Lucene search
K

39 matches found

OSV
OSV
added 2026/07/02 5:17 p.m.6 views

UBUNTU-CVE-2026-54887

Use of Default Cryptographic Key vulnerability in Erlang/OTP ssl DTLS server allows predictable DTLS cookie computation during the startup window, enabling source address verification bypass. On DTLS server startup, dtlsserverconnection:initialhello/3 initializes previouscookiesecret to the empty...

6.3CVSS6AI score0.00243EPSS
Exploits0References8
ATTACKERKB
ATTACKERKB
added 2026/07/02 4:6 p.m.8 views

CVE-2026-54887

Use of Default Cryptographic Key vulnerability in Erlang/OTP ssl DTLS server allows predictable DTLS cookie computation during the startup window, enabling source address verification bypass. On DTLS server startup, dtlsserverconnection:initialhello/3 initializes previouscookiesecret to the empty...

6.3CVSS5.8AI score0.00243EPSS
Exploits0References6Affected Software1
EUVD
EUVD
added 2026/07/02 4:6 p.m.8 views

EUVD-2026-41411

Use of Default Cryptographic Key vulnerability in Erlang/OTP ssl DTLS server allows predictable DTLS cookie computation during the startup window, enabling source address verification bypass. On DTLS server startup, dtlsserverconnection:initialhello/3 initializes previouscookiesecret to the empty...

6.3CVSS5.8AI score0.00243EPSS
Exploits0References5
Vulnrichment
Vulnrichment
added 2026/07/02 4:6 p.m.12 views

CVE-2026-54887 DTLS server cookie bypass during startup window due to empty initial cookie secret

Use of Default Cryptographic Key vulnerability in Erlang/OTP ssl DTLS server allows predictable DTLS cookie computation during the startup window, enabling source address verification bypass. On DTLS server startup, dtlsserverconnection:initialhello/3 initializes previouscookiesecret to the empty...

6.3CVSS5.8AI score0.00243EPSS
Exploits0References5
SUSE CVE
SUSE CVE
added 2026/05/07 2:20 a.m.11 views

SUSE CVE-2026-40934

Jupyter Server is the backend for Jupyter web applications. In versions 2.17.0 and earlier, the secret used to sign authentication cookies is persisted to a static file at /.local/share/jupyter/runtime/jupytercookiesecret and is never rotated when a user changes their password. After a password...

6.8CVSS5.7AI score0.00308EPSS
Exploits1References3
Cvelist
Cvelist
added 2026/05/05 9:31 p.m.41 views

CVE-2026-40934 jupyter-server authentication cookies remain valid after password reset due to static cookie secret

Jupyter Server is the backend for Jupyter web applications. In versions 2.17.0 and earlier, the secret used to sign authentication cookies is persisted to a static file at /.local/share/jupyter/runtime/jupytercookiesecret and is never rotated when a user changes their password. After a password...

7.6CVSS0.00308EPSS
Exploits1References1
Debian CVE
Debian CVE
added 2026/05/05 9:31 p.m.27 views

CVE-2026-40934

Jupyter Server is the backend for Jupyter web applications. In versions 2.17.0 and earlier, the secret used to sign authentication cookies is persisted to a static file at /.local/share/jupyter/runtime/jupytercookiesecret and is never rotated when a user changes their password. After a password...

7.6CVSS5.8AI score0.00308EPSS
Exploits1
CVE
CVE
added 2026/05/05 9:31 p.m.33 views

CVE-2026-40934

CVE-2026-40934 affects Jupyter Server up to version 2.17.0, where the signing secret for authentication cookies is stored at ~/.local/share/jupyter/runtime/jupyter_cookie_secret and is never rotated on password changes. After a password reset and server restart, previously issued cookies remain c...

7.6CVSS5.8AI score0.00308EPSS
Exploits1References1Affected Software1
AlpineLinux
AlpineLinux
added 2026/05/05 9:31 p.m.13 views

CVE-2026-40934

Jupyter Server is the backend for Jupyter web applications. In versions 2.17.0 and earlier, the secret used to sign authentication cookies is persisted to a static file at /.local/share/jupyter/runtime/jupytercookiesecret and is never rotated when a user changes their password. After a password...

7.6CVSS5.8AI score0.00308EPSS
Exploits1
OSV
OSV
added 2026/05/05 9:31 p.m.3 views

CVE-2026-40934 jupyter-server authentication cookies remain valid after password reset due to static cookie secret

Jupyter Server is the backend for Jupyter web applications. In versions 2.17.0 and earlier, the secret used to sign authentication cookies is persisted to a static file at /.local/share/jupyter/runtime/jupytercookiesecret and is never rotated when a user changes their password. After a password...

7.6CVSS6.3AI score0.00308EPSS
Exploits1References3
Snyk
Snyk
added 2026/05/05 5:3 p.m.14 views

Insufficient Session Expiration

Overview Affected versions of this package are vulnerable to Insufficient Session Expiration due to jupytercookiesecret never being automatically rotated or cleared. An attacker can keep or reuse authenticated session cookies after a password change by presenting a cookie signed with a secret tha...

7.6CVSS5.8AI score0.00308EPSS
Exploits1References2
Github Security Blog
Github Security Blog
added 2026/05/05 5:3 p.m.11 views

Jupyter Server's Authentication Cookies Remain Valid After Password Reset and Server Restart

Summary A persistent cookie secret vulnerability allows authenticated users to maintain indefinite access even after password changes. The cookie secret used to sign authentication cookies is stored in a permanent file /.local/share/jupyter/runtime/jupytercookiesecret that is never automatically...

7.6CVSS5.8AI score0.00308EPSS
Exploits1References4Affected Software1
OSV
OSV
added 2026/05/05 5:3 p.m.3 views

GHSA-5MRQ-X3X5-8V8F Jupyter Server's Authentication Cookies Remain Valid After Password Reset and Server Restart

Summary A persistent cookie secret vulnerability allows authenticated users to maintain indefinite access even after password changes. The cookie secret used to sign authentication cookies is stored in a permanent file /.local/share/jupyter/runtime/jupytercookiesecret that is never automatically...

7.6CVSS5.8AI score0.00308EPSS
Exploits1References4
Positive Technologies
Positive Technologies
added 2026/05/05 12:0 a.m.12 views

PT-2026-37241

Name of the Vulnerable Software and Affected Versions Jupyter Server versions prior to 2.18.0 Description The secret used to sign authentication cookies is persisted to a static file at /.local/share/jupyter/runtime/jupyter cookie secret and is not rotated when a user changes their password...

7.6CVSS5.8AI score0.00308EPSS
Exploits1References15
EUVD
EUVD
added 2026/04/16 6:31 p.m.6 views

EUVD-2026-23272

A privilege escalation vulnerability in Microchip IStaX allows an authenticated low-privileged user to recover a shared per-device cookie secret from their own webstaxauth session cookie and forge a new cookie with administrative privileges.This issue affects IStaX before 2026.03...

8.7CVSS5.8AI score0.00202EPSS
Exploits0References2
NVD
NVD
added 2026/04/16 6:16 p.m.6 views

CVE-2026-2336

A privilege escalation vulnerability in Microchip IStaX allows an authenticated low-privileged user to recover a shared per-device cookie secret from their own webstaxauth session cookie and forge a new cookie with administrative privileges.This issue affects IStaX before 2026.03...

8.7CVSS0.00202EPSS
Exploits0References1
Cvelist
Cvelist
added 2026/04/16 5:2 p.m.30 views

CVE-2026-2336 Weak webstax_auth Cookie Authentication Allows Privilege Escalation

A privilege escalation vulnerability in Microchip IStaX allows an authenticated low-privileged user to recover a shared per-device cookie secret from their own webstaxauth session cookie and forge a new cookie with administrative privileges.This issue affects IStaX before 2026.03...

8.7CVSS0.00202EPSS
Exploits0References1
OSV
OSV
added 2026/03/01 1:0 a.m.8 views

GHSA-H3H8-3V2V-RG7M Gradio: Mocked OAuth Login Exposes Server Credentials and Uses Hardcoded Session Secret

Summary Gradio applications running outside of Hugging Face Spaces automatically enable "mocked" OAuth routes when OAuth components e.g. gr.LoginButton are used. When a user visits /login/huggingface, the server retrieves its own Hugging Face access token via huggingfacehub.gettoken and stores it...

5.9AI score0.00453EPSS
Exploits1References6
RedhatCVE
RedhatCVE
added 2026/01/09 10:49 a.m.8 views

CVE-2022-37109

patrickfuller camp up to and including commit bbd53a256ed70e79bd8758080936afbf6d738767 is vulnerable to Incorrect Access Control. Access to the password.txt file is not properly restricted as it is in the root directory served by StaticFileHandler and the Tornado rule to throw a 403 error when...

9.8CVSS7.2AI score0.49201EPSS
Exploits3References1
RedhatCVE
RedhatCVE
added 2026/01/09 8:54 a.m.8 views

CVE-2021-41192

Redash is a package for data visualization and sharing. If an admin sets up Redash versions 10.0.0 and prior without explicitly specifying the REDASHCOOKIESECRET or REDASHSECRETKEY environment variables, a default value is used for both that is the same across all installations. In such cases, th...

8.1CVSS6.8AI score0.08017EPSS
Exploits1References1
Rows per page
Query Builder