
96 matches found

EUVD
added 2025/10/03 8:07 p.m. · 1 view

EUVD-2025-4683

Malicious code in bioql PyPI...

CVSS 6.3 · AI score 6.3 · EPSS 0.00156
Exploits 0 · References 4
Packet Storm News
added 2025/05/02 12:00 a.m. · 2 views

Capability-Based Multi-Tenant Access Management in Crowdsourced Drone Services

We propose a capability-based access control method that leverages OAuth 2.0 and Verifiable Credentials (VCs) to share resources in crowdsourced drone services. VCs securely encode claims about entities, offering flexibility. However, standardized protocols for VCs are lacking, limiting their...

AI score 7.1
Exploits 0
RedhatCVE
added 2025/02/20 6:20 p.m. · 5 views

CVE-2025-26620

Duende.AccessTokenManagement is a set of .NET libraries that manage OAuth and OpenId Connect access tokens. Duende.AccessTokenManagement contains a race condition when requesting access tokens using the client credentials flow. Concurrent requests to obtain an access token using differing protoco...

CVSS 6.3 · AI score 6.8 · EPSS 0.00156
Exploits 0 · References 1
OSV
added 2025/02/19 5:47 p.m. · 5 views

GHSA-QXJ7-2X7W-3MPP Duende.AccessTokenManagement race condition when concurrently retrieving customized Client Credentials Access Tokens

Summary Duende.AccessTokenManagement contains a race condition when requesting access tokens using the client credentials flow. Concurrent requests to obtain an access token using differing protocol parameters can return access tokens obtained with the wrong scope, resource indicator, or other...

CVSS 6.3 · AI score 6.5 · EPSS 0.00156
Exploits 0 · References 4
Github Security Blog
added 2025/02/19 5:47 p.m. · 4 views

Duende.AccessTokenManagement race condition when concurrently retrieving customized Client Credentials Access Tokens

Summary Duende.AccessTokenManagement contains a race condition when requesting access tokens using the client credentials flow. Concurrent requests to obtain an access token using differing protocol parameters can return access tokens obtained with the wrong scope, resource indicator, or other...

CVSS 6.3 · AI score 6.9 · EPSS 0.00156
Exploits 0 · References 4 · Affected Software 1
NVD
added 2025/02/18 6:15 p.m. · 10 views

CVE-2025-26620

Duende.AccessTokenManagement is a set of .NET libraries that manage OAuth and OpenId Connect access tokens. Duende.AccessTokenManagement contains a race condition when requesting access tokens using the client credentials flow. Concurrent requests to obtain an access token using differing protoco...

CVSS 6.3 · EPSS 0.00156
Exploits 0 · References 2
Cvelist
added 2025/02/18 5:36 p.m. · 10 views

CVE-2025-26620 Duende.AccessTokenManagement race condition when concurrently retrieving customized Client Credentials Access Tokens

Duende.AccessTokenManagement is a set of .NET libraries that manage OAuth and OpenId Connect access tokens. Duende.AccessTokenManagement contains a race condition when requesting access tokens using the client credentials flow. Concurrent requests to obtain an access token using differing protoco...

CVSS 6.3 · EPSS 0.00156
Exploits 0 · References 2
OSV
added 2025/02/18 5:36 p.m. · 5 views

CVE-2025-26620 Duende.AccessTokenManagement race condition when concurrently retrieving customized Client Credentials Access Tokens

Duende.AccessTokenManagement is a set of .NET libraries that manage OAuth and OpenId Connect access tokens. Duende.AccessTokenManagement contains a race condition when requesting access tokens using the client credentials flow. Concurrent requests to obtain an access token using differing protoco...

CVSS 6.3 · AI score 6.8 · EPSS 0.00156
Exploits 0 · References 4
Vulnrichment
added 2025/02/18 5:36 p.m. · 9 views

CVE-2025-26620 Duende.AccessTokenManagement race condition when concurrently retrieving customized Client Credentials Access Tokens

Duende.AccessTokenManagement is a set of .NET libraries that manage OAuth and OpenId Connect access tokens. Duende.AccessTokenManagement contains a race condition when requesting access tokens using the client credentials flow. Concurrent requests to obtain an access token using differing protoco...

CVSS 6.3 · AI score 7 · EPSS 0.00156
Exploits 0 · References 2
Positive Technologies
added 2025/02/18 12:00 a.m. · 1 view

PT-2025-7217 · Duende · Duende.Accesstokenmanagement

Name of the Vulnerable Software and Affected Versions: Duende.AccessTokenManagement (affected versions not specified). Description: Duende.AccessTokenManagement contains a race condition when requesting access tokens using the client credentials flow. Concurrent requests to obtain an access token...

CVSS 6.3 · AI score 7.4 · EPSS 0.00156
Exploits 0 · References 8
Snyk
added 2024/11/21 5:43 p.m. · 1 view

Improper Authorization

Overview: authentik-client is an authentik Affected versions of this package are vulnerable to Improper Authorization due to insufficient validation of the OAuth grants client credentials or device code. An attacker can obtain a token with unauthorized scopes. Remediation: Upgrade authentik-client to...

CVSS 8.7 · AI score 6.9 · EPSS 0.00241
Exploits 0 · References 2
Positive Technologies
added 2024/11/21 12:00 a.m. · 1 view

PT-2024-35153

Name of the Vulnerable Software and Affected Versions: authentik versions prior to 2024.8.5; authentik versions prior to 2024.10.3. Description: The issue allows an attacker to obtain a token with scopes that haven't been configured in authentik when using the client credentials or device code OAuth...

CVSS 7.2 · AI score 5.8 · EPSS 0.00241
Exploits 0 · References 9
CNNVD
added 2024/11/21 12:00 a.m. · 1 view

authentik authorization issue vulnerability

authentik is an open source identity provisioning application from authentik Open Source. An authorization issue vulnerability exists in authentik when client credentials or device code OAuth authorization is used, allowing an attacker to obtain a token from authentik...

CVSS 7.2 · AI score 6.6 · EPSS 0.00241
Exploits 0 · References 3
OSV
added 2024/06/18 11:05 a.m. · 9 views

SUSE-SU-2024:1486-2 Security update for cosign

This update for cosign fixes the following issues:
- CVE-2024-29902: Fixed denial of service on host machine via remote image with malicious attachments (bsc#1222835)
- CVE-2024-29903: Fixed denial of service on host machine via malicious software artifacts (bsc#1222837)
Other fixes:
- Updated to 2.2...

CVSS 7.5 · AI score 5.8 · EPSS 0.00717
Exploits 1 · References 5
OSV
added 2024/05/02 5:33 a.m. · 4 views

SUSE-SU-2024:1486-1 Security update for cosign

This update for cosign fixes the following issues:
- CVE-2024-29902: Fixed denial of service on host machine via remote image with malicious attachments (bsc#1222835)
- CVE-2024-29903: Fixed denial of service on host machine via malicious software artifacts (bsc#1222837)
Other fixes:
- Updated to 2.2...

CVSS 7.5 · AI score 6.8 · EPSS 0.00717
Exploits 1 · References 5
OSSF Malicious Packages
added 2023/11/09 6:05 p.m. · 2 views

Malicious code in resume-sourcing-nodejs-client-credentials (npm)

--- -= Per source details. Do not edit below this line. =- Source: ghsa-malware (63bf870804a0bc378ff856c7e19723430ff40b603bebd5c485f101b20ae69e12). Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...

AI score 6.8
Exploits 0 · References 1
RedHat Linux
added 2023/03/01 10:02 p.m. · 2 views

keycloak: Client Registration endpoint does not check token revocation

A flaw was found in Keycloak, where it did not properly check client tokens for possible revocation in its client credential flow. This flaw allows an attacker to access or modify potentially sensitive information...

CVSS 3.8 · AI score 6.3 · EPSS 0.00291
Exploits 0 · References 6
RedHat Linux
added 2023/03/01 9:58 p.m. · 3 views

keycloak: Client Registration endpoint does not check token revocation

A flaw was found in Keycloak, where it did not properly check client tokens for possible revocation in its client credential flow. This flaw allows an attacker to access or modify potentially sensitive information...

CVSS 3.8 · AI score 6.3 · EPSS 0.00291
Exploits 0 · References 6
RedHat Linux
added 2023/03/01 9:45 p.m. · 3 views

keycloak: Client Registration endpoint does not check token revocation

A flaw was found in Keycloak, where it did not properly check client tokens for possible revocation in its client credential flow. This flaw allows an attacker to access or modify potentially sensitive information...

CVSS 3.8 · AI score 6.3 · EPSS 0.00291
Exploits 0 · References 6
SUSE CVE
added 2023/02/15 4:17 a.m. · 1 view

SUSE CVE-2019-3800

CF CLI version prior to v6.45.0 (bosh release version 1.16.0) writes the client id and secret to its config file when the user authenticates with the --client-credentials flag. A local authenticated malicious user with access to the CF CLI config file can act as that client, who is the owner of the...

CVSS 7.8 · AI score 6.6 · EPSS 0.00279
Exploits 0 · References 3