | References 5
CVE
added 2026/02/18 10:59 p.m., 15 views

CVE-2025-15581

Orthanc versions before 1.12.10 are affected by an authorization logic flaw in the HTTP Basic Authentication implementation. Successful exploitation could enable privilege escalation, potentially granting full administrative access. The CVE notes a MEDIUM base score (CVSS 4.0: 5.7) with network a...

CVSS 5.7 | AI score 5.5 | EPSS 0.00408 | Exploits 0 | References 4
Vulnrichment
added 2026/02/18 10:59 p.m., 4 views

CVE-2025-15581

Orthanc versions before 1.12.10 are affected by an authorisation logic flaw in the application's HTTP Basic Authentication implementation. Successful exploitation could result in Privilege Escalation, potentially allowing full administrative access...

CVSS 5.7 | AI score 5.5 | EPSS 0.00408 | Exploits 0 | References 3
Cvelist
added 2026/02/18 10:59 p.m., 20 views

CVE-2025-15581

Orthanc versions before 1.12.10 are affected by an authorisation logic flaw in the application's HTTP Basic Authentication implementation. Successful exploitation could result in Privilege Escalation, potentially allowing full administrative access...

CVSS 5.7 | EPSS 0.00408 | Exploits 0 | References 3
Debian CVE
added 2026/02/18 10:59 p.m., 5 views

CVE-2025-15581

Orthanc versions before 1.12.10 are affected by an authorisation logic flaw in the application's HTTP Basic Authentication implementation. Successful exploitation could result in Privilege Escalation, potentially allowing full administrative access...

CVSS 5.7 | AI score 5.2 | EPSS 0.00408 | Exploits 0
CNNVD
added 2026/02/18 12:00 a.m., 4 views

Orthanc Security Vulnerability

Orthanc is a free open-source software developed by the Orthanc company. Versions of Orthanc prior to 1.12.10 contained security vulnerabilities. These vulnerabilities stemmed from defects in the implementation of HTTP basic authentication, which could lead to privilege escalation...

CVSS 5.7 | AI score 5.8 | EPSS 0.00408 | Exploits 0 | References 3
Malwarebytes
added 2026/02/16 1:09 p.m., 9 views

ClickFix added nslookup commands to its arsenal for downloading RATs

ClickFix malware campaigns are all about tricking the victim into infecting their own machine. Apparently, the criminals behind these campaigns have figured out that mshta and PowerShell commands are increasingly being blocked by security software, so they have developed a new method using...

AI score 6.1 | Exploits 0
RedhatCVE
added 2026/02/16 6:54 a.m., 4 views

CVE-2025-71224

In the Linux kernel, the following vulnerability has been resolved: wifi: mac80211: ocb: skip rx_no_sta when interface is not joined. ieee80211_ocb_rx_no_sta assumes a valid channel context, which is only present after JOIN_OCB. RX may run before JOIN_OCB is executed, in which case the OCB interface is no...

CVSS 3.3 | AI score 5.1 | EPSS 0.00173 | Exploits 0 | References 4
Huntr
added 2026/02/14 2:13 a.m., 9 views

Authentication Bypass on FastAPI Routes (Job API, OTel API) When Basic Auth Enabled

Summary: When MLflow is started with authentication enabled (--app-name basic-auth) and served via the uvicorn ASGI server, the FastAPI permission middleware only enforces authentication on /gateway/ routes. All other FastAPI routes -- including the Job API /ajax-api/3.0/jobs/ and the OpenTelemetry trace...

CVSS 8.6 | AI score 6 | EPSS 0.01502 | Exploits 1
Huntr
added 2026/02/13 3:49 a.m., 13 views

Authorization Bypass in SearchModelVersions Allows Any Authenticated User to Enumerate All Model Versions Regardless of Permissions

Summary: MLflow's SearchModelVersions REST API endpoint GET /api/2.0/mlflow/model-versions/search and GraphQL query mlflowSearchModelVersions lack per-model authorization checks when basic auth is enabled. Any authenticated user can enumerate ALL model versions across ALL registered models,...

CVSS 6.5 | AI score 5.8 | EPSS 0.00441 | Exploits 1
Veracode
added 2026/02/11 7:19 a.m., 6 views

Authentication Bypass

org.apache.druid.extensions:druid-basic-security is vulnerable to an Authentication Bypass. The vulnerability is due to improper validation of LDAP authentication responses when anonymous binds are permitted, which allows an attacker to bypass authentication by supplying an existing username with...

CVSS 9.8 | AI score 5.5 | EPSS 0.01034 | Exploits 0 | References 3 | Affected software 1
OSSF Malicious Packages
added 2026/02/10 8:45 p.m., 11 views

Malicious code in rzr-home (PyPI)

--- -= Per source details. Do not edit below this line.=- Source: kam193 14fb9c76cd89c8c46f6d961d450c57fcc5f454cd3ce67a53a1868ba36f66fec1 Installing the package or importing the module exfiltrates basic information about the host, and the package has no other purpose. --- Category: PROBABLYPENTES...

AI score 5.8 | Exploits 0 | References 1
RedHat Linux
added 2026/02/10 8:28 p.m., 3 views

php: Stream HTTP wrapper header check might omit basic auth header

A flaw was found in PHP. This vulnerability allows certain headers to be either not sent or misinterpreted due to insufficient validation of the end-of-line characters via user-supplied headers...

CVSS 7.3 | AI score 5.7 | EPSS 0.00511 | Exploits 0 | References 5
Snyk
added 2026/02/10 12:30 p.m., 3 views

Missing Authentication

Overview: org.apache.druid.extensions:druid-basic-security is a basic security package for Apache Druid. Affected versions of this package are vulnerable to Missing Authentication in validateCredentials for LDAP, which does not check passwords for anonymous bind requests. An attacker in possession...

CVSS 9.8 | AI score 5.6 | EPSS 0.01034 | Exploits 0 | References 2