Lucene search
K

534 matches found

Prion
Prion
added 2020/04/06 5:15 p.m.14 views

Design/Logic Flaw

In Hydra an OAuth2 Server and OpenID Certified™ OpenID Connect Provider written in Go, before version 1.4.0+oryOS.17, when using client authentication method 'privatekeyjwt' 1, OpenId specification says the following about assertion jti: "A unique identifier for the token, which can be used to...

3.5CVSS5.3AI score0.01028EPSS
Exploits0References3Affected Software1
Positive Technologies
Positive Technologies
added 2020/04/06 12:0 a.m.8 views

PT-2020-18389 · Ory · Hydra

Name of the Vulnerable Software and Affected Versions: Hydra versions prior to 1.4.0+oryOS.17 Description: The issue concerns Hydra, an OAuth2 Server and OpenID Certified OpenID Connect Provider written in Go. When using the client authentication method 'private key jwt', Hydra does not check the...

5.8CVSS7.3AI score0.01028EPSS
Exploits0References10
RedHat Linux
RedHat Linux
added 2020/02/25 3:56 p.m.4 views

nodejs: Remotely trigger an assertion on a TLS server with a malformed certificate string

An encoding error flaw exists in the Node.js code that is used to read a peer certificate in the TLS client authentication. An attacker can use this flaw to crash the process used to handle TLS client authentication...

7.5CVSS7.3AI score0.20457EPSS
Exploits1References5
RedHat Linux
RedHat Linux
added 2020/02/25 8:39 a.m.5 views

nodejs: Remotely trigger an assertion on a TLS server with a malformed certificate string

An encoding error flaw exists in the Node.js code that is used to read a peer certificate in the TLS client authentication. An attacker can use this flaw to crash the process used to handle TLS client authentication...

7.5CVSS7.3AI score0.20457EPSS
Exploits1References5
Elastic
Elastic
added 2019/12/02 4:39 p.m.6 views

Elastic Stack 7.5.0 security update

Metricbeat and Filebeat DSA public key panic ESA-2019-15 A denial of service flaw when parsing malformed DSA public keys was discovered in Go, the language used to implement Beats. If Metricbeat or Filebeat are configured to accept incoming TLS connections with client authentication enabled, a...

7.5CVSS9.6AI score0.04693EPSS
Exploits1
CNVD
CNVD
added 2019/11/21 12:0 a.m.2 views

IBM Cloud Pak System Client Authentication Vulnerability

IBM Cloud Pak System is a full-stack, converged infrastructure with configurable, pre-integrated software from IBM USA. The product supports deploying, managing and moving application environments across hybrid clouds. A security vulnerability exists in IBM Cloud Pak System version V2.3.0. An...

6.7AI score
Exploits0References1
RedhatCVE
RedhatCVE
added 2019/10/09 10:51 p.m.29 views

CVE-2018-10923

It was found that the "mknod" call derived from mknod2 can create files pointing to devices on a glusterfs server node. An authenticated attacker could use this to create an arbitrary device and read data from any device attached to the glusterfs server node. Mitigation To limit exposure of glust...

8.1CVSS2.6AI score0.01672EPSS
Exploits0References2
Tenable Nessus
Tenable Nessus
added 2019/08/12 12:0 a.m.18 views

NewStart CGSL MAIN 4.05 : nss Vulnerability (NS-SA-2019-0112)

The remote NewStart CGSL host, running version MAIN 4.05, has nss packages installed that are affected by a vulnerability: - A use-after-free flaw was found in the TLS 1.2 implementation in the NSS library when client authentication was used. A malicious client could use this flaw to cause an...

7.5CVSS8.6AI score0.03153EPSS
Exploits0References2
OSV
OSV
added 2019/05/03 3:29 p.m.3 views

CVE-2019-1590

A vulnerability in the Transport Layer Security TLS certificate validation functionality of Cisco Nexus 9000 Series Application Centric Infrastructure ACI Mode Switch Software could allow an unauthenticated, remote attacker to perform insecure TLS client authentication on an affected device. The...

8.1CVSS7.3AI score0.0098EPSS
Exploits0References1
Microsoft KB
Microsoft KB
added 2019/03/12 12:0 a.m.7 views

October 18, 2018—KB4462932 (OS Build 16299.755)

October 18, 2018—KB4462932 OS Build 16299.755 Improvements and fixes This update includes quality improvements. No new operating system features are being introduced in this update. Key changes include: Addresses the redenomination of local currency that the Central Bank of Venezuela implemented ...

6.9AI score
Exploits0
OSV
OSV
added 2019/02/27 12:29 a.m.5 views

CVE-2019-7006

Avaya one-X Communicator uses weak cryptographic algorithms in the client authentication component that could allow a local attacker to decrypt sensitive information. Affected versions include all 6.2.x versions prior to 6.2 SP13...

5.5CVSS6.4AI score
Exploits0References3
CVE
CVE
added 2019/02/27 12:0 a.m.37 views

CVE-2019-7006

This CVE affects Avaya one-X Communicator where the vulnerability resides in the client authentication component, using weak cryptographic algorithms. The issue could allow a local attacker to decrypt sensitive information. Affected versions are all 6.2.x prior to 6.2 SP13; remediation is to upgr...

6.5CVSS5.5AI score0.0028EPSS
Exploits0References3Affected Software1
Hacker One
Hacker One
added 2019/01/16 12:58 p.m.54 views

Open-Xchange: Username restriction bypass with SSL client authentication

Summary: Dovecot supports enforcing the login user name to be the one encoded in the SSL client certificate, thus restricting the username. Using SSL certificates that do not even contain the relevant field bypasses this restriction, maybe leading to full login bypass under some luckily rare...

4.9CVSS0.1AI score0.02462EPSS
Exploits1
Veracode
Veracode
added 2019/01/15 9:19 a.m.20 views

Denial Of Service (DoS)

nss is vulnerable to denial of service. A use-after-free flaw was found in the TLS 1.2 implementation in the NSS library when client authentication was used. A malicious client could use this flaw to cause an application compiled against NSS to crash or, potentially, execute arbitrary code with t...

7.5CVSS8.7AI score0.03153EPSS
Exploits0References14Affected Software1
BDU FSTEC
BDU FSTEC
added 2019/01/15 12:0 a.m.6 views

The vulnerability of Cisco IOS and Cisco IOS XE operating systems that use TACACS+ client authentication allows attackers to induce a service failure.

The vulnerability of Cisco IOS and Cisco IOS XE operating systems that use TACACS+ client authentication is related to errors in processing TACACS+ response packets. Exploiting this vulnerability can allow a malicious actor to trigger a device reboot and a service failure...

6.8CVSS6.7AI score0.02063EPSS
Exploits0References3
OSV
OSV
added 2018/09/10 5:29 p.m.3 views

DEBIAN-CVE-2018-12608

An issue was discovered in Docker Moby before 17.06.0. The Docker engine validated a client TLS certificate using both the configured client CA root certificate and all system roots on non-Windows systems. This allowed a client with any domain validated certificate signed by a system-trusted root...

7.5CVSS7.5AI score0.0092EPSS
Exploits0References1
Cvelist
Cvelist
added 2018/09/10 5:0 p.m.38 views

CVE-2018-12608

An issue was discovered in Docker Moby before 17.06.0. The Docker engine validated a client TLS certificate using both the configured client CA root certificate and all system roots on non-Windows systems. This allowed a client with any domain validated certificate signed by a system-trusted root...

7.4AI score0.0092EPSS
Exploits0References1
IBM Security Bulletins
IBM Security Bulletins
added 2018/07/11 7:29 p.m.21 views

Security Bulletin: IBM® Db2® is vulnerable to an unauthorized command that allows the database to be activated when authentication type is CLIENT (CVE-2017-1520)

Summary For a CLIENT authentication type, a user without proper authority can activate database. The database becomes activated, but requires authentication to proceed further. This does not allow unauthorized access to the database. This issue applies to the application side. Vulnerability Detai...

4.3CVSS0.5AI score0.01305EPSS
Exploits0Affected Software1
OpenVAS
OpenVAS
added 2018/06/12 12:0 a.m.40 views

Microsoft Windows: Network security: LAN Manager authentication level

This security setting determines which challenge/response authentication protocol is used for network logons. This choice affects the level of authentication protocol used by clients, the level of session security negotiated, and the level of authentication accepted by servers as follows: - Send ...

7.6AI score
Exploits0References5
Cisco
Cisco
added 2018/05/02 4:0 p.m.48 views

Cisco Wireless LAN Controller and Aironet Access Points IOS WebAuth Client Authentication Bypass Vulnerability

A vulnerability in Web Authentication WebAuth clients for the Cisco Wireless LAN Controller WLC and Aironet Access Points running Cisco IOS Software could allow an unauthenticated, adjacent attacker to bypass authentication and pass traffic. The vulnerability is due to incorrect implementation of...

4.7CVSS1.4AI score0.00947EPSS
Exploits0References1
Rows per page
Query Builder